WordPress.org

Make WordPress Core


Timestamp:
07/06/2015 10:40:59 PM (3 years ago)
Author:
obenland
Message:

Check for all required caps before (un)sticking a post.

In cases where a user has the edit_others_posts capability but not
publish_posts, it was possible for that user to unstick a post after editing,
since the input field was never made available in that context.

Props ericmann, chriscct7.
Fixes #24153.

File:
1 edited

  • trunk/src/wp-admin/includes/post.php

    r33054 r33096  
    386386    wp_set_post_lock( $post_ID );
    387387
    388     if ( current_user_can( $ptype->cap->edit_others_posts ) ) {
     388    if ( current_user_can( $ptype->cap->edit_others_posts ) && current_user_can( $ptype->cap->publish_posts ) ) {
    389389        if ( ! empty( $post_data['sticky'] ) )
    390390            stick_post( $post_ID );
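Review bot: The combined capability check on new line 388 has no comment explaining why `publish_posts` is required alongside `edit_others_posts`, and the changeset edits only post.php, so no test guards the fix against regression. Going by the commit message, the sticky field is not made available to a user who lacks `publish_posts`, so an absent `$post_data['sticky']` from that user must not be treated as a request to unstick; a one-line comment above the `if` saying so would keep a later refactor from dropping the second check. A unit test that saves an already sticky post as a user with `edit_others_posts` but without `publish_posts`, and asserts the post is still sticky afterwards, would pin the behaviour. As a style point, the inner `if ( ! empty( $post_data['sticky'] ) )` on line 389 has no braces.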