Ticket #40922: 40922.diff
File 40922.diff, 6.3 KB (added by , 7 years ago) |
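--- a/src/wp-admin/customize.php
+++ b/src/wp-admin/customize.php
@@ -135,8 +135,14 @@
 <?php
 $save_text = $wp_customize->is_theme_active() ? __( 'Save & Publish' ) : __( 'Save & Activate' );
 $save_attrs = array();
-if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->publish_posts ) ) {
-$save_attrs['style'] = 'display: none';
+if ( $wp_customize->changeset_post_id() ) {
+if ( ! current_user_can( 'publish_post', $wp_customize->changeset_post_id() ) ) {
+$save_attrs['style'] = 'display: none';
+}
+} else {
+if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->publish_posts ) ) {
+$save_attrs['style'] = 'display: none';
+}
 }
 submit_button( $save_text, 'primary save', 'save', false, $save_attrs );
 ?>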
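Review bot: The new publish check repeats the `$save_attrs['style'] = 'display: none';` assignment in two nested branches and calls `$wp_customize->changeset_post_id()` twice. Resolving the permission once reads better: `$changeset_post_id = $wp_customize->changeset_post_id();` followed by `$can_publish = $changeset_post_id ? current_user_can( 'publish_post', $changeset_post_id ) : current_user_can( get_post_type_object( 'customize_changeset' )->cap->publish_posts );`. A short comment such as `// Cosmetic only: the save request has to enforce the same capability check.` would also help, because hiding the button with an inline style is not an access control.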
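--- a/src/wp-includes/class-wp-customize-manager.php
+++ b/src/wp-includes/class-wp-customize-manager.php
@@ -2135,7 +2135,7 @@
 wp_send_json_error( 'bad_customize_changeset_status', 400 );
 }
 $is_publish = ( 'publish' === $changeset_status || 'future' === $changeset_status );
-if ( $is_publish && ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->publish_posts) ) {
+if ( $is_publish && ! current_user_can( 'publish_post', $changeset_post_id ) ) {
 wp_send_json_error( 'changeset_publish_unauthorized', 403 );
 }
 }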
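Review bot: `current_user_can( 'publish_post', $changeset_post_id )` has no fallback for a save request that arrives before a changeset post exists. The customize.php section of this patch does have one: it falls back to the post type's `publish_posts` capability when `changeset_post_id()` is empty. `$changeset_post_id` is assigned outside this hunk, so whether it can be empty here needs confirming. If it can, the per-post check runs without a valid post and its result (most likely a refusal for every user) no longer reflects what the user is allowed to do. Mirroring the template keeps both checks in agreement: `$can_publish = $changeset_post_id ? current_user_can( 'publish_post', $changeset_post_id ) : current_user_can( get_post_type_object( 'customize_changeset' )->cap->publish_posts );`.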
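--- a/src/wp-includes/post.php
+++ b/src/wp-includes/post.php
@@ -175,23 +175,20 @@
 'can_export' => false,
 'delete_with_user' => false,
 'supports' => array( 'title', 'author' ),
-'capability_type' => ' customize_changeset',
+'capability_type' => 'post',
 'capabilities' => array(
 'create_posts' => 'customize',
-'delete_others_posts' => 'customize',
-'delete_post' => 'customize',
-'delete_posts' => 'customize',
-'delete_private_posts' => 'customize',
-'delete_published_posts' => 'customize',
-'edit_others_posts' => 'customize',
-'edit_post' => 'customize',
-'edit_posts' => 'customize',
-'edit_private_posts' => 'customize',
+'delete_others_posts' => 'edit_theme_options',
+'delete_posts' => 'edit_theme_options',
+'delete_private_posts' => 'edit_theme_options',
+'delete_published_posts' => 'edit_theme_options',
+'edit_others_posts' => 'edit_theme_options',
+'edit_posts' => 'edit_theme_options',
+'edit_private_posts' => 'edit_theme_options',
 'edit_published_posts' => 'do_not_allow',
-'publish_posts' => 'customize',
-'read' => 'read',
-'read_post' => 'customize',
-'read_private_posts' => 'customize',
+'publish_posts' => 'edit_theme_options',
+'read' => 'edit_theme_options',
+'read_private_posts' => 'edit_theme_options',
 ),
 ) );
 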
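Review bot: `'create_posts' => 'customize'` is left unchanged while every other entry moves to `edit_theme_options`, so creating a changeset and editing or publishing it are now gated by two different capabilities. If a site grants `customize` to a role that lacks `edit_theme_options` (presumably through a capability filter), that role could start a changeset it can then neither edit nor publish. Either map `create_posts` to `edit_theme_options` as well, or add a comment on that line stating why creation stays on `customize`. The explicit `edit_post`, `delete_post` and `read_post` entries are dropped together with the switch to `'capability_type' => 'post'`, so per-post checks now depend on how meta capabilities are mapped for this post type. That setting is outside the hunk and worth confirming, as the `register_post_type` call starts above it.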
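--- a/tests/phpunit/tests/ajax/CustomizeManager.php
+++ b/tests/phpunit/tests/ajax/CustomizeManager.php
@@ -150,6 +150,7 @@
 $nonce = wp_create_nonce( 'save-customize_' . $wp_customize->get_stylesheet() );
 $_POST['nonce'] = $_GET['nonce'] = $_REQUEST['nonce'] = $nonce;
 $post_type_obj = get_post_type_object( 'customize_changeset' );
+$previous_create_posts_cap = $post_type_obj->cap->create_posts;
 $post_type_obj->cap->create_posts = 'create_customize_changesets';
 $this->make_ajax_call( 'customize_save' );
 $this->assertFalse( $this->_last_response_parsed['success'] );
@@ -157,7 +158,7 @@
 $this->overridden_caps[ $post_type_obj->cap->create_posts ] = true;
 $this->make_ajax_call( 'customize_save' );
 $this->assertTrue( $this->_last_response_parsed['success'] );
-$post_type_obj->cap->create_posts = 'customize'; // Restore.
+$post_type_obj->cap->create_posts = $previous_create_posts_cap; // Restore.
 
 // Changeset already published.
 $wp_customize->set_post_value( 'blogname', 'Hello' );
@@ -164,11 +165,12 @@
 $wp_customize->save_changeset_post( array( 'status' => 'publish' ) );
 $this->make_ajax_call( 'customize_save' );
 $this->assertFalse( $this->_last_response_parsed['success'] );
-$this->assertEquals( 'c hangeset_already_published', $this->_last_response_parsed['data']['code'] );
+$this->assertEquals( 'cannot_edit_changeset_post', $this->_last_response_parsed['data'] );
 wp_update_post( array( 'ID' => $wp_customize->changeset_post_id(), 'post_status' => 'auto-draft' ) );
 
 // User cannot edit.
 $post_type_obj = get_post_type_object( 'customize_changeset' );
+$previous_edit_post_cap = $post_type_obj->cap->edit_post;
 $post_type_obj->cap->edit_post = 'edit_customize_changesets';
 $this->make_ajax_call( 'customize_save' );
 $this->assertFalse( $this->_last_response_parsed['success'] );
@@ -176,7 +178,7 @@
 $this->overridden_caps[ $post_type_obj->cap->edit_post ] = true;
 $this->make_ajax_call( 'customize_save' );
 $this->assertTrue( $this->_last_response_parsed['success'] );
-$post_type_obj->cap->edit_post = 'customize'; // Restore.
+$post_type_obj->cap->edit_post = $previous_edit_post_cap; // Restore.
 
 // Bad customize_changeset_data.
 $_POST['customize_changeset_data'] = '[MALFORMED]';
@@ -193,6 +195,7 @@
 
 // Disallowed publish posts if not allowed.
 $post_type_obj = get_post_type_object( 'customize_changeset' );
+$previous_publish_posts_cap = $post_type_obj->cap->publish_posts;
 $post_type_obj->cap->publish_posts = 'publish_customize_changesets';
 $_POST['customize_changeset_status'] = 'publish';
 $this->make_ajax_call( 'customize_save' );
@@ -202,7 +205,7 @@
 $this->make_ajax_call( 'customize_save' );
 $this->assertFalse( $this->_last_response_parsed['success'] );
 $this->assertEquals( 'changeset_publish_unauthorized', $this->_last_response_parsed['data'] );
-$post_type_obj->cap->publish_posts = 'customize'; // Restore.
+$post_type_obj->cap->publish_posts = $previous_publish_posts_cap; // Restore.
 
 // Validate date.
 $_POST['customize_changeset_status'] = 'draft';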
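Review bot: The saved capability names are restored only on the success path. `$post_type_obj->cap->create_posts = $previous_create_posts_cap; // Restore.` and the matching `edit_post` and `publish_posts` lines run after the assertions, so a failing assertion leaves the post type object (presumably shared between tests) with the overridden capability. Restoring in the test class's teardown, or wrapping each override in `try { ... } finally { ... }`, stops one failure from cascading into unrelated permission tests. The changed assertion on `'cannot_edit_changeset_post'` would also be stricter as `assertSame`, since `assertEquals` compares loosely. The test method starts and ends outside these hunks.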