Changeset 38378

Timestamp:

08/26/2016 06:22:28 PM (9 years ago)

Author:

johnbillion

Message:

Role/Capability: Only users who can manage options should be able to trash/delete the page for posts or the front page, as they are the only users who can restore it or subsequently alter the "Front page displays" setting.

Fixes #37580
Props JakePT

Location:

trunk

Files:

• src/wp-includes/capabilities.php (modified) (1 diff)
• tests/phpunit/tests/user/mapMetaCap.php (modified) (1 diff)

trunk/src/wp-includes/capabilities.php

@@ -66 +66 @@
                 break;
             }
+        }
+
+        if ( ( get_option( 'page_for_posts' ) == $post->ID ) || ( get_option( 'page_on_front' ) == $post->ID ) ) {
+            $caps[] = 'manage_options';
+            break;
         }
 

trunk/tests/phpunit/tests/user/mapMetaCap.php

@@ -256 +256 @@
 
     }
+
+    /**
+     * Test deleting front page.
+     *
+     * @ticket 37580
+     */
+    function test_only_users_who_can_manage_options_can_delete_page_on_front() {
+        $post_id = self::factory()->post->create( array(
+            'post_type'   => 'page',
+            'post_status' => 'publish',
+        ) );
+
+        update_option( 'page_on_front', $post_id );
+        $caps = map_meta_cap( 'delete_page', $this->user_id, $post_id );
+        delete_option( 'page_on_front' );
+
+        $this->assertEquals( array( 'manage_options' ), $caps );
+    }
+
+    /**
+     * Test deleting posts page.
+     *
+     * @ticket 37580
+     */
+    function test_only_users_who_can_manage_options_can_delete_page_for_posts() {
+        $post_id = self::factory()->post->create( array(
+            'post_type'   => 'page',
+            'post_status' => 'publish',
+        ) );
+
+        update_option( 'page_for_posts', $post_id );
+        $caps = map_meta_cap( 'delete_page', $this->user_id, $post_id );
+        delete_option( 'page_for_posts' );
+
+        $this->assertEquals( array( 'manage_options' ), $caps );
+    }
 }