Make WordPress Core

Opened 10 years ago

Last modified 5 months ago

#29999 new defect (bug)

update post overwrites slug if current_user is contributor

Reported by: jnhghy
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: minor
Version: 4.0
Component: Posts, Post Types
Keywords: has-patch dev-feedback
Focuses:
Cc:

Description

The wp_update_post function calls wp_insert_post, which is located in wp-includes/post.php. In post.php, at lines 3168 - 3171, there is this code:

	        // Don't allow contributors to set the post slug for pending review posts.
	        if ( 'pending' == $post_status && !current_user_can( 'publish_posts' ) ) {
	                $post_name = '';
	        }


This will remove post_name if the current user is a contributor, without any message or notification. This creates an issue because scripts/plugins that use wp_update_post usually don't handle this case (the documentation doesn't cover this either - I would update the documentation, but I'm wondering if there's no other solution).

I don't see the issues that a contributor changing the slug would create (a contributor vs. an editor); does anybody?

Attachments (1)

29999.patch (2.1 KB) - added by deconf 10 years ago.


Change History (21)

#1 @jnhghy
10 years ago

  • Severity changed from normal to trivial

#2 @jayelebun
10 years ago

  • Keywords reporter-feedback added

Hey @jnhghy,

I went through in an attempt to reproduce. Here is a rundown of what I did trying to see if the post slug would disappear or if I would be blocked from updating the post slug as a contributor:

  1. Save test post as a draft as contributor.
  2. Changed the title and the post slug updated successfully. Save post as pending review.
  3. Logged in as admin. Published test post. The title and post slug changes persist. Now signing out to edit title and slug as a contributor.
  4. Unpublished as admin, logged in as contributor, still able to edit both the title and post slug and both persist on save draft. Not able to reproduce this error.

Could you provide some more steps on how you're running into this issue? Have you tested this on vanilla WP? For the installation where you're seeing this issue are there any other plugins dealing with permissions?

Thanks!

#3 @jnhghy
10 years ago

@jayelebun
Hi, thank you for your time spent on this.

Here are the steps I'm making to hit this issue:

1) Create post with contributor user and submit it for publish
2) Publish post with admin
3) Draft post with admin
4) Edit post with contributor and change slug, send for review
5) Edit post again with contributor (no slug changing option at this time), send for review again
6) Check post with admin, no slug changes will be seen

I haven't tested this with vanilla WP, sorry (I'm not familiar with vanilla WP, a link? Or is it the vanilla WP plugin?)

Let me know if you need any other info or if you can confirm this issue.
Thanks

This ticket was mentioned in Slack in #core by jnhghy.
10 years ago

#5 @SergeyBiryukov
10 years ago

  • Component changed from Role/Capability to Posts, Post Types

#6 @jnhghy
10 years ago

  • Keywords reporter-feedback removed

Also tested with a fresh install of WordPress; the issue is still there in WP 4.1.1.

#7 @deconf
10 years ago

I was able to replicate the issue.

29999.patch will allow contributors to edit the slug while a post is waiting for review.

Allowing contributors to edit slugs while a post is pending review also fixes this bug.

I can't see why a contributor should be restricted on changing the slug while the post is waiting for review, since he's allowed to edit it while the post is a Draft.

Last edited 10 years ago by deconf

#8 @ocean90
10 years ago

  • Type changed from feature request to enhancement

Introduced in [9055], #7805.

#9 @jnhghy
10 years ago

  • Type changed from enhancement to defect (bug)

Because of this issue, info is lost, so I'd leave its status as bug instead of enhancement.

Last edited 10 years ago by jnhghy

#10 @deconf
10 years ago

  • Focuses docs removed
  • Keywords has-patch dev-feedback added
  • Severity changed from trivial to minor

#11 @repenter
8 years ago

Guyz I reported this bug here: #37262

Are these bugs the same?

Last edited 8 years ago by SergeyBiryukov

#12 @SergeyBiryukov
8 years ago

#37262 was marked as a duplicate.

#14 @repenter
6 years ago

Seriously, no one wants to fix this issue in WordPress?

https://github.com/WordPress/gutenberg/issues/13857

This ticket was mentioned in Slack in #bbpress by netweb.
5 years ago

#16 @SergeyBiryukov
4 years ago

#46486 was marked as a duplicate.

This ticket was mentioned in Slack in #core-editor by gwwar.
4 years ago

#18 @helpingcat
4 years ago

Is the behavior here expected? From the code comment here, it looks intentional, but it'd be great if we could clarify for folks why we check for this. (For example, is this security related?)

https://github.com/WordPress/wordpress-develop/blob/22e2fce9032535f6b8826656c2ce6a765092af8e/src/wp-includes/post.php#L3898-L3908

#19 @brookedot
9 months ago

The field has been hidden in the block editor in https://github.com/WordPress/gutenberg/pull/46361

However, looking at this again, I am wondering if we should add a filter to allow contributors to edit the slug?

In other words, a filter that allows the conditional to return false.

Thoughts?

#20 @jrxbicycle
5 months ago

I am running into the issue of contributors accidentally resetting a custom slug to the post title when they submit for review (WP 6.6). It looks like it is being addressed in this pull request:

https://github.com/WordPress/gutenberg/pull/46361

But it hasn't been included in WP core yet. Does anyone know of a recommended workaround until it is included?
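
For the workaround asked about in comment #20, one option that leaves the capability check in place is to restore the slug already stored in the database whenever the check has blanked it. This is an added example, not code from WordPress core or from 29999.patch; the function name `example_keep_stored_slug` is hypothetical, and it assumes the `publish_posts` condition quoted in the description.

```php
<?php
/**
 * Plugin Name: Keep stored slug on pending updates (added example)
 *
 * Hypothetical mu-plugin, not WordPress core code. It does not let a
 * contributor choose a slug; it only stops an update from wiping the
 * slug that is already stored for the post.
 */

// wp_insert_post_data runs after wp_insert_post() has blanked $post_name.
add_filter( 'wp_insert_post_data', 'example_keep_stored_slug', 10, 2 );

function example_keep_stored_slug( $data, $postarr ) {
	// Only updates of an existing post are affected.
	$post_id = isset( $postarr['ID'] ) ? (int) $postarr['ID'] : 0;
	if ( 0 === $post_id ) {
		return $data;
	}

	// Same condition as the core check quoted in the description (assumption:
	// the site's core version still tests the publish_posts capability).
	if ( 'pending' !== $data['post_status'] || current_user_can( 'publish_posts' ) ) {
		return $data;
	}

	// Leave the value alone if core did not clear it.
	if ( '' !== $data['post_name'] ) {
		return $data;
	}

	$existing = get_post( $post_id );
	if ( $existing instanceof WP_Post && '' !== $existing->post_name ) {
		// Reuse the value from the database, never the submitted one.
		$data['post_name'] = $existing->post_name;
	}

	return $data;
}
```

Because the restored value comes from the existing row rather than from the request, a user without `publish_posts` still cannot set a new slug on a pending post.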
