Opened 9 years ago
Closed 21 months ago
#33453 closed defect (bug) (duplicate)
Redundant checks in _wp_translate_postdata()
| Reported by: | loboyle | Owned by: | SergeyBiryukov |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.2.4 |
| Component: | Posts, Post Types | Keywords: | has-patch close |
| Focuses: | | Cc: | |
Description
_wp_translate_postdata() checks whether the current user can edit_post for updates, then explicitly checks whether the current user can edit_others_posts if they're not the author of that post.
This checking is redundant, as the edit_post meta capability is already mapped to the appropriate edit_others_posts capability by map_meta_cap.
Generally this double handling is probably not harmful, but it does make it difficult to add additional checking around capabilities - the edit_post meta capability passes through the ID of the post being checked, while the generic edit_others_posts capability lacks this information.
In my case I'm allowing certain users to edit posts that don't belong to them, but not all - so I don't want to give them edit_others_posts, which would allow editing all of them, and instead selectively edit the required capabilities using the map_meta_cap filter. This works in most places (e.g. they get an edit link in the list of posts, they can go to the edit screen) but they cannot save changes because the double handling here makes it impossible to determine whether they have permission to edit that specific post or not.
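The setup described in the report, as an added example that is not part of the original ticket or its patch: a `map_meta_cap` filter that grants `edit_post` on selected posts only, without handing out `edit_others_posts`. The meta key `_delegated_editors` and the function name `example_delegate_edit_post` are hypothetical; the code runs inside WordPress, for instance as a must-use plugin.

```php
<?php
/**
 * Added example, not WordPress core code and not the ticket's patch.
 * Assumption: the hypothetical post meta key '_delegated_editors' holds an
 * array of user IDs that may edit that one post.
 */
add_filter( 'map_meta_cap', 'example_delegate_edit_post', 10, 4 );

function example_delegate_edit_post( $caps, $cap, $user_id, $args ) {
	// Only the per-post meta capability carries a post ID in $args.
	if ( 'edit_post' !== $cap || empty( $args[0] ) ) {
		return $caps;
	}

	$post = get_post( (int) $args[0] );
	$type = $post ? get_post_type_object( $post->post_type ) : null;
	if ( ! $post || ! $type ) {
		return $caps;
	}

	$delegates = get_post_meta( $post->ID, '_delegated_editors', true );
	if ( ! is_array( $delegates )
		|| ! in_array( (int) $user_id, array_map( 'intval', $delegates ), true ) ) {
		return $caps; // Not delegated for this post: default mapping applies.
	}

	// Swap only the "others" requirement for the ordinary edit_posts
	// primitive. Status-based requirements (published, private) and any
	// 'do_not_allow' entry are left in place.
	foreach ( $caps as $i => $required ) {
		if ( $required === $type->cap->edit_others_posts ) {
			$caps[ $i ] = $type->cap->edit_posts;
		}
	}
	return array_unique( $caps );
}

// Per-post check: the post ID reaches the filter, so a delegate passes.
//   current_user_can( 'edit_post', $post_id );
// Primitive check of the kind the ticket describes: no post ID is passed,
// the filter cannot tell which post is meant, and the delegate fails.
//   current_user_can( 'edit_others_posts' );
```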
Attachments (1)
Change History (11)
#2 @ 9 years ago
Yes, that's the check. Didn't realise I could provide a handy link like that or I would have!
#3 @ 9 years ago
Threw in a patch that removes the check, hope you don't mind:
33453.patch
#4 @ 9 years ago
Hey, you're not going to hear me complain ;) I was waiting to hear feedback before putting up a patch, on the off chance that there is some subtle requirement for the double check that I had failed to understand.
#8 @ 9 years ago
The redundant code is still present in WP 4.4 beta 4; is there an intention to remove it for the WP 4.4 release?
Are you referring to this check:
trunk/src/wp-admin/includes/post.php@:67-80#L67
Scanned it quickly and it does seem redundant, but I guess others can provide more insightful feedback :)