Opened 12 years ago
Closed 12 years ago
#22417 closed defect (bug) (fixed)
_wp_translate_postdata() should use current_user_can( $ptype->cap->edit_post, $post_id )
Reported by: | danielbachhuber | Owned by: | westi |
---|---|---|---|
Milestone: | 3.5 | Priority: | low |
Severity: | normal | Version: | |
Component: | Role/Capability | Keywords: | has-patch |
Focuses: | Cc: |
Description
Similar to #22415, _wp_translate_postdata() should use current_user_can( $ptype->cap->edit_post, $post_id )
here:
    $ptype = get_post_type_object( $post_data['post_type'] );
    if ( isset($post_data['user_ID']) && ($post_data['post_author'] != $post_data['user_ID']) ) {
        if ( !current_user_can( $ptype->cap->edit_others_posts ) ) {
I think this is problematic too:
    if ( $previous_status != 'publish' || !current_user_can( 'edit_post', $post_id ) )
        $post_data['post_status'] = 'pending';
Switching to current_user_can( $ptype->cap->edit_post, $post_id )
would mean that the context could be appropriately filtered.
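The following is an added example for this ticket, not WordPress core code. It is a deliberately small stand-in for get_post_type_object(), map_meta_cap() and WP_User::has_cap() that keeps only the behaviour the report turns on: a meta capability is mapped to primitive capabilities by the post-author check, and the 'user_has_cap' filter receives the capability name that was actually asked for. The 'book' post type, the 'edit_book' capability name, the locked-post rule, the stub function names and the $user_has_cap_filters array are all assumptions made for the illustration; which filter the reporter has in mind is not stated on the ticket.

```php
<?php
// Added example, not WordPress core code: a stand-in for the pieces of core's
// capability mapping relevant to this ticket. All names below are assumptions.

// Post type whose capabilities are renamed (as with capability_type => 'book').
$ptype = (object) [
    'name' => 'book',
    'cap'  => (object) [
        'edit_post'         => 'edit_book',
        'edit_posts'        => 'edit_books',
        'edit_others_posts' => 'edit_others_books',
    ],
];

// Constructed data: one book, and a user who is its author but holds only the
// edit_books primitive capability (no edit_others_books).
$posts = [ 7 => [ 'post_type' => 'book', 'post_author' => 3, 'locked' => true ] ];
$user  = [ 'ID' => 3, 'allcaps' => [ 'edit_books' => true ] ];

// Stand-in for plugins hooked to 'user_has_cap'. A plugin written for the book
// type looks for its own meta capability name, 'edit_book', in $args[0]; it
// never sees a hard-coded 'edit_post'.
$user_has_cap_filters = [
    function ( array $allcaps, array $caps, array $args ) use ( $posts ) {
        [ $requested_cap, , $post_id ] = $args;
        // Hypothetical rule: a locked book may not be edited by anyone.
        if ( 'edit_book' === $requested_cap && ! empty( $posts[ $post_id ]['locked'] ) ) {
            foreach ( $caps as $primitive ) {
                $allcaps[ $primitive ] = false;
            }
        }
        return $allcaps;
    },
];

// Simplified map_meta_cap(): the generic 'edit_post' and the type's own meta
// capability name resolve to the same primitive capabilities, chosen by
// authorship, so both spellings "work" for the plain author check.
function map_meta_cap_stub( string $cap, int $user_id, int $post_id ): array {
    global $ptype, $posts;
    if ( 'edit_post' === $cap || $ptype->cap->edit_post === $cap ) {
        $post = $posts[ $post_id ];
        return [ $post['post_author'] == $user_id
            ? $ptype->cap->edit_posts
            : $ptype->cap->edit_others_posts ];
    }
    return [ $cap ];
}

// Simplified WP_User::has_cap(): map, run the filter with the requested
// capability name in $args, then require every primitive capability.
function has_cap_stub( array $user, string $cap, int $post_id ): bool {
    global $user_has_cap_filters;
    $caps    = map_meta_cap_stub( $cap, $user['ID'], $post_id );
    $allcaps = $user['allcaps'];
    foreach ( $user_has_cap_filters as $filter ) {
        $allcaps = $filter( $allcaps, $caps, [ $cap, $user['ID'], $post_id ] );
    }
    foreach ( $caps as $primitive ) {
        if ( empty( $allcaps[ $primitive ] ) ) {
            return false;
        }
    }
    return true;
}

// Check as _wp_translate_postdata() writes it today: the generic name.
echo "edit_post (hard-coded):   ", var_export( has_cap_stub( $user, 'edit_post', 7 ), true ), "\n";
// Check as the ticket proposes: the post type's own meta capability.
echo "ptype->cap->edit_post:    ", var_export( has_cap_stub( $user, $ptype->cap->edit_post, 7 ), true ), "\n";
// The primitive edit_others_posts check from the same function, which the
// author fails even though the meta capability would let them edit their own post.
echo "ptype->cap->edit_others_posts: ", var_export( has_cap_stub( $user, $ptype->cap->edit_others_posts, 7 ), true ), "\n";
```

Run with `php example.php`. The first check passes, because the plugin filter keyed on 'edit_book' never sees the hard-coded 'edit_post' and the author mapping alone lets the author through; the second is denied, because the filter receives the name the post type actually registered. The third line shows why the plain edit_others_posts primitive check is the wrong question for an author editing their own post: it is false here even though the meta capability resolves to edit_books, which the user holds.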
Attachments (3)
Change History (15)
#5 (12 years ago)
@danielbachhuber it would be really useful if you could help write some tests which show the issues you are having to add to the above tests.
#6 (12 years ago)
That patch shows that my tests are broken too, need to update them to create real posts for the update = true tests ;)
#9 (12 years ago)
- Resolution fixed deleted
- Status changed from closed to reopened
Chatted about this with westi in IRC. A few points:
- The second part of this bug report can be answered by (and further addressed in) #22415.
- [22769] looks good, but after it landed, I noticed that 'edit_post' could get away with being outside of the post_author == user_ID block, instead letting the meta capability handle that part. Of course, that check may still be necessary for $update = false (which I'll aim to eliminate in 3.6). So, re-opening for review.
I imagine this is in place for _wp_translate_postdata( false ), as in — when it is not used for an update.
wp_write_post() uses this, but this code is actually dead now and has been since auto-drafts were introduced, because edit_post() gets called right before it. For more on removing wp_write_post() and making this code more sane, see #21963.
If $update, we should be able to make the more informed capability checks you are proposing.