
Changeset 35747


Timestamp:
11/29/2015 02:24:15 AM (9 years ago)
Author:
johnbillion
Message:

When a post is scheduled for publication, treat it the same as a published post when calculating the capabilities required to edit or delete it.

Fixes #33694

Location:
trunk
Files:
2 edited

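--- a/trunk/src/wp-includes/capabilities.php
+++ b/trunk/src/wp-includes/capabilities.php
@@ -84,10 +84,13 @@
         // If the post author is set and the user is the author...
         if ( $post->post_author && $user_id == $post->post_author ) {
-            // If the post is published...
-            if ( 'publish' == $post->post_status ) {
+            // If the post is published or scheduled...
+            if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) {
                 $caps[] = $post_type->cap->delete_published_posts;
             } elseif ( 'trash' == $post->post_status ) {
-                if ( 'publish' == get_post_meta( $post->ID, '_wp_trash_meta_status', true ) ) {
+                $status = get_post_meta( $post->ID, '_wp_trash_meta_status', true );
+                if ( in_array( $status, array( 'publish', 'future' ), true ) ) {
                     $caps[] = $post_type->cap->delete_published_posts;
+                } else {
+                    $caps[] = $post_type->cap->delete_posts;
                 }
             } else {
@@ -98,6 +101,6 @@
             // The user is trying to edit someone else's post.
             $caps[] = $post_type->cap->delete_others_posts;
-            // The post is published, extra cap required.
-            if ( 'publish' == $post->post_status ) {
+            // The post is published or scheduled, extra cap required.
+            if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) {
                 $caps[] = $post_type->cap->delete_published_posts;
             } elseif ( 'private' == $post->post_status ) {
@@ -142,10 +145,13 @@
         // If the post author is set and the user is the author...
         if ( $post->post_author && $user_id == $post->post_author ) {
-            // If the post is published...
-            if ( 'publish' == $post->post_status ) {
+            // If the post is published or scheduled...
+            if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) {
                 $caps[] = $post_type->cap->edit_published_posts;
             } elseif ( 'trash' == $post->post_status ) {
-                if ( 'publish' == get_post_meta( $post->ID, '_wp_trash_meta_status', true ) ) {
+                $status = get_post_meta( $post->ID, '_wp_trash_meta_status', true );
+                if ( in_array( $status, array( 'publish', 'future' ), true ) ) {
                     $caps[] = $post_type->cap->edit_published_posts;
+                } else {
+                    $caps[] = $post_type->cap->edit_posts;
                 }
             } else {
@@ -156,6 +162,6 @@
             // The user is trying to edit someone else's post.
             $caps[] = $post_type->cap->edit_others_posts;
-            // The post is published, extra cap required.
-            if ( 'publish' == $post->post_status ) {
+            // The post is published or scheduled, extra cap required.
+            if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) {
                 $caps[] = $post_type->cap->edit_published_posts;
             } elseif ( 'private' == $post->post_status ) {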
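Review bot: A trashed post whose `_wp_trash_meta_status` meta is missing or holds an unexpected value drops to the weaker `delete_posts` / `edit_posts` check in the new `else` branches (new lines 93-94 and 154-155), so the pre-trash status stored in post meta is acting as an authorization input. `get_post_meta( ..., true )` returns an empty string for an absent key, and whether anything other than the trash routine can write or clear this key is not visible in these hunks, so that is worth confirming. At minimum I would document the fallback above each `else`, e.g. `// Pre-trash status is read from post meta; anything other than publish/future, including a missing value, needs only the base capability.` The `array( 'publish', 'future' )` literal is also repeated six times across the four hunks; a single local such as `$published_statuses = array( 'publish', 'future' );` would keep the delete and edit checks from drifting apart. The enclosing function starts and ends outside the hunks.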
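--- a/trunk/tests/phpunit/tests/user/capabilities.php
+++ b/trunk/tests/phpunit/tests/user/capabilities.php
@@ -982,4 +982,38 @@
     }
 
+    /**
+     * @ticket 33694
+     */
+    function test_contributor_cannot_edit_scheduled_post() {
+
+        // Add a contributor
+        $contributor = $this->factory->user->create_and_get( array(
+            'role' => 'contributor',
+        ) );
+
+        // Give them a scheduled post
+        $post = $this->factory->post->create_and_get( array(
+            'post_author' => $contributor->ID,
+            'post_status' => 'future',
+        ) );
+
+        // Ensure contributor can't edit or trash the post
+        $this->assertFalse( user_can( $contributor->ID, 'edit_post', $post->ID ) );
+        $this->assertFalse( user_can( $contributor->ID, 'delete_post', $post->ID ) );
+
+        // Test the tests
+        $this->assertTrue( defined( 'EMPTY_TRASH_DAYS' ) );
+        $this->assertNotEmpty( EMPTY_TRASH_DAYS );
+
+        // Trash it
+        $trashed = wp_trash_post( $post->ID );
+        $this->assertNotEmpty( $trashed );
+
+        // Ensure contributor can't edit, un-trash, or delete the post
+        $this->assertFalse( user_can( $contributor->ID, 'edit_post', $post->ID ) );
+        $this->assertFalse( user_can( $contributor->ID, 'delete_post', $post->ID ) );
+
+    }
+
     function test_multisite_administrator_with_manage_network_users_can_edit_users() {
         if ( ! is_multisite() ) {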
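Review bot: The post is created with `'post_status' => 'future'` but no future `post_date` (new lines 995-998), and the test never checks which status was actually stored. wp_insert_post() is expected to normalise a scheduled status whose date is not in the future back to 'publish' (its code is not on this page, so please confirm); if it does, every assertFalse here would pass even without the capabilities.php change. I would add `'post_date' => gmdate( 'Y-m-d H:i:s', time() + DAY_IN_SECONDS ),` to the factory arguments and `$this->assertSame( 'future', $post->post_status );` right after creation, plus `$this->assertSame( 'future', get_post_meta( $post->ID, '_wp_trash_meta_status', true ) );` after the trash step so the trashed branch is pinned to the scheduled case. Only the author branch is exercised; the "someone else's post" branches changed in the same commit have no test here.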