
Changeset 33379


Ignore:
Timestamp:
07/23/2015 04:26:36 AM (9 years ago)
Author:
pento
Message:

Capabilities: When creating an auto-draft, ensure that the current user still has permission to do so.

Partial merge of [33357] to the 3.7 branch.

Location:
branches/3.7
Files:
3 edited

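--- a/branches/3.7/src/wp-admin/includes/dashboard.php
+++ b/branches/3.7/src/wp-admin/includes/dashboard.php
@@ -487,4 +487,8 @@
         printf('<p class="easy-blogging">' . __('You can also try %s, easy blogging from anywhere on the Web.') . '</p>', '<a href="' . esc_url( admin_url( 'tools.php' ) ) . '">' . __('Press This') . '</a>' );
         $_REQUEST = array(); // hack for get_default_post_to_edit()
+    }
+
+    if ( ! current_user_can( 'edit_posts' ) ) {
+        return;
     }
 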
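Review bot: The new guard on new-side lines 491-493 returns silently, and nothing in the hunk says why a user without `edit_posts` must leave here; the only hint is the `// hack for get_default_post_to_edit()` comment above it, which presumably names the call that would create the auto-draft. A why-comment on the guard would record the intent for the next reader, e.g. `// Bail before get_default_post_to_edit() creates an auto-draft on behalf of a user who cannot edit posts.` The enclosing function starts before this hunk and continues after it, so I cannot confirm from here whether the early return also skips output the widget should still render for non-editors; worth a quick check on the lines that follow.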
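--- a/branches/3.7/src/wp-includes/capabilities.php
+++ b/branches/3.7/src/wp-includes/capabilities.php
@@ -1074,6 +1074,8 @@
     case 'edit_page':
         $post = get_post( $args[0] );
-        if ( empty( $post ) )
+        if ( empty( $post ) ) {
+            $caps[] = 'do_not_allow';
             break;
+        }
 
         if ( 'revision' == $post->post_type ) {
</code_placeholder_never_emitted>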
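Review bot: The `empty( $post )` check on new-side line 1076 only catches a post that `get_post()` could not find; if `$args[0]` is itself empty (no ID passed, or `0`), `get_post()` in WordPress of this era falls back to the global `$post` rather than returning nothing, so the `do_not_allow` branch would not fire and the capability check would be evaluated against whatever post happens to be global — worth confirming on this branch and, if so, guarding `empty( $args[0] )` too. A short comment on the new branch would also record why the deny is needed, since the test added in this changeset suggests a missing post previously fell through with `$caps` untouched: `// A post that does not exist can never be edited; deny explicitly rather than fall through with an empty cap list.` The switch this `case` belongs to starts before the hunk, and the commit message calls this a partial merge, so sibling cases for the same meta caps (delete/read/publish) may still have the old fall-through behaviour.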
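--- a/branches/3.7/tests/phpunit/tests/user/capabilities.php
+++ b/branches/3.7/tests/phpunit/tests/user/capabilities.php
@@ -699,3 +699,13 @@
         wp_set_current_user( $old_uid );
     }
+
+    function test_subscriber_cant_edit_posts() {
+        $user = new WP_User( $this->factory->user->create( array( 'role' => 'subscriber' ) ) );
+        wp_set_current_user( $user->ID );
+
+        $post = $this->factory->post->create( array( 'post_author' => 1 ) );
+
+        $this->assertFalse( current_user_can( 'edit_post', $post ) );
+        $this->assertFalse( current_user_can( 'edit_post', $post + 1 ) );
+    }
 }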
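Review bot: The new test switches the current user to the subscriber on new-side line 704 and never switches back, whereas the test that ends just above it restores the previous user with `wp_set_current_user( $old_uid )` on line 699; a later test in this file that depends on the current user could inherit the subscriber. Follow the sibling pattern: capture the previous user before switching (e.g. `$old_uid = get_current_user_id();`) and call `wp_set_current_user( $old_uid );` after the assertions. The `$post + 1` assertion on line 709 relies on no post having that ID at the moment of the call; a comment such as `// An ID no post has: must be denied, not granted by an empty cap list.` would record that intent, and an ID that cannot collide with other fixtures (a very large integer) would be more robust.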