WordPress.org

Make WordPress Core

Opened 8 years ago

Closed 8 years ago

Last modified 5 years ago

#27020 closed enhancement (fixed)

Use a safer capability default when post_author == 0

Reported by: danielbachhuber Owned by: nacin
Milestone: 3.9 Priority: normal
Severity: normal Version:
Component: Role/Capability Keywords: has-patch dev-feedback
Focuses: Cc:

Description

There are a few cases in which posts can get created without an assigned author:

  • WP-CLI needs a --user argument in order to set the user context for performing any action. It's easy to forget to do this.
  • WP-Cron performing, say, a syndication import can create posts without assigned authors if no author is explicitly identified when using wp_insert_post().
  • Co-Authors Plus supports creating posts without assigning a byline, as well as assigning a "guest author", which doesn't exist as a user entity and so no post_author assignment is made.

Although core doesn't explicitly support it via UI, there are valid ways in which posts can get created without an assigned author.

With that being said, a post without an assigned author currently can be edited by any user with edit_posts (ref). This means that contributors, often untrusted users within media companies, get more editing capabilities than expected.

I propose that changing the capability check to edit_others_posts when an author isn't assigned would be much safer. A concern is that this change will break some obscure use-case that's been possible for four years.

Genesis commit was r12053, although it looks like that problem should've been fixed higher up the stack.

Related #26659

Attachments (3)

27020.1.diff (3.7 KB) - added by danielbachhuber 8 years ago.
Change default edit, view, and trash capabilities for authorless posts to require editor equivalent or above
27020.tests.diff (1.2 KB) - added by danielbachhuber 8 years ago.
Tests for the patch
27020.2.diff (6.0 KB) - added by danielbachhuber 8 years ago.

Download all attachments as: .zip

Change History (10)

#1 follow-up: @nacin
8 years ago

  • Keywords needs-patch added; dev-feedback removed
  • Milestone changed from Awaiting Review to 3.9

Yeah, I've never been sure why we've defaulted to the current user when post_author = 0. I agree it should be edit_others_posts by default. I am wondering if we can change this without causing problems, but given the concerns of privilege escalation, I'm also not as worried about the side effects. Let's try it out.

#2 in reply to: ↑ 1 @westi
8 years ago

Replying to nacin:

Yeah, I've never been sure why we've defaulted to the current user when post_author = 0. I agree it should be edit_others_posts by default. I am wondering if we can change this without causing problems, but given the concerns of privilege escalation, I'm also not as worried about the side effects. Let's try it out.

It seems reasonable to try it out.

I'm not convinced that posts with an author of 0 work well in other ways too - I have a feeling there are comment moderation issues, if we are going to make them work better we should check all the different ways capability checks interact with post objects and create test cases for how we expect them to work.

@danielbachhuber
8 years ago

Change default edit, view, and trash capabilities for authorless posts to require editor equivalent or above

@danielbachhuber
8 years ago

Tests for the patch

#3 @danielbachhuber
8 years ago

  • Keywords has-patch dev-feedback added; needs-patch removed

Added patch and tests for edit_post, read_post, and delete_post.

Per westi's comment, *_post_metafalls back to map_meta_cap( 'edit_post' ), as does edit_comment. For the former, I don't foresee any problems with this change.

For the latter, an author can view comments on Manage Comments, but not edit unless they have edit permissions on the post. Editors can view and edit. Contributors can only view.

This behavior seems expected to me, but open to feedback and direction.

This ticket was mentioned in IRC in #wordpress-dev by nacin. View the logs.


8 years ago

#5 @danielbachhuber
8 years ago

27020.2.diff is a combined patch that also includes tests directly against map_meta_cap()

#6 @nacin
8 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 27390:

Don't default to current user for capability checks when dealing with a post without an author (post_author = 0).

Undoes [12053]. While it risks breakage, this is a far safer and saner default for these situations.

props danielbachhuber.
fixes #27020.

This ticket was mentioned in Slack in #core-restapi by jeremyfelt. View the logs.


5 years ago

Note: See TracTickets for help on using tickets.