#27452 closed defect (bug) (fixed)
Contributors can publish privately
Reported by: | plocha | Owned by: | nacin |
---|---|---|---|
Milestone: | 3.8.2 | Priority: | normal |
Severity: | normal | Version: | 2.7 |
Component: | Posts, Post Types | Keywords: | has-patch commit fixed-major |
Focuses: | ui | Cc: |
Description
If user doesn't own the 'publish_posts' capability, he can't set a post status to 'private' in edit screen even if he has the capabilities to edit this post. But in Quick Edit he can. The same problem appears with pages. You can check the problem with a user of the role 'contributor'.
In my humble opinion such a user should be able to set the status from draft to 'private' and vice versa.
Attachments (3)
Change History (16)
#1
@
11 years ago
A post with status 'private' is also published (as indicated on private.png
) and can be viewed by users with 'read_private_posts' capability. Moving to status 'private' is a publishing action.
I would not want my contributors to "publish" any draft post they have written as private, surprising my editors when they arrive and view the site. It seems to that Quick Edit is the place to fix this, if inconsistent.
#2
follow-up:
↓ 3
@
11 years ago
- Keywords needs-patch added
- Summary changed from Can't set status to 'private' without publishing capability to Contributors can publish privately
Okay thanks, I interpreted the private status incorrectly. In that case we shouldn't only implement the restriction in Quick Edit but also in edit processing. The latter should be done in wp_insert_post imho.
Btw I'm sure the server-side post edit processing contains more bugs of this type. That's the second time I found a input validation bug in wp_insert_post unintentionally.
#3
in reply to:
↑ 2
@
11 years ago
- Keywords has-patch added; needs-patch removed
Replying to knutsp:
It seems to that Quick Edit is the place to fix this, if inconsistent.
Exactly! All it takes is adding a "disabled" attribute to the checkbox element if the user does not have publish_post capability. Then checking user capability again when the form is submitted.
Replying to plocha:
...we shouldn't only implement the restriction in Quick Edit but also in edit processing. The latter should be done in wp_insert_post imho.
No capabilities are ever checked in wp_insert_post()
. It must be able function properly without restriction in order for remote procedure calls to work. In WordPress, capabilities are always verified at the user interface level, never at system calls.
We do need to check user capability when the form is submitted, disabling the form element is not enough, that can be easily circumvented. The first code to process quick edit submits is wp_ajax_inline_save()
. The patch checks user capability here.
Until now, it's not totally clear what steps to take to replicate this error. Here they are:
- Ensure the Contributor role only has the default capabilities: read, edit_posts, delete_posts
- Log in as a user with Contributor role and create a post, then submit for review.
- In the posts list table, open the post just created for quick edit.
- Check the "Private" checkbox and click Update
- The post is now published as a private post and is visible on the main index page to any logged in editor or administrator.
After applying the patch, contributors can see the private condition but cannot change it.
#5
@
11 years ago
- Milestone changed from Awaiting Review to 3.8.2
- Owner set to nacin
- Status changed from new to reviewing
- Version changed from 3.8.1 to 2.7
#11
@
11 years ago
[27990] looks a bit weird, but basically, $post_data holds information used for all posts being looped over. The information coming from _wp_translate_postdata() is specific to that post. If we overwrite it, things can happen like all subsequent posts getting published, if the initial post was already published, even if "No Change" was chosen during bulk edit.
Draft UI Lock