Changes between Initial Version and Version 1 of Ticket #37917, comment 1
Timestamp: 09/05/2016 06:15:32 AM (7 years ago)
Ticket #37917, comment 1
initial v1 5 5 Users, who have the capability to `publish_posts`, but do not have `edit_published_posts`, can publish posts. They just can't edit them afterwards without the capability. Similarly, it makes sense that users cannot edit private posts afterwards without `edit_private_posts`. But alas, there is no separate `make_posts_private` (the equivalent to `publish_posts` for private posts). 6 6 7 When trying to publish or make posts private without `publish_posts` their status status is set to `pending` in `wp-admin/includes/post.php`. XML-RPC does it 's own similar validation, but throws an error. [https://github.com/WP-API/WP-API/blob/develop/lib/endpoints/class-wp-rest-posts-controller.php#L880 REST API too requires `publish_posts`] for private status.7 When trying to publish or make posts private without `publish_posts` their status status is set to `pending` in `wp-admin/includes/post.php`. XML-RPC does its own similar validation, but throws an error. [https://github.com/WP-API/WP-API/blob/develop/lib/endpoints/class-wp-rest-posts-controller.php#L880 REST API too requires `publish_posts`] for private status. 8 8 9 9 So the `publish_posts` capability is used instead to also cover cases where status is changing to `private`. It makes sense, because if this capability is missing, none of the visibility choices would appear. For more fine-grained control, a new capability would have to be introduced. And that would have to be enforced in many more places than on the UI level. XML-RPC and REST API included.
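Review bot: line 7 of v1 still reads "their status status is set to `pending`"; the edit corrects "it 's" to "its" but leaves the duplicated word in place, so one "status" should be dropped in the same revision. The same sentence would also read more clearly with a comma after "without `publish_posts`", since the capability name currently runs straight into "their status".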