#27020 closed enhancement (fixed)
Use a safer capability default when post_author == 0
Reported by: | danielbachhuber | Owned by: | nacin |
---|---|---|---|
Milestone: | 3.9 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Role/Capability | Keywords: | has-patch dev-feedback |
Focuses: | Cc: |
Description
There are a few cases in which posts can get created without an assigned author:
- WP-CLI needs a
--user
argument in order to set the user context for performing any action. It's easy to forget to do this. - WP-Cron performing, say, a syndication import can create posts without assigned authors if no author is explicitly identified when using
wp_insert_post()
. - Co-Authors Plus supports creating posts without assigning a byline, as well as assigning a "guest author", which doesn't exist as a user entity and so no
post_author
assignment is made.
Although core doesn't explicitly support it via UI, there are valid ways in which posts can get created without an assigned author.
With that being said, a post without an assigned author currently can be edited by any user with edit_posts
(ref). This means that contributors, often untrusted users within media companies, get more editing capabilities than expected.
I propose that changing the capability check to edit_others_posts
when an author isn't assigned would be much safer. A concern is that this change will break some obscure use-case that's been possible for four years.
Genesis commit was r12053, although it looks like that problem should've been fixed higher up the stack.
Related #26659
Attachments (3)
Change History (10)
#1
follow-up:
↓ 2
@
11 years ago
- Keywords needs-patch added; dev-feedback removed
- Milestone changed from Awaiting Review to 3.9
#2
in reply to:
↑ 1
@
11 years ago
Replying to nacin:
Yeah, I've never been sure why we've defaulted to the current user when post_author = 0. I agree it should be edit_others_posts by default. I am wondering if we can change this without causing problems, but given the concerns of privilege escalation, I'm also not as worried about the side effects. Let's try it out.
It seems reasonable to try it out.
I'm not convinced that posts with an author of 0 work well in other ways too - I have a feeling there are comment moderation issues, if we are going to make them work better we should check all the different ways capability checks interact with post objects and create test cases for how we expect them to work.
@
11 years ago
Change default edit, view, and trash capabilities for authorless posts to require editor equivalent or above
#3
@
11 years ago
- Keywords has-patch dev-feedback added; needs-patch removed
Added patch and tests for edit_post
, read_post
, and delete_post
.
Per westi's comment, *_post_meta
falls back to map_meta_cap( 'edit_post' )
, as does edit_comment
. For the former, I don't foresee any problems with this change.
For the latter, an author can view comments on Manage Comments, but not edit unless they have edit permissions on the post. Editors can view and edit. Contributors can only view.
This behavior seems expected to me, but open to feedback and direction.
This ticket was mentioned in IRC in #wordpress-dev by nacin. View the logs.
11 years ago
#5
@
11 years ago
27020.2.diff is a combined patch that also includes tests directly against map_meta_cap()
#6
@
11 years ago
- Owner set to nacin
- Resolution set to fixed
- Status changed from new to closed
In 27390:
Yeah, I've never been sure why we've defaulted to the current user when post_author = 0. I agree it should be edit_others_posts by default. I am wondering if we can change this without causing problems, but given the concerns of privilege escalation, I'm also not as worried about the side effects. Let's try it out.