WordPress.org

Make WordPress Core

Changeset 33357


Ignore:
Timestamp:
07/22/2015 04:01:53 AM (4 years ago)
Author:
pento
Message:

Capabilities: When creating an auto-draft, ensure that the current user still has permission to do so.

Location:
trunk
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-admin/includes/dashboard.php

    r33192 r33357  
    442442function wp_dashboard_quick_press( $error_msg = false ) {
    443443    global $post_ID;
     444
     445    if ( ! current_user_can( 'edit_posts' ) ) {
     446        return;
     447    }
    444448
    445449    /* Check if a new auto-draft (= no new post_ID) is needed or if the old can be used */
  • trunk/src/wp-admin/post.php

    r33054 r33357  
    121121        $error_msg = __( 'Unable to submit this form, please refresh and try again.' );
    122122
    123     if ( ! current_user_can( 'edit_posts' ) )
    124         $error_msg = __( 'Oops, you don’t have access to add new drafts.' );
     123    if ( ! current_user_can( 'edit_posts' ) ) {
     124        exit;
     125    }
    125126
    126127    if ( $error_msg )
  • trunk/src/wp-includes/capabilities.php

    r33214 r33357  
    11891189    case 'edit_page':
    11901190        $post = get_post( $args[0] );
    1191         if ( empty( $post ) )
     1191        if ( empty( $post ) ) {
     1192            $caps[] = 'do_not_allow';
    11921193            break;
     1194        }
    11931195
    11941196        if ( 'revision' == $post->post_type ) {
  • trunk/tests/phpunit/tests/user/capabilities.php

    r32812 r33357  
    927927        $this->assertFalse( $user->has_cap( 'publish_pages' ) );
    928928    }
     929
     930    function test_subscriber_cant_edit_posts() {
     931        $user = new WP_User( $this->factory->user->create( array( 'role' => 'subscriber' ) ) );
     932        wp_set_current_user( $user->ID );
     933
     934        $post = $this->factory->post->create( array( 'post_author' => 1 ) );
     935
     936        $this->assertFalse( current_user_can( 'edit_post', $post ) );
     937        $this->assertFalse( current_user_can( 'edit_post', $post + 1 ) );
     938    }
    929939}
Note: See TracChangeset for help on using the changeset viewer.