Changeset 33379

Timestamp:

07/23/2015 04:26:36 AM (10 years ago)

Author:

pento

Message:

Capabilities: When creating an auto-draft, ensure that the current user still has permission to do so.

Partial merge of [33357] to the 3.7 branch.

Location:

branches/3.7

Files:

• src/wp-admin/includes/dashboard.php (modified) (1 diff)
• src/wp-includes/capabilities.php (modified) (1 diff)
• tests/phpunit/tests/user/capabilities.php (modified) (1 diff)

branches/3.7/src/wp-admin/includes/dashboard.php

@@ -487 +487 @@
         printf('<p class="easy-blogging">' . __('You can also try %s, easy blogging from anywhere on the Web.') . '</p>', '<a href="' . esc_url( admin_url( 'tools.php' ) ) . '">' . __('Press This') . '</a>' );
         $_REQUEST = array(); // hack for get_default_post_to_edit()
+    }
+
+    if ( ! current_user_can( 'edit_posts' ) ) {
+        return;
     }
 

branches/3.7/src/wp-includes/capabilities.php

@@ -1074 +1074 @@
     case 'edit_page':
         $post = get_post( $args[0] );
-        if ( empty( $post ) )
+        if ( empty( $post ) ) {
+            $caps[] = 'do_not_allow';
             break;
+        }
 
         if ( 'revision' == $post->post_type ) {

branches/3.7/tests/phpunit/tests/user/capabilities.php

@@ -699 +699 @@
         wp_set_current_user( $old_uid );
     }
+
+    function test_subscriber_cant_edit_posts() {
+        $user = new WP_User( $this->factory->user->create( array( 'role' => 'subscriber' ) ) );
+        wp_set_current_user( $user->ID );
+
+        $post = $this->factory->post->create( array( 'post_author' => 1 ) );
+
+        $this->assertFalse( current_user_can( 'edit_post', $post ) );
+        $this->assertFalse( current_user_can( 'edit_post', $post + 1 ) );
+    }
 }