Make WordPress Core

Changeset 33378


Ignore:
Timestamp:
07/23/2015 04:18:49 AM (9 years ago)
Author:
pento
Message:

Capabilities: When creating an auto-draft, ensure that the current user still has permission to do so.

Merge of [33357] to the 3.8 branch.

Location:
branches/3.8
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • branches/3.8/src/wp-admin/includes/dashboard.php

    r32205 r33378  
    333333function wp_dashboard_quick_press( $error_msg = false ) {
    334334    global $post_ID;
     335
     336    if ( ! current_user_can( 'edit_posts' ) ) {
     337        return;
     338    }
    335339
    336340    /* Check if a new auto-draft (= no new post_ID) is needed or if the old can be used */
  • branches/3.8/src/wp-admin/post.php

    r26960 r33378  
    110110        $error_msg = __( 'Unable to submit this form, please refresh and try again.' );
    111111
    112     if ( ! current_user_can( 'edit_posts' ) )
    113         $error_msg = __( 'Oops, you don’t have access to add new drafts.' );
     112    if ( ! current_user_can( 'edit_posts' ) ) {
     113        exit;
     114    }
    114115
    115116    if ( $error_msg )
  • branches/3.8/src/wp-includes/capabilities.php

    r32201 r33378  
    11051105    case 'edit_page':
    11061106        $post = get_post( $args[0] );
    1107         if ( empty( $post ) )
     1107        if ( empty( $post ) ) {
     1108            $caps[] = 'do_not_allow';
    11081109            break;
     1110        }
    11091111
    11101112        if ( 'revision' == $post->post_type ) {
  • branches/3.8/tests/phpunit/tests/user/capabilities.php

    r32201 r33378  
    699699        wp_set_current_user( $old_uid );
    700700    }
     701
     702    function test_subscriber_cant_edit_posts() {
     703        $user = new WP_User( $this->factory->user->create( array( 'role' => 'subscriber' ) ) );
     704        wp_set_current_user( $user->ID );
     705
     706        $post = $this->factory->post->create( array( 'post_author' => 1 ) );
     707
     708        $this->assertFalse( current_user_can( 'edit_post', $post ) );
     709        $this->assertFalse( current_user_can( 'edit_post', $post + 1 ) );
     710    }
    701711}
Note: See TracChangeset for help on using the changeset viewer.