Make WordPress Core

#38483 closed defect (bug) (worksforme)

REST API: (CPT) Status handling doesn't account for edit_published_posts

Reported by: adamsilverstein
Owned by: rachelbaker
Milestone:
Priority: normal
Severity: normal
Version: 4.7
Component: REST API
Keywords: needs-patch needs-unit-tests
Focuses:
Cc:

Description

Moving this ticket over from GitHub: https://github.com/WP-API/WP-API/issues/2050.

JakePT commented on Jan 18:

I'm trying out the API for the first time, and am enjoying it greatly, but I've run into one issue that I can't seem to get around.

The issue is a mismatch between how wp-admin handles post editing capabilities and how the API does.

I have a Custom Post Type, item, and have map_meta_cap set to true, and capability_type set to array( 'item', 'items' ). I have given the Administrator role all the capabilities, but only given Editor edit_items, edit_others_items and edit_published_items. In wp-admin it works as expected: the user can edit existing Items, even ones created by others, but cannot publish new ones (only submit them for review), and they can't delete them. This is exactly what I want.

The problem is that with the API, when an Editor submits an update to an Item, if the model's status is set to publish, the API always checks for current_user_can( $post_type->cap->publish_posts ), even if the post was previously published.

Change History (3)

#1 @rachelbaker
20 months ago

  • Keywords needs-unit-tests added

#2 @rachelbaker
20 months ago

  • Owner set to rachelbaker
  • Status changed from new to assigned

#3 @rachelbaker
20 months ago

  • Milestone 4.7 deleted
  • Resolution set to worksforme
  • Status changed from assigned to closed

@adamsilverstein I cannot reproduce this locally. I think you are correct in the GH issue that the reporter's issue could be due to an unmapped edit_others_posts. I am going to close this ticket. We can re-open if the reporter gets back to you.
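
The following is an added example, not code from the ticket or from WordPress core: it registers the post type as the report describes it and lists which of the type's mapped primitive capabilities a role actually holds, which is the check needed to confirm or rule out the unmapped-capability explanation in comment #3. The `example_*` function names are hypothetical, and the `label`, `public` and `show_in_rest` arguments are assumptions the report does not state.

```php
<?php
// Added example. The example_* names are hypothetical, not WordPress APIs.

// Register the post type as described in the report. 'label', 'public'
// and 'show_in_rest' are assumed; the report only gives the last two args.
add_action( 'init', function () {
    register_post_type( 'item', array(
        'label'           => 'Items',
        'public'          => true,
        'show_in_rest'    => true,
        'map_meta_cap'    => true,
        'capability_type' => array( 'item', 'items' ),
    ) );
} );

// Grant the Editor role the three capabilities named in the report.
// add_cap() persists to the database, so call this once (e.g. on activation).
function example_grant_editor_item_caps() {
    $role = get_role( 'editor' );
    if ( ! $role ) {
        return;
    }
    foreach ( array( 'edit_items', 'edit_others_items', 'edit_published_items' ) as $cap ) {
        $role->add_cap( $cap );
    }
}

// For each generic capability of a post type, return the capability it is
// mapped to and whether the role has been granted that mapped capability.
function example_role_cap_report( $post_type, $role_name ) {
    $type = get_post_type_object( $post_type );
    $role = get_role( $role_name );
    if ( ! $type || ! $role ) {
        return array(); // Unknown post type or role.
    }
    // Meta capabilities are resolved per post by map_meta_cap(), never granted.
    $meta_caps = array( 'edit_post', 'read_post', 'delete_post' );
    $report    = array();
    foreach ( get_object_vars( $type->cap ) as $generic => $mapped ) {
        if ( in_array( $generic, $meta_caps, true ) ) {
            continue;
        }
        $report[ $generic ] = array(
            'mapped'  => $mapped,
            'granted' => $role->has_cap( $mapped ),
        );
    }
    return $report;
}
```

With the grants above, `example_role_cap_report( 'item', 'editor' )` reports `edit_published_posts` (mapped to `edit_published_items`) and `edit_others_posts` (mapped to `edit_others_items`) as granted and `publish_posts` (mapped to `publish_items`) as not granted; any other result points to a mapping or role setup that differs from the one the report describes.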
