Make WordPress Core

Opened 11 years ago

Closed 9 years ago

#24280 closed defect (bug) (invalid)

Unit tests for mt_publishPost, blogger_newPost and mw_newPost

Reported by: fgauthier Owned by: chriscct7
Milestone: Priority: normal
Severity: normal Version: 3.0
Component: XML-RPC Keywords: needs-unit-tests
Focuses: Cc:

Description

The mt_publishPost function requires both the publish_posts and edit_post privileges to publish a post.

Elsewhere, the publish_posts privilege is sufficient to publish a post.

Attachments (1)

24280.patch (1.1 KB) - added by chriscct7 9 years ago.


Change History (14)

#1 @markoheijnen
11 years ago

If I look at _insert_post(), which is used in the main XML-RPC methods, you will see both checks there too.

Guess you mean that with elsewhere? Or do you mean somewhere else in core?

#2 follow-up: @fgauthier
11 years ago

In fact, I meant functions like blogger_newPost($args) and mw_newPost($args) that do not check the edit_post privilege when the status of the new post is set to 'publish'.

In this context, it seemed strange to require the edit_post privilege to publish a post.

#3 @markoheijnen
11 years ago

wp.* methods are leading to me. So I'd rather fix blogger_newPost and mw_newPost if needed.

#4 @SergeyBiryukov
11 years ago

  • Version changed from trunk to 3.0.3

Introduced in [16802].

@chriscct7
9 years ago

#5 @chriscct7
9 years ago

  • Keywords has-patch needs-testing added
  • Milestone changed from Awaiting Review to 4.3

Fixes both permission issues

#6 @chriscct7
9 years ago

  • Owner set to chriscct7
  • Status changed from new to accepted

#7 @chriscct7
9 years ago

  • Version changed from 3.0.3 to 3.0

#8 in reply to: ↑ 2 ; follow-up: @johnbillion
9 years ago

  • Keywords close added; has-patch needs-testing removed

24280.patch has the opposite of the intended effect. It allows someone with either the edit_posts or publish_posts cap to publish a post.

Replying to fgauthier:

In fact, I meant functions like blogger_newPost($args) and mw_newPost($args) that do not check the edit_post privilege when the status of the new post is set to 'publish'.

blogger_newPost() and mw_newPost() both check the edit_posts cap too. Those functions, along with mt_publishPost(), all look correct to me. In order to publish a post, you also need the ability to edit that post.

I think this ticket is invalid.


#9 in reply to: ↑ 8 @chriscct7
9 years ago

  • Keywords has-patch added; close removed

Replying to johnbillion:

24280.patch has the opposite of the intended effect. It allows someone with either the edit_posts or publish_posts cap to publish a post.

That's the intention. In the comments it is noted the publish_post cap doesn't exist at that point.


#10 follow-up: @johnbillion
9 years ago

  • Keywords needs-unit-tests added; has-patch removed
  • Milestone changed from 4.3 to Future Release

Discussed with Chris. Definitely invalid.

However, we could do with some tests here to prove this, so if someone wants to write tests which cover these methods then that would be super. We have existing tests for much of XML-RPC but not for these methods.

#11 @chriscct7
9 years ago

  • Summary changed from Privilege check in mt_publishPost to Unit tests for mt_publishPost, blogger_newPost and mw_newPost

#12 in reply to: ↑ 10 @chriscct7
9 years ago

Replying to johnbillion:

Discussed with Chris. Definitely invalid.

However, we could do with some tests here to prove this, so if someone wants to write tests which cover these methods then that would be super. We have existing tests for much of XML-RPC but not for these methods.

Can we split that off into a new ticket?

#13 @wonderboymusic
9 years ago

  • Milestone Future Release deleted
  • Resolution set to invalid
  • Status changed from accepted to closed
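
The difference between requiring both privileges and accepting either one, as discussed in comments 8 to 10, shown as an added example that is not part of the ticket and is not WordPress core code. It is a self-contained PHP model: the role sets are constructed, and `can_edit_post`, `may_publish_both`, `may_publish_either` and the `publisher_only` role are hypothetical names used only here.

```php
<?php
// Added illustration: a self-contained model, not WordPress core code.
// The role capability sets below are constructed for this example.
const ROLES = [
    'subscriber'     => [],
    'contributor'    => ['edit_posts'],
    'author'         => ['edit_posts', 'publish_posts'],
    'publisher_only' => ['publish_posts'], // hypothetical custom role
];

// Simplified stand-in for the per-post edit_post check (an assumption):
// own posts need edit_posts, other users' posts need edit_others_posts.
function can_edit_post(array $caps, int $user_id, array $post): bool {
    $needed = ($post['author'] === $user_id) ? 'edit_posts' : 'edit_others_posts';
    return in_array($needed, $caps, true);
}

// Both privileges required, as the ticket description states.
function may_publish_both(array $caps, int $user_id, array $post): bool {
    return in_array('publish_posts', $caps, true)
        && can_edit_post($caps, $user_id, $post);
}

// Either capability suffices, the behaviour comment 8 attributes to 24280.patch.
function may_publish_either(array $caps): bool {
    return in_array('publish_posts', $caps, true)
        || in_array('edit_posts', $caps, true);
}

// Constructed cases: [role, post author id, expected both, expected either].
// The acting user always has id 1.
$cases = [
    ['subscriber',     1, false, false],
    ['contributor',    1, false, true],
    ['author',         1, true,  true],
    ['author',         2, false, true],
    ['publisher_only', 1, false, true],
];

foreach ($cases as [$role, $post_author, $want_both, $want_either]) {
    $caps   = ROLES[$role];
    $both   = may_publish_both($caps, 1, ['author' => $post_author]);
    $either = may_publish_either($caps);
    if ($both !== $want_both || $either !== $want_either) {
        throw new RuntimeException("unexpected result for $role");
    }
    printf("%-15s post by user %d  both=%-5s either=%s\n", $role, $post_author,
        var_export($both, true), var_export($either, true));
}
```

A test suite for these XML-RPC methods would cover the same rows: each row where the two columns differ is a case the either-or condition would let through.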