Make WordPress Core

Opened 6 years ago

Closed 6 years ago

Last modified 5 years ago

#11873 closed defect (bug) (worksforme)

Contributors can restore posts trashed by editors

Reported by: scribu Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.9
Component: Trash Keywords:
Focuses: Cc:



editor - has the publish_posts capability

contributor - doesn't have the publish_posts capability

If an editor moves a post to trash, the post author is able to republish the post, even if he's a contributor.

Steps to reproduce:

  1. contributor: submit a post for review
  1. editor: publish post
  1. editor: trash post
  1. contributor: restore post

So, to prevent a contributor from republishing trashed posts, an editor has the following workarounds:

  • permanently delete the post
  • set the post status to 'pending' before trashing it

Neither of these is optimal.

[11873] doesn't seem to address this properly.

Change History (7)

#1 @scribu
6 years ago

  • Component changed from Administration to Trash

Ideally, a distinction should be made:

A contributor can restore one of his posts only if it was trashed by himself, not by an editor.

#2 @scribu
6 years ago

  • Summary changed from Contributors can restore trashed posts to Contributors can restore posts trashed by editors

#3 @azaozz
6 years ago

Contributors shouldn't be able to trash/untrash any published posts, that's not their role. We should be checking current_user_can('publish_posts') and perhaps have an exception when post_status in pending and post_author is a contributor.

#4 @scribu
6 years ago

Currently a contributor can see the contents of the trash, so I guess that should be addressed too.

How about a new capability: current_user_can('use_trash'). I think it would simplify a lot of the code related to Trash.

#5 @layotte
6 years ago

  • Resolution set to worksforme
  • Status changed from new to closed

Just tested this... it seems to be fixed in Trunk (04.24.2010). A contributor can still see the trash though, but cannot restore the post.


#6 @scribu
6 years ago

Yeah, it seems to be fixed now.

#7 @nacin
5 years ago

  • Milestone 3.0 deleted
Note: See TracTickets for help on using tickets.