Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#31760 closed defect (bug) (fixed)

Undefined index: post_status when previewing post.

Reported by: szaqal21's profile szaqal21 Owned by: boonebgorges's profile boonebgorges
Milestone: 4.2 Priority: normal
Severity: normal Version: 4.1.1
Component: Posts, Post Types Keywords: has-patch
Focuses: Cc:

Description

If a user doesn't have capability to publish posts there is no select list for setting post status in edit form and when previewing post, function post_preview() throws: PHP Notice: Undefined index: post_status in .../wp-admin/includes/post.php on line 1606.

Attachments (1)

31760.patch (499 bytes) - added by tyxla 10 years ago.
When user has no publish_posts capability, check for post_status before using it.

Download all attachments as: .zip

Change History (8)

@tyxla
10 years ago

When user has no publish_posts capability, check for post_status before using it.

#1 follow-up: @tyxla
10 years ago

  • Keywords has-patch added

Since the user has no publishing capabilities, the post status box should definitely not be there. So that is working correctly IMO. However, the post_status had to be checked before used, which is addressed in the patch above.

Last edited 10 years ago by tyxla (previous) (diff)

#2 in reply to: ↑ 1 @boonebgorges
10 years ago

  • Milestone changed from Awaiting Review to 4.2

Replying to tyxla:

Since the user has no publishing capabilities, the post status box should definitely not be there. So that is working correctly IMO. However, the post_status had to be checked before used, which is addressed in the patch above.

Yes, this is correct. Note that it takes a pretty odd set of circumstances to get to this point: you have to be previewing a post that you did not write, and therefore you must have 'edit_others_posts' (perhaps among other caps), but you can't have 'publish_posts'.

#3 @boonebgorges
10 years ago

  • Owner set to boonebgorges
  • Resolution set to fixed
  • Status changed from new to closed

In 31896:

Check that $_POST array index is set before comparing it in post_preview().

This prevents PHP notices in cases where a user with 'edit_others_posts' but
without 'publish_posts' previews another user's posts.

Props tyxla.
Fixes #31760.

#4 @szaqal21
10 years ago

In my case it was the posts author that was previewing his pending post (from edit form, previewing from posts table doesn't produce a notice). It's not that odd :) I think.

#5 @jeremyclarke
10 years ago

Nice to see this was fixed. I'll add another important scenario: User doesn't have edit_others_posts OR publish_posts, but a plugin is using map_meta_cap to delegate selective access to specific posts (certainly something intended by the map_meta_cap system which passes the post_id and author_id around for just such delegation).

My use case is an add-on to Edit Flow that lets users who are ticked in "Notifiations" (subscribed to a post) also edit it so we don't have to promote every user to 'Editor' in order to let them work together on posts.

Version 0, edited 10 years ago by jeremyclarke (next)

#6 @szaqal21
10 years ago

  • Keywords close added

#7 @szaqal21
10 years ago

  • Keywords close removed
Note: See TracTickets for help on using tickets.