WordPress.org

Make WordPress Core

Changeset 46897


Ignore:
Timestamp:
12/12/2019 06:07:23 PM (13 months ago)
Author:
whyisjake
Message:

Ensure that a user can publish_posts before making a post sticky.

Props: danielbachhuber, whyisjake, peterwilson, xknown.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/5.3/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

    r46435 r46897  
    499499        }
    500500
    501         if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
     501        if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
    502502            return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
    503503        }
     
    654654        }
    655655
    656         if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
     656        if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
    657657            return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
    658658        }
     
    956956     */
    957957    protected function prepare_item_for_database( $request ) {
    958         $prepared_post = new stdClass;
     958        $prepared_post = new stdClass();
    959959
    960960        // Post ID.
Note: See TracChangeset for help on using the changeset viewer.