WordPress.org

Make WordPress Core

Opened 12 months ago

Last modified 12 months ago

#24153 new defect (bug)

Sticky flag gets unset if author doesn't have publish_posts permission

Reported by: archon810 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: major Version: 3.5.1
Component: Role/Capability Keywords:
Focuses: Cc:

Description

I'm observing a bug with the sticky flag. I set up a special user with a role of "Grammar Nazi" who should only have access to editing of other people's posts, but not publishing his own.

The permissions given to this role are:

  • edit_published_posts
  • edit_others_posts
  • edit_posts
  • read
  • read_private_posts

This user works out great - he's limited to only editing errors in other authors' posts.

However, there is a bug with sticky posts. If a grammar nazi edits a stickied post, the sticky flag gets unset. As a possibly related observation, there's no Edit button on the post edit page next to the Visibility area.

This bug is worked around by adding the publish_posts permission. However, this permission is unwanted in this case as grammar nazis shouldn't be able to post their own posts. Adding publish_posts enables the Edit button next to Visibility, and saves retain the sticky bit correctly.

So, in short: the sticky bit should be retained even when users without the publish_posts permission update a post.

Change History (3)

comment:1 archon81012 months ago

  • Cc admin@… added

comment:2 SergeyBiryukov12 months ago

Sticky flag indeed requires both publish_posts and edit_others_posts capabilities:
http://core.trac.wordpress.org/browser/tags/3.5.1/wp-admin/includes/meta-boxes.php#L127

Related: [8546], [8577], ticket:7457:19.

comment:3 archon81012 months ago

Thanks for tracking down the source references and the original ticket with relevant comments. It's clear that this is a bug at this point, right?

Note: See TracTickets for help on using tickets.