
Changeset 33358


Timestamp:
07/22/2015 04:05:17 AM (9 years ago)
Author:
pento
Message:

Capabilities: When creating an auto-draft, ensure that the current user still has permission to do so.

Merge of [33357] to the 4.2 branch.

Location:
branches/4.2
Files:
4 edited

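--- a/branches/4.2/src/wp-admin/includes/dashboard.php
+++ b/branches/4.2/src/wp-admin/includes/dashboard.php
@@ -418,4 +418,8 @@
 function wp_dashboard_quick_press( $error_msg = false ) {
     global $post_ID;
+
+    if ( ! current_user_can( 'edit_posts' ) ) {
+        return;
+    }
 
     /* Check if a new auto-draft (= no new post_ID) is needed or if the old can be used */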
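Review bot: The new early return in wp_dashboard_quick_press carries no explanation of why a dashboard widget requires `edit_posts`; the changeset message says the body goes on to create an auto-draft, but that part of the function is outside the hunk. A one-line comment above the check, `// Bail before an auto-draft is created: only users who can edit posts may do so.`, records the intent for the next reader. Since the function simply returns, the widget presumably renders empty for such users, which may be the intended outcome but is worth stating. The function body continues past the end of the hunk.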
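--- a/branches/4.2/src/wp-admin/post.php
+++ b/branches/4.2/src/wp-admin/post.php
@@ -116,6 +116,7 @@
         $error_msg = __( 'Unable to submit this form, please refresh and try again.' );
 
-    if ( ! current_user_can( 'edit_posts' ) )
-        $error_msg = __( 'Oops, you don’t have access to add new drafts.' );
+    if ( ! current_user_can( 'edit_posts' ) ) {
+        exit;
+    }
 
     if ( $error_msg )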
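Review bot: The bare `exit;` that replaces the error message ends the request with whatever status was already set (normally 200) and an empty body, so an unauthorised quick-draft submission is indistinguishable from a successful one in access logs and to the client. The removed line already carried a suitable translated message; `wp_die( __( 'Oops, you don’t have access to add new drafts.' ), '', array( 'response' => 403 ) );` in place of `exit;` would keep the fix while making the refusal explicit. Whether this branch is reached via a plain form post or an AJAX call is not visible from the hunk, so the appropriate die handler may differ. The enclosing handler block starts and ends outside the hunk.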
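--- a/branches/4.2/src/wp-includes/capabilities.php
+++ b/branches/4.2/src/wp-includes/capabilities.php
@@ -1144,6 +1144,8 @@
     case 'edit_page':
         $post = get_post( $args[0] );
-        if ( empty( $post ) )
+        if ( empty( $post ) ) {
+            $caps[] = 'do_not_allow';
             break;
+        }
 
         if ( 'revision' == $post->post_type ) {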
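Review bot: The added `$caps[] = 'do_not_allow';` for a missing post has no comment saying why an explicit denial is needed instead of the previous plain `break`; presumably breaking with `$caps` still empty left nothing for the capability check to require, which is the hole this changeset closes, but that cannot be seen from the hunk. A comment such as `// A nonexistent post can never be edited: deny explicitly instead of breaking with no required caps.` would keep the reasoning next to the code. If the sibling cases for reading or deleting a post use the same empty-post early break, they would need the same treatment; they, and the rest of the switch, are outside the hunk.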
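--- a/branches/4.2/tests/phpunit/tests/user/capabilities.php
+++ b/branches/4.2/tests/phpunit/tests/user/capabilities.php
@@ -742,3 +742,13 @@
         $this->assertFalse( $user->has_cap( 'publish_pages' ) );
     }
+
+    function test_subscriber_cant_edit_posts() {
+        $user = new WP_User( $this->factory->user->create( array( 'role' => 'subscriber' ) ) );
+        wp_set_current_user( $user->ID );
+
+        $post = $this->factory->post->create( array( 'post_author' => 1 ) );
+
+        $this->assertFalse( current_user_can( 'edit_post', $post ) );
+        $this->assertFalse( current_user_can( 'edit_post', $post + 1 ) );
+    }
 }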
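Review bot: The new test shows a subscriber is denied `edit_post` on a nonexistent ID, but not that a user who does hold `edit_posts` is denied too, which is the case the new `do_not_allow` in capabilities.php specifically decides. Adding `$editor = new WP_User( $this->factory->user->create( array( 'role' => 'editor' ) ) );`, `wp_set_current_user( $editor->ID );` and `$this->assertFalse( current_user_can( 'edit_post', $post + 1 ) );` at the end of the method would pin that behaviour. `$post + 1` relies on no post having been created with that ID in the meantime; a short comment stating that assumption would make the second assertion's intent clear to the next reader.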