
Changeset 24478


Timestamp:
06/21/2013 06:00:59 AM (11 years ago)
Author:
nacin
Message:

Better cap checks in _wp_translate_post_data().

File:
1 edited

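--- a/trunk/wp-admin/includes/post.php
+++ b/trunk/wp-admin/includes/post.php
@@ -66,12 +66,21 @@
     }
 
-    if ( ! $update && isset( $post_data['user_ID'] ) && ( $post_data['post_author'] != $post_data['user_ID'] )
+    if ( isset( $post_data['user_ID'] ) && ( $post_data['post_author'] != $post_data['user_ID'] )
          && ! current_user_can( $ptype->cap->edit_others_posts ) ) {
-
-        if ( 'page' == $post_data['post_type'] )
-            return new WP_Error( 'edit_others_pages', __( 'You are not allowed to create pages as this user.' ) );
-        else
-            return new WP_Error( 'edit_others_posts', __( 'You are not allowed to create posts as this user.' ) );
-    }
+        if ( $update ) {
+            if ( 'page' == $post_data['post_type'] )
+                return new WP_Error( 'edit_others_pages', __( 'You are not allowed to edit pages as this user.' ) );
+            else
+                return new WP_Error( 'edit_others_posts', __( 'You are not allowed to edit posts as this user.' ) );
+        } else {
+            if ( 'page' == $post_data['post_type'] )
+                return new WP_Error( 'edit_others_pages', __( 'You are not allowed to create pages as this user.' ) );
+            else
+                return new WP_Error( 'edit_others_posts', __( 'You are not allowed to create posts as this user.' ) );
+        }
+    }
+
+    if ( ! empty( $post_data['post_status'] ) )
+        $post_data['post_status'] = sanitize_key( $post_data['post_status'] );
 
     // What to do based on which button they pressed
@@ -93,8 +102,10 @@
     $previous_status = $post_id ? get_post_field( 'post_status', $post_id ) : false;
 
+    $published_statuses = array( 'publish', 'future' );
+
     // Posts 'submitted for approval' present are submitted to $_POST the same as if they were being published.
     // Change status from 'publish' to 'pending' if user lacks permissions to publish or to resave published posts.
-    if ( isset($post_data['post_status']) && ('publish' == $post_data['post_status'] && !current_user_can( $ptype->cap->publish_posts )) )
-        if ( $previous_status != 'publish' || !current_user_can( 'edit_post', $post_id ) )
+    if ( isset($post_data['post_status']) && (in_array( $post_data['post_status'], $published_statuses ) && !current_user_can( $ptype->cap->publish_posts )) )
+        if ( ! in_array( $previous_status, $published_statuses ) || !current_user_can( 'edit_post', $post_id ) )
             $post_data['post_status'] = 'pending';
 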
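Review bot: The author-override gate at new lines 68–69 decides whether the `edit_others_posts` capability is consulted by comparing the submitted `post_author` against `$post_data['user_ID']`, a value read from the same array as the data under review; unless `user_ID` is guaranteed to be populated from the session rather than the request (its origin is outside the hunk), the `!=` test depends on caller-controlled input and the capability check can be skipped for a consistent pair of values. Comparing against the authenticated user directly, `( $post_data['post_author'] != get_current_user_id() )`, ties the decision to the session and removes the dependency on the array value. The widened `in_array( $post_data['post_status'], $published_statuses )` and `in_array( $previous_status, $published_statuses )` checks at new lines 108–109 should pass `true` as the third argument: `$previous_status` is `false` when there is no `$post_id` and `post_status` has just been passed through `sanitize_key()`, so strict comparison costs nothing and sidesteps PHP's loose scalar/string comparison rules. `_wp_translate_post_data()` begins before the first hunk and continues after the second.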