WordPress.org

Make WordPress Core

Opened 2 years ago

Last modified 3 months ago

#24280 accepted defect (bug)

Unit tests for mt_publishPost, blogger_newPost and mw_newPost

Reported by: fgauthier
Owned by: chriscct7
Milestone: Future Release
Priority: normal
Severity: normal
Version: 3.0
Component: XML-RPC
Keywords: needs-unit-tests
Focuses:
Cc:

Description

The mt_publishPost function requires both the publish_posts and edit_post privileges to publish a post.

Elsewhere, the publish_posts privilege is sufficient to publish a post.

Attachments (1)

24280.patch (1.1 KB) - added by chriscct7 4 months ago.

Change History (13)

comment:1 @markoheijnen 2 years ago

If I look at _insert_post(), which is used in the main XML-RPC methods, you will see both checks there too.

Guess you mean that with elsewhere? Or do you mean somewhere else in core?

comment:2 follow-up: @fgauthier 2 years ago

In fact, I meant functions like blogger_newPost($args) and mw_newPost($args) that do not check the edit_post privilege when the status of the new post is set to 'publish'.

In this context, it seemed strange to require the edit_post privilege to publish a post.

comment:3 @markoheijnen 2 years ago

wp.* methods are leading to me. So I'd rather fix blogger_newPost and mw_newPost if needed.

comment:4 @SergeyBiryukov 2 years ago

  • Version changed from trunk to 3.0.3

Introduced in [16802].

@chriscct7 4 months ago

comment:5 @chriscct7 4 months ago

  • Keywords has-patch needs-testing added
  • Milestone changed from Awaiting Review to 4.3

Fixes both permission issues

comment:6 @chriscct7 4 months ago

  • Owner set to chriscct7
  • Status changed from new to accepted

comment:7 @chriscct7 4 months ago

  • Version changed from 3.0.3 to 3.0

comment:8 in reply to: ↑ 2 ; follow-up: @johnbillion 4 months ago

  • Keywords close added; has-patch needs-testing removed

24280.patch has the opposite of the intended effect. It allows someone with either the edit_posts or publish_posts cap to publish a post.

Replying to fgauthier:

In fact, I meant functions like blogger_newPost($args) and mw_newPost($args) that do not check the edit_post privilege when the status of the new post is set to 'publish'.

blogger_newPost() and mw_newPost() both check the edit_posts cap too. Those functions, along with mt_publishPost(), all look correct to me. In order to publish a post, you also need the ability to edit that post.

I think this ticket is invalid.

comment:9 in reply to: ↑ 8 @chriscct7 4 months ago

  • Keywords has-patch added; close removed

Replying to johnbillion:

24280.patch has the opposite of the intended effect. It allows someone with either the edit_posts or publish_posts cap to publish a post.

That's the intention. In the comments it is noted the publish_post cap doesn't exist at that point.

comment:10 follow-up: @johnbillion 4 months ago

  • Keywords needs-unit-tests added; has-patch removed
  • Milestone changed from 4.3 to Future Release

Discussed with Chris. Definitely invalid.

However, we could do with some tests here to prove this, so if someone wants to write tests which cover these methods then that would be super. We have existing tests for much of XML-RPC but not for these methods.

comment:11 @chriscct7 4 months ago

  • Summary changed from Privilege check in mt_publishPost to Unit tests for mt_publishPost, blogger_newPost and mw_newPost

comment:12 in reply to: ↑ 10 @chriscct7 3 months ago

Replying to johnbillion:

Discussed with Chris. Definitely invalid.

However, we could do with some tests here to prove this, so if someone wants to write tests which cover these methods then that would be super. We have existing tests for much of XML-RPC but not for these methods.

Can we split that off into a new ticket?
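
Added example, not part of the ticket, the patch or WordPress core: a simplified Python model of the check discussed in this thread, comparing "publish_posts and edit_post are both required" with the "either capability is enough" behaviour that comment:8 attributes to 24280.patch. The role table is reduced to the default capabilities relevant here, `can_edit_post` is a rough stand-in for the edit_post meta capability, and the users and posts are constructed sample data.

```python
# Simplified model of WordPress capability checks (added example, not core code).
# Default primitive capabilities per role, limited to the ones relevant here.
ROLE_CAPS = {
    "subscriber": set(),
    "contributor": {"edit_posts"},
    "author": {"edit_posts", "edit_published_posts", "publish_posts"},
    "editor": {"edit_posts", "edit_others_posts", "edit_published_posts",
               "publish_posts"},
}

def can_edit_post(role, user, post):
    """Rough stand-in (assumption) for the 'edit_post' meta capability on one post."""
    needed = {"edit_posts"}
    if post["author"] != user:
        needed.add("edit_others_posts")      # someone else's post
    if post["status"] == "publish":
        needed.add("edit_published_posts")   # already published
    return needed <= ROLE_CAPS[role]

def may_publish_and(role, user, post):
    """Check the ticket describes: publish_posts AND edit_post are both required."""
    return "publish_posts" in ROLE_CAPS[role] and can_edit_post(role, user, post)

def may_publish_or(role, user, post):
    """Behaviour comment:8 attributes to the patch: either capability suffices."""
    return "publish_posts" in ROLE_CAPS[role] or can_edit_post(role, user, post)

# Constructed sample users (name -> role) and draft posts.
USERS = {"sam": "subscriber", "carol": "contributor",
         "alice": "author", "ed": "editor"}
POSTS = {"carol-draft": {"author": "carol", "status": "draft"},
         "alice-draft": {"author": "alice", "status": "draft"}}

def widened_grants():
    """(user, post) pairs that the OR check allows but the AND check denies."""
    return sorted((u, p) for u, r in USERS.items() for p, post in POSTS.items()
                  if may_publish_or(r, u, post)
                  and not may_publish_and(r, u, post))

if __name__ == "__main__":
    for user, post in widened_grants():
        print(f"{user} could publish {post} only under the OR check")
```

The two pairs it reports (a contributor publishing their own draft, an author publishing someone else's draft) are the role and post combinations that unit tests for these methods would need to cover.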