WordPress.org

Make WordPress Core


Ignore:
Timestamp:
02/04/2020 10:13:15 PM (21 months ago)
Author:
SergeyBiryukov
Message:

Posts, Post Types: Fail gracefully when checking mapped cap against unregistered post status.

With map_meta_cap enabled for a post type, the read_post capability for posts with a public status is supposed to be mapped to the post type's read capability.

When a post is left in the database after the post status is no longer present, and WP does a read_post check against it, a PHP notice was thrown, and the cap check always failed.

As a more graceful fallback, the cap is now mapped onto edit_others_posts, which allows highly privileged users to be able to access orphaned content.

A _doing_it_wrong() notice is also added, so that developers and site administrators are aware that the cap mapping is failing in the absence of the registered post status.

Follow-up to [34091], which introduced a similar approach to checking mapped caps against an unregistered post type.

Props roytanck, SergeyBiryukov.
Fixes #48653.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/tests/phpunit/tests/user/capabilities.php

    r47122 r47178  
    17751775
    17761776    /**
     1777     * @ticket 48653
     1778     * @expectedIncorrectUsage map_meta_cap
     1779     */
     1780    function test_require_edit_others_posts_if_post_status_doesnt_exist() {
     1781        register_post_status( 'existed' );
     1782        $post_id = self::factory()->post->create( array( 'post_status' => 'existed' ) );
     1783        _unregister_post_status( 'existed' );
     1784
     1785        $subscriber_id = self::$users['subscriber']->ID;
     1786        $editor_id     = self::$users['editor']->ID;
     1787
     1788        foreach ( array( 'read_post', 'read_page' ) as $cap ) {
     1789            wp_set_current_user( $subscriber_id );
     1790            $this->assertSame( array( 'edit_others_posts' ), map_meta_cap( $cap, $subscriber_id, $post_id ) );
     1791            $this->assertFalse( current_user_can( $cap, $post_id ) );
     1792
     1793            wp_set_current_user( $editor_id );
     1794            $this->assertSame( array( 'edit_others_posts' ), map_meta_cap( $cap, $editor_id, $post_id ) );
     1795            $this->assertTrue( current_user_can( $cap, $post_id ) );
     1796        }
     1797    }
     1798
     1799    /**
    17771800     * @ticket 17253
    17781801     */
Note: See TracChangeset for help on using the changeset viewer.