Changeset 33357

Timestamp:

07/22/2015 04:01:53 AM (9 years ago)

Author:

pento

Message:

Capabilities: When creating an auto-draft, ensure that the current user still has permission to do so.

Location:

trunk

Files:

• src/wp-admin/includes/dashboard.php (modified) (1 diff)
• src/wp-admin/post.php (modified) (1 diff)
• src/wp-includes/capabilities.php (modified) (1 diff)
• tests/phpunit/tests/user/capabilities.php (modified) (1 diff)

trunk/src/wp-admin/includes/dashboard.php

@@ -442 +442 @@
 function wp_dashboard_quick_press( $error_msg = false ) {
     global $post_ID;
+
+    if ( ! current_user_can( 'edit_posts' ) ) {
+        return;
+    }
 
     /* Check if a new auto-draft (= no new post_ID) is needed or if the old can be used */

trunk/src/wp-admin/post.php

@@ -121 +121 @@
         $error_msg = __( 'Unable to submit this form, please refresh and try again.' );
 
-    if ( ! current_user_can( 'edit_posts' ) )
-        $error_msg = __( 'Oops, you don’t have access to add new drafts.' );
+    if ( ! current_user_can( 'edit_posts' ) ) {
+        exit;
+    }
 
     if ( $error_msg )

trunk/src/wp-includes/capabilities.php

@@ -1189 +1189 @@
     case 'edit_page':
         $post = get_post( $args[0] );
-        if ( empty( $post ) )
+        if ( empty( $post ) ) {
+            $caps[] = 'do_not_allow';
             break;
+        }
 
         if ( 'revision' == $post->post_type ) {

trunk/tests/phpunit/tests/user/capabilities.php

@@ -927 +927 @@
         $this->assertFalse( $user->has_cap( 'publish_pages' ) );
     }
+
+    function test_subscriber_cant_edit_posts() {
+        $user = new WP_User( $this->factory->user->create( array( 'role' => 'subscriber' ) ) );
+        wp_set_current_user( $user->ID );
+
+        $post = $this->factory->post->create( array( 'post_author' => 1 ) );
+
+        $this->assertFalse( current_user_can( 'edit_post', $post ) );
+        $this->assertFalse( current_user_can( 'edit_post', $post + 1 ) );
+    }
 }