WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#31760 closed defect (bug) (fixed)

Undefined index: post_status when previewing post.

Reported by: szaqal21 Owned by: boonebgorges
Milestone: 4.2 Priority: normal
Severity: normal Version: 4.1.1
Component: Posts, Post Types Keywords: has-patch
Focuses: Cc:

Description

If a user doesn't have capability to publish posts there is no select list for setting post status in edit form and when previewing post, function post_preview() throws: PHP Notice: Undefined index: post_status in .../wp-admin/includes/post.php on line 1606.

Attachments (1)

31760.patch (499 bytes) - added by tyxla 3 years ago.
When user has no publish_posts capability, check for post_status before using it.

Download all attachments as: .zip

Change History (8)

@tyxla
3 years ago

When user has no publish_posts capability, check for post_status before using it.

#1 follow-up: @tyxla
3 years ago

  • Keywords has-patch added

Since the user has no publishing capabilities, the post status box should definitely not be there. So that is working correctly IMO. However, the post_status had to be checked before used, which is addressed in the patch above.

Last edited 3 years ago by tyxla (previous) (diff)

#2 in reply to: ↑ 1 @boonebgorges
3 years ago

  • Milestone changed from Awaiting Review to 4.2

Replying to tyxla:

Since the user has no publishing capabilities, the post status box should definitely not be there. So that is working correctly IMO. However, the post_status had to be checked before used, which is addressed in the patch above.

Yes, this is correct. Note that it takes a pretty odd set of circumstances to get to this point: you have to be previewing a post that you did not write, and therefore you must have 'edit_others_posts' (perhaps among other caps), but you can't have 'publish_posts'.

#3 @boonebgorges
3 years ago

  • Owner set to boonebgorges
  • Resolution set to fixed
  • Status changed from new to closed

In 31896:

Check that $_POST array index is set before comparing it in post_preview().

This prevents PHP notices in cases where a user with 'edit_others_posts' but
without 'publish_posts' previews another user's posts.

Props tyxla.
Fixes #31760.

#4 @szaqal21
3 years ago

In my case it was the posts author that was previewing his pending post (from edit form, previewing from posts table doesn't produce a notice). It's not that odd :) I think.

#5 @jeremyclarke
3 years ago

Nice to see this was fixed. I'll add another important scenario: User doesn't have edit_others_posts OR publish_posts, but a plugin is using map_meta_cap to delegate selective access to specific posts (certainly something intended by the map_meta_cap system which passes the post_id and author_id around for just such delegation).

My use case is an add-on to Edit Flow that lets users who are ticked in "Notifiations" (subscribed to a post) also edit it so we don't have to promote every user to 'Editor' in order to let them work together on posts.

Related #30452

Last edited 3 years ago by jeremyclarke (previous) (diff)

#6 @szaqal21
3 years ago

  • Keywords close added

#7 @szaqal21
3 years ago

  • Keywords close removed
Note: See TracTickets for help on using tickets.