Make WordPress Core

Opened 8 years ago

Closed 14 months ago

#35800 closed defect (bug) (invalid)

Preview button for CPT not working for user with limited Capabilities

Reported by: webbverkstaden's profile Webbverkstaden Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.4.1
Component: Posts, Post Types Keywords: reporter-feedback close
Focuses: administration Cc:

Description

I have a CPT "platsannonser" that has the capability_type = post. This post type can be edited by a custom user type Admanager, with capabilities added/limited to this post type through the plugin "Press Permit Core". The Admanager users does not have the right to edit regular post. I have tried adding that capability, but it made no difference.

The behavior described below happens when the post author is an Admin. If the post author is another user of the same type (Admanager), or another custom user type with similar or extended capabilities compared to the Admanager, everything works fine.

The user can preview a post via the Preview link in the posts list, and via the Permalink-link in the post editor, but not with the preview button on the editor.

When the Preview button is clicked AFTER the Permalink-link in the editor has been clicked (the post is a draft) and a Preview window/tab has opened, the Preview button works. But otherwise not.

When previewing works it opens with an URL like this:
~/?post_type=platsannons&p=5383&preview=true

When the preview button is clicked, the URL(that gives a 404) looks like this:
~/?post_type=platsannons&p=5383&preview_id=5383&preview_nonce=42d25b539b&post_format=standard&preview=true

The site is hosted at http://oderland.com. The behavior is there regardless of browser type.

Change History (6)

#1 @DrewAPicture
7 years ago

Seems like the nonce check is probably what's causing this behavior. Not to say that the nonce check shouldn't be in place (it should) but in this particular it seems like there's a discrepancy in how preview actions are being handled – nonce only added by the preview button.

#2 @DrewAPicture
7 years ago

  • Keywords dev-feedback added

I wonder if @westonruter might have some insight here following his work on post customizer stuff that leverages preview nonces.

#3 @DrewAPicture
7 years ago

  • Summary changed from Preview button for CTP not working for user with limited Capabilities to Preview button for CPT not working for user with limited Capabilities

#4 @westonruter
7 years ago

  • Keywords reporter-feedback added

@DrewAPicture Actually, the Customize Posts plugin actually doesn't use the preview nonce since the data is part of the customizer changeset, and so the UUID is used instead.

@Webbverkstaden You'll want to look at the _set_preview() and _show_post_preview() functions.

But before that, you'll want to look at this line in WP_Query:

<?php
if ( $this->is_preview && $this->posts && current_user_can( $edit_cap, $this->posts[0]->ID ) ) {

It could be an issue with mapping the meta caps to the primitive caps in your CPT. It's looking at the edit_post meta cap (here stored in the $edit_cap variable).

#5 @hellofromTonya
2 years ago

  • Keywords close added; dev-feedback removed

Hello @Webbverkstaden,

Welcome to WordPress Core's Trac!

Does this issue persists today? If yes, were you able to follow-up on suggestions Weston made? If this is still a problem today, please follow-up with more information to help contributors investigate.

Marking this ticket as a close candidate since it's there's been no activity for 4 years. Will close this ticket in a month if there's no follow-up (though it can be reopened later).

#6 @hellofromTonya
14 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Marking this ticket as a close candidate since it's there's been no activity for 4 years. Will close this ticket in a month if there's no follow-up (though it can be reopened later).

As there's been no follow-up of the reported issue for 16 months, closing this ticket.

@Webbverkstaden if the problem persists today, please feel free to reopen and provide more information to help contributors investigate.

Note: See TracTickets for help on using tickets.