WordPress.org

Make WordPress Core

Changeset 33096


Ignore:
Timestamp:
07/06/2015 10:40:59 PM (3 years ago)
Author:
obenland
Message:

Check for all required caps before (un)sticking a post.

In cases where a user has the edit_others_posts capability but not
publish_posts, it was possible for that user to unstick a post after editing,
since the input field was never made available in that context.

Props ericmann, chriscct7.
Fixes #24153.

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-admin/includes/post.php

    r33054 r33096  
    386386    wp_set_post_lock( $post_ID );
    387387
    388     if ( current_user_can( $ptype->cap->edit_others_posts ) ) {
     388    if ( current_user_can( $ptype->cap->edit_others_posts ) && current_user_can( $ptype->cap->publish_posts ) ) {
    389389        if ( ! empty( $post_data['sticky'] ) )
    390390            stick_post( $post_ID );
  • trunk/tests/phpunit/tests/post.php

    r33041 r33096  
    10241024        _unregister_post_type( $post_type );
    10251025    }
     1026
     1027    /**
     1028     * If a post is sticky and is updated by a user that does not have the publish_post capability, it should _stay_
     1029     * sticky.
     1030     *
     1031     * @ticket 24153
     1032     */
     1033    function test_user_without_publish_cannot_affect_sticky() {
     1034        // Create a role with edit_others_posts.
     1035        add_role( 'grammarian', 'Grammarian', array(
     1036            'read'                 => true,
     1037            'edit_posts'           => true,
     1038            'edit_others_posts'    => true,
     1039            'edit_published_posts' => true,
     1040        ) );
     1041        $editor_user = $this->factory->user->create( array( 'role' => 'grammarian' ) );
     1042        $old_uid = get_current_user_id();
     1043        wp_set_current_user( $editor_user );
     1044
     1045        // Sanity Check.
     1046        $this->assertFalse( current_user_can( 'publish_posts' ) );
     1047        $this->assertTrue( current_user_can( 'edit_others_posts' ) );
     1048        $this->assertTrue( current_user_can( 'edit_published_posts' ) );
     1049
     1050        // Create a sticky post.
     1051        $post = $this->factory->post->create_and_get( array(
     1052            'post_title'   => 'Will be changed',
     1053            'post_content' => 'Will be changed',
     1054        ) );
     1055        stick_post( $post->ID );
     1056
     1057        // Sanity Check.
     1058        $this->assertTrue( is_sticky( $post->ID ) );
     1059
     1060        // Edit the post.
     1061        $post->post_title = 'Updated';
     1062        $post->post_content = 'Updated';
     1063        wp_update_post( $post );
     1064
     1065        // Make sure it's still sticky.
     1066        $saved_post = get_post( $post->ID );
     1067        $this->assertTrue( is_sticky( $saved_post->ID ) );
     1068        $this->assertEquals( 'Updated', $saved_post->post_title );
     1069        $this->assertEquals( 'Updated', $saved_post->post_content );
     1070
     1071        // Teardown
     1072        wp_set_current_user( $old_uid );
     1073    }
     1074
     1075    /**
     1076     * If the `edit_post()` method is invoked by a user without publish_posts permission, the sticky status of the post
     1077     * should not be changed.
     1078     *
     1079     * @ticket 24153
     1080     */
     1081    function test_user_without_publish_cannot_affect_sticky_with_edit_post() {
     1082        // Create a sticky post.
     1083        $post = $this->factory->post->create_and_get( array(
     1084            'post_title'   => 'Will be changed',
     1085            'post_content' => 'Will be changed',
     1086        ) );
     1087        stick_post( $post->ID );
     1088
     1089        // Sanity Check.
     1090        $this->assertTrue( is_sticky( $post->ID ) );
     1091
     1092        // Create a role with edit_others_posts.
     1093        add_role( 'grammarian', 'Grammarian', array(
     1094            'read'                 => true,
     1095            'edit_posts'           => true,
     1096            'edit_others_posts'    => true,
     1097            'edit_published_posts' => true,
     1098        ) );
     1099        $editor_user = $this->factory->user->create( array( 'role' => 'grammarian' ) );
     1100        $old_uid = get_current_user_id();
     1101        wp_set_current_user( $editor_user );
     1102
     1103        // Sanity Check.
     1104        $this->assertFalse( current_user_can( 'publish_posts' ) );
     1105        $this->assertTrue( current_user_can( 'edit_others_posts' ) );
     1106        $this->assertTrue( current_user_can( 'edit_published_posts' ) );
     1107
     1108        // Edit the post - The key 'sticky' is intentionally unset.
     1109        $data = array(
     1110            'post_ID'      => $post->ID,
     1111            'post_title'   => 'Updated',
     1112            'post_content' => 'Updated',
     1113        );
     1114        edit_post( $data );
     1115
     1116        // Make sure it's still sticky
     1117        $saved_post = get_post( $post->ID );
     1118        $this->assertTrue( is_sticky( $saved_post->ID ) );
     1119        $this->assertEquals( 'Updated', $saved_post->post_title );
     1120        $this->assertEquals( 'Updated', $saved_post->post_content );
     1121
     1122        // Teardown
     1123        wp_set_current_user( $old_uid );
     1124    }
    10261125}
Note: See TracChangeset for help on using the changeset viewer.