Changeset 46897

Timestamp:

12/12/2019 06:07:23 PM (5 years ago)

Author:

whyisjake

Message:

Ensure that a user can publish_posts before making a post sticky.

Props: danielbachhuber, whyisjake, peterwilson, xknown.

File:

• branches/5.3/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php (modified) (3 diffs)

branches/5.3/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

@@ -499 +499 @@
         }
 
-        if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
+        if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
             return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
         }
@@ -654 +654 @@
         }
 
-        if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
+        if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
             return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
         }
@@ -956 +956 @@
      */
     protected function prepare_item_for_database( $request ) {
-        $prepared_post = new stdClass;
+        $prepared_post = new stdClass();
 
         // Post ID.