Opened 2 years ago

Last modified 12 months ago

#35800 new defect (bug)

Preview button for CPT not working for user with limited Capabilities

Reported by: Webbverkstaden
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.4.1
Component: Posts, Post Types
Keywords: dev-feedback reporter-feedback
Focuses: administration
Cc:

Description

I have a CPT "platsannonser" that has the capability_type = post. This post type can be edited by a custom user type Admanager, with capabilities added/limited to this post type through the plugin "Press Permit Core". The Admanager users do not have the right to edit regular posts. I have tried adding that capability, but it made no difference.

The behavior described below happens when the post author is an Admin. If the post author is another user of the same type (Admanager), or another custom user type with similar or extended capabilities compared to the Admanager, everything works fine.

The user can preview a post via the Preview link in the posts list, and via the Permalink-link in the post editor, but not with the preview button on the editor.

When the Preview button is clicked AFTER the Permalink-link in the editor has been clicked (the post is a draft) and a Preview window/tab has opened, the Preview button works. But otherwise not.

When previewing works it opens with a URL like this: ~/?post_type=platsannons&p=5383&preview=true

When the preview button is clicked, the URL (that gives a 404) looks like this: ~/?post_type=platsannons&p=5383&preview_id=5383&preview_nonce=42d25b539b&post_format=standard&preview=true

The site is hosted at http://oderland.com. The behavior is there regardless of browser type.

Change History (4)

#1 @DrewAPicture
12 months ago

Seems like the nonce check is probably what's causing this behavior. Not to say that the nonce check shouldn't be in place (it should) but in this particular case it seems like there's a discrepancy in how preview actions are being handled – nonce only added by the preview button.

#2 @DrewAPicture
12 months ago

  • Keywords dev-feedback added

I wonder if @westonruter might have some insight here following his work on post customizer stuff that leverages preview nonces.

#3 @DrewAPicture
12 months ago

  • Summary changed from Preview button for CTP not working for user with limited Capabilities to Preview button for CPT not working for user with limited Capabilities

#4 @westonruter
12 months ago

  • Keywords reporter-feedback added

@DrewAPicture Actually, the Customize Posts plugin doesn't use the preview nonce since the data is part of the customizer changeset, and so the UUID is used instead.

@Webbverkstaden You'll want to look at the _set_preview() and _show_post_preview() functions.

But before that, you'll want to look at this line in WP_Query:

<?php
if ( $this->is_preview && $this->posts && current_user_can( $edit_cap, $this->posts[0]->ID ) ) {

It could be an issue with mapping the meta caps to the primitive caps in your CPT. It's looking at the edit_post meta cap (here stored in the $edit_cap variable).
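
Added example, not part of the ticket and not WordPress core or plugin code: a diagnostic for the meta-cap mapping mentioned in comment #4. For one user and one post it lists the primitive capabilities that edit_post resolves to and which of them the user lacks. It assumes WordPress is loaded and that the file is run through WP-CLI's eval-file; the function name explain_edit_cap() and the file name are hypothetical.

```php
<?php
// Added diagnostic sketch. Assumed invocation (WP-CLI):
//   wp eval-file explain-edit-cap.php <post_id> <user_login>

/**
 * Resolve the edit_post meta cap for one user and one post.
 * Returns the required primitive caps and the ones the user is missing.
 */
function explain_edit_cap( $post_id, $user_login ) {
	$post = get_post( (int) $post_id );
	$user = get_user_by( 'login', $user_login );
	if ( ! $post || ! $user ) {
		return new WP_Error( 'not_found', 'Unknown post ID or user login.' );
	}
	$type = get_post_type_object( $post->post_type );
	if ( ! $type ) {
		return new WP_Error( 'no_type', 'Post type is not registered.' );
	}

	// The post type's own name for the edit_post meta cap
	// (the value the ticket refers to as $edit_cap).
	$edit_cap = $type->cap->edit_post;

	// map_meta_cap() applies the 'map_meta_cap' filter, so changes made by
	// a permissions plugin are reflected in the result.
	$required = map_meta_cap( $edit_cap, $user->ID, $post->ID );

	$missing = array();
	foreach ( $required as $cap ) {
		// user_can() applies 'user_has_cap', so plugin-granted caps count.
		if ( ! user_can( $user, $cap ) ) {
			$missing[] = $cap;
		}
	}

	return array(
		'post_status'    => $post->post_status,
		'user_is_author' => ( (int) $post->post_author === (int) $user->ID ),
		'map_meta_cap'   => (bool) $type->map_meta_cap,
		'edit_cap'       => $edit_cap,
		'required'       => $required,
		'missing'        => $missing,
		'can_edit'       => user_can( $user, $edit_cap, $post->ID ),
	);
}

// WP-CLI's eval-file places positional arguments in $args.
if ( defined( 'WP_CLI' ) && WP_CLI && isset( $args[0], $args[1] ) ) {
	print_r( explain_edit_cap( $args[0], $args[1] ) );
}
```

Comparing the output for a post authored by an Admin with one authored by an Admanager shows whether the two cases resolve to different primitive capabilities.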
