Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#20474 closed defect (bug) (invalid)

cap fixes in _wp_insert_post

Reported by: nprasath002
Owned by: ryan
Milestone:
Priority: normal
Severity: critical
Version: 3.4
Component: XML-RPC
Keywords:
Focuses:
Cc:


The patch validates 'publish_post' with post_ID to check whether the user is allowed to publish an already existing post.

Attachments (1)

_insert_post cap fixes.patch (1.8 KB) - added by nprasath002 12 years ago.


Change History (12)

#1 @maxcutler
12 years ago

  • Milestone changed from Awaiting Review to 3.4

#2 @ryan
12 years ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In [20568]:

Check the publish_post cap when publishing an already existing post.

Props nprasath002
Fixes #20474

#3 @nacin
12 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

There isn't a publish_post cap...

#4 @scribu
12 years ago

The magic of meta caps: current_user_can( 'publish_post', $post_data[ 'ID' ] )

That should work with all post types, right?

#5 @scribu
12 years ago

  • Keywords needs-patch added; has-patch removed

#6 @ryan
12 years ago

Well hell I thought we added that.

#7 @ryan
12 years ago

get_post_type_capabilities() would also need an update. Probably not worth it for 3.4, but I think I'd like to finally do publish_post in 3.5 since this happens all the time.

#8 @ryan
12 years ago

In [20576]:

Revert [20568] until a publish_post cap is introduced. see #20474

#9 @ryan
12 years ago

There are edit_post/edit_posts checks above this block. I think all cap bases are covered.

#10 @maxcutler
12 years ago

  • Resolution set to invalid
  • Status changed from reopened to closed

#11 @SergeyBiryukov
12 years ago

  • Keywords needs-patch removed
  • Milestone 3.4 deleted