WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#20474 closed defect (bug) (invalid)

cap fixes in _wp_insert_post

Reported by: nprasath002
Owned by: ryan
Milestone:
Priority: normal
Severity: critical
Version: 3.4
Component: XML-RPC
Keywords:
Focuses:
Cc:

Description

The patch validates 'publish_post' with post_ID to check whether the user is allowed to publish an already existing post.

Attachments (1)

_insert_post cap fixes.patch (1.8 KB) - added by nprasath002 2 years ago.

Change History (12)

comment:1 maxcutler 2 years ago

  • Milestone changed from Awaiting Review to 3.4

comment:2 ryan 2 years ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In [20568]:

Check the publish_post cap when publishing an already existing post.

Props nprasath002
Fixes #20474

comment:3 nacin 2 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

There isn't a publish_post cap...

comment:4 scribu 2 years ago

The magic of meta caps: current_user_can( 'publish_post', $post_data[ 'ID' ] ) )

That should work with all post types, right?

comment:5 scribu 2 years ago

  • Keywords needs-patch added; has-patch removed

comment:6 ryan 2 years ago

Well hell I thought we added that.

comment:7 ryan 2 years ago

get_post_type_capabilities() would also need an update. Probably not worth it for 3.4, but I think I'd like to finally do publish_post in 3.5 since this happens all the time.

comment:8 ryan 2 years ago

In [20576]:

Revert [20568] until a publish_post cap is introduced. see #20474

comment:9 ryan 2 years ago

There are edit_post/edit_posts checks above this block. I think all cap bases are covered.

comment:10 maxcutler 2 years ago

  • Resolution set to invalid
  • Status changed from reopened to closed

comment:11 SergeyBiryukov 2 years ago

  • Keywords needs-patch removed
  • Milestone 3.4 deleted
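
Added example, not WordPress core code and not part of the ticket: a simplified PHP model of the capability lookup discussed in comments 3 to 9. It assumes that a capability name with no meta-cap mapping is checked as a primitive capability; the role table, the user and post records, and the model_* function names are constructed for illustration.

```php
<?php
// Simplified model of meta-capability resolution (assumption, not core code).
// Constructed sample role table: primitive capabilities held by each role.
const ROLE_CAPS = [
    'editor'      => ['edit_posts', 'edit_others_posts', 'edit_published_posts', 'publish_posts'],
    'contributor' => ['edit_posts'],
];

// Map a requested capability to the primitive capabilities the user must hold.
function model_map_meta_cap(string $cap, int $user_id, ?array $post): array
{
    switch ($cap) {
        case 'edit_post': // per-post meta cap, resolved against the post itself
            if ($post === null) return ['do_not_allow'];
            $published = $post['status'] === 'publish';
            if ($post['author'] === $user_id) {
                return [$published ? 'edit_published_posts' : 'edit_posts'];
            }
            return $published
                ? ['edit_others_posts', 'edit_published_posts']
                : ['edit_others_posts'];
        default:
            // Assumption: with no mapping, the name itself is required as a primitive cap.
            return [$cap];
    }
}

function model_user_can(array $user, string $cap, ?array $post = null): bool
{
    $held = ROLE_CAPS[$user['role']];
    foreach (model_map_meta_cap($cap, $user['id'], $post) as $required) {
        if (!in_array($required, $held, true)) return false;
    }
    return true;
}

// Constructed sample data.
$draft = ['id' => 7, 'author' => 2, 'status' => 'draft'];
$users = [['id' => 1, 'role' => 'editor'], ['id' => 2, 'role' => 'contributor']];

foreach ($users as $u) {
    // Check from the reverted patch: 'publish_post' maps to nothing a role holds.
    $patched = model_user_can($u, 'publish_post', $draft);
    // Per-post edit_post check combined with the primitive publish_posts cap.
    $combined = model_user_can($u, 'edit_post', $draft) && model_user_can($u, 'publish_posts');
    printf("%-11s publish_post=%s edit_post+publish_posts=%s\n", $u['role'],
        var_export($patched, true), var_export($combined, true));
}
```

In this model the `publish_post` check denies every role, including the editor who holds `publish_posts`, while the combined check separates the editor from the contributor.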