Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #37917, comment 1


Timestamp: 09/05/2016 06:15:32 AM (5 years ago)
Author: akibjorklund

  • Ticket #37917, comment 1

    initial v1  
    55Users, who have the capability to `publish_posts`, but do not have `edit_published_posts`, can publish posts. They just can't edit them afterwards without the capability. Similarly, it makes sense that users cannot edit private posts afterwards without `edit_private_posts`. But alas, there is no separate `make_posts_private` (the equivalent to `publish_posts` for private posts).
    66
    7 When trying to publish or make posts private without `publish_posts` their status status is set to `pending` in `wp-admin/includes/post.php`. XML-RPC does it's own similar validation, but throws an error. [https://github.com/WP-API/WP-API/blob/develop/lib/endpoints/class-wp-rest-posts-controller.php#L880 REST API too requires `publish_posts`] for private status.
     7When trying to publish or make posts private without `publish_posts` their status status is set to `pending` in `wp-admin/includes/post.php`. XML-RPC does its own similar validation, but throws an error. [https://github.com/WP-API/WP-API/blob/develop/lib/endpoints/class-wp-rest-posts-controller.php#L880 REST API too requires `publish_posts`] for private status.
    88
    99So the `publish_posts` capability is used instead to also cover cases where status is changing to `private`. It makes sense, because if this capability is missing, none of the visibility choices would appear. For more fine-grained control, a new capability would have to be introduced. And that would have to be enforced in many more places than on the UI level. XML-RPC and REST API included.
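
Review bot: The modified line 7 in v1 still reads "their status status is set to `pending`", so the repeated word survives this edit even though "it's" was corrected to "its" in the same sentence group. Drop the second "status" in the same revision so the sentence describing the `wp-admin/includes/post.php` fallback reads cleanly.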