Make WordPress Core


Timestamp:
12/09/2017 10:50:13 PM (7 years ago)
Author:
johnbillion
Message:

Role/Capability: When checking capabilities before setting a post slug, ensure the correct post type capabilities are used.

Previously, only the publish_posts capability was checked. Now, the correct meta or primitive capability for the post type is used where appropriate.

Props peterwilsoncc

Fixes #42464

File:
1 edited

  • trunk/src/wp-includes/post.php

    r42343 r42380  
    33053305    }
    33063306
    3307     // Don't allow contributors to set the post slug for pending review posts.
    3308     if ( 'pending' == $post_status && ! current_user_can( 'publish_posts' ) ) {
     3307    /*
     3308     * Don't allow contributors to set the post slug for pending review posts.
     3309     *
     3310     * For new posts check the primitive capability, for updates check the meta capability.
     3311     */
     3312    $post_type_object = get_post_type_object( $post_type );
     3313
     3314    if ( ! $update && 'pending' === $post_status && ! current_user_can( $post_type_object->cap->publish_posts ) ) {
     3315        $post_name = '';
     3316    } elseif ( $update && 'pending' === $post_status && ! current_user_can( 'publish_post', $post_ID ) ) {
    33093317        $post_name = '';
    33103318    }
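Review bot: New line 3314 dereferences `$post_type_object->cap->publish_posts` without checking that `get_post_type_object( $post_type )` on line 3312 returned an object. That function returns null for a post type that is not registered, so if `$post_type` can be an unregistered type at this point, the new-post branch reads a property on null, raises a PHP notice, and hands an empty capability to `current_user_can()`. Suggest guarding the lookup and failing closed, i.e. treating a missing post type object the same as a failed capability check so `$post_name` is still cleared for pending posts. Separately, both branches repeat `'pending' === $post_status` and the same assignment; testing the status once and then choosing the primitive or meta capability by `$update` would make it easier to confirm that no pending path skips the check.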