Opened 18 months ago

Last modified 10 months ago

#38997 accepted defect (bug)

delete_private_posts capability doesn't prevent user from deleting private posts

Reported by: yboris
Owned by: johnbillion
Milestone: Future Release
Priority: normal
Severity: normal
Version: 4.6.1
Component: Role/Capability
Keywords: needs-patch needs-unit-tests
Focuses: administration
Cc:

Description

Attempting to prevent users from deleting a published post works, but if they set a post to 'private' they can delete it even if the 'delete_private_posts' capability is set to 0.

<?php
global $current_user;
// works
$current_user->allcaps['delete_published_posts'] = 0;
// doesn't work
$current_user->allcaps['delete_private_posts'] = 0;

"Doesn't work" means that the "Trash" link appears on hover over the post in edit.php and "Move to Trash" shows up on post.php.

Change History (2)

#1 @yboris
18 months ago

The above "global $current_user" was shorthand for:

<?php
$current_user = wp_get_current_user();
$current_user->allcaps['delete_published_posts'] = 0;
$current_user->allcaps['delete_private_posts'] = 0;

#2 @johnbillion
10 months ago

  • Component changed from Users to Role/Capability
  • Keywords needs-patch needs-unit-tests added
  • Milestone changed from Awaiting Review to Future Release
  • Owner set to johnbillion
  • Status changed from new to accepted

Thank you for your report, @yboris. Sorry that it's taken such a long time before anybody responded.

I'm looking into this as part of several other related fixes.
