WordPress.org

Make WordPress Core

Opened 4 years ago

Last modified 4 months ago

#33453 assigned defect (bug)

Redundant checks in _wp_translate_postdata()

Reported by: loboyle Owned by: SergeyBiryukov
Milestone: Priority: normal
Severity: normal Version: 4.2.4
Component: Posts, Post Types Keywords: has-patch
Focuses: Cc:
PR Number:

Description

_wp_translate_postdata() checks whether the current user can edit_post for updates, then explicitly checks whether the current user can edit_others_posts if they're not the author of that post.

This checking is redundant, as the edit_post meta capability is already mapped to the appropriate edit_others_posts capability by map_meta_cap.

Generally this double handling is probably not harmful, but it does make it difficult to add additional checking around capabilities - the edit_post meta capability passes through the ID of the post being checked, while the generic edit_others_posts capability lacks this information.

In my case I'm allowing certain users to edit posts that don't belong to them, but not all - so I don't want to give them edit_others_posts, which would allow editing all of them, and instead selectively edit the required capabilities using the map_meta_cap filter. This works in most places (e.g. they get an edit link in the list of posts, they can go to the edit screen) but they cannot save changes because the double handling here makes it impossible to determine whether they have permission to edit that specific post or not.
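
The per-post delegation described above, as an added illustration that is not part of the ticket, the attached patch, or WordPress core: a map_meta_cap filter that lets listed users edit one specific post, plus a helper comparing the two checks. The meta key `_delegated_editor` and the `example_*` function names are hypothetical, and the sketch assumes the built-in `post` post type.

```php
<?php
// Added example. Hypothetical convention: each '_delegated_editor' post meta
// row on a post holds the ID of one user allowed to edit that single post.
const EXAMPLE_DELEGATE_META = '_delegated_editor';

function example_delegate_edit_post( $caps, $cap, $user_id, $args ) {
	// Only the per-post meta capability carries the post ID in $args[0].
	if ( 'edit_post' !== $cap || empty( $args[0] ) ) {
		return $caps;
	}
	$post = get_post( (int) $args[0] );
	if ( ! $post || (int) $post->post_author === (int) $user_id ) {
		return $caps; // Unknown post or the user's own post: default mapping.
	}
	$delegates = array_map( 'intval', get_post_meta( $post->ID, EXAMPLE_DELEGATE_META, false ) );
	if ( ! in_array( (int) $user_id, $delegates, true ) ) {
		return $caps; // Not delegated: edit_others_posts stays required.
	}
	// Delegated: require edit_posts in place of edit_others_posts. Any other
	// required caps (e.g. edit_published_posts) are left untouched, so the
	// user gains nothing beyond this one post.
	$caps   = array_diff( $caps, array( 'edit_others_posts' ) );
	$caps[] = 'edit_posts';
	return array_values( array_unique( $caps ) );
}
add_filter( 'map_meta_cap', 'example_delegate_edit_post', 10, 4 );

// Compare the two checks for the current user on one post.
function example_compare_checks( $post_id ) {
	return array(
		// Per-post check: reaches the filter above together with the post ID.
		'edit_post'         => current_user_can( 'edit_post', $post_id ),
		// Generic check: no post ID is passed, so the filter cannot tell
		// which post is being saved and the primitive cap is tested as-is.
		'edit_others_posts' => current_user_can( 'edit_others_posts' ),
	);
}
```

For a delegated user who holds edit_posts but not edit_others_posts, `example_compare_checks()` returns true for `edit_post` and false for `edit_others_posts`, which is the mismatch the description reports when saving.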

Attachments (1)

33453.patch (1.1 KB) - added by egill 4 years ago.
33453.patch


Change History (9)

#1 @egill
4 years ago

Are you referring to this check:
trunk/src/wp-admin/includes/post.php@:67-80#L67

Scanned it quickly and it does seem redundant, but I guess others can provide more insightful feedback :)

#2 @loboyle
4 years ago

Yes, that's the check. Didn't realise I could provide a handy link like that or I would have!

@egill
4 years ago

33453.patch

#3 @egill
4 years ago

Threw in a patch that removes the check, hope you don't mind:
33453.patch

#4 @loboyle
4 years ago

Hey, you're not going to hear me complain ;) I was waiting to hear feedback before putting up a patch, on the off chance that there is some subtle requirement for the double check that I had failed to understand.

#5 @egill
4 years ago

  • Keywords has-patch added

#7 @wonderboymusic
4 years ago

  • Owner set to SergeyBiryukov
  • Status changed from new to assigned

#8 @loboyle
4 years ago

The redundant code is still present in WP 4.4 beta 4; is there an intention to remove it for the WP 4.4 release?
