Make WordPress Core

Opened 8 years ago

Closed 4 months ago

#42323 closed defect (bug) (worksforme)

Posts vs CPT user permissions issue

Reported by: bor0
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.9
Component: Role/Capability
Keywords: has-patch
Focuses: administration
Cc:

Description

We have the following use case:

  1. User does not have access to create new "Posts"
  2. User does have access to create new Product Submissions (CPT post type)

With these prerequisites, when the user clicks on "New Product Submission" from the list view (or the edit view), they get the No access message.

This happens because in core we check for edit.php no_priv instead of edit.php?post_type=product_submission.

Attachments (1)

42323.patch (3.6 KB) - added by bor0 8 years ago.


Change History (7)

@bor0
8 years ago

This ticket was mentioned in Slack in #core by bor0.


8 years ago

#2 @bor0
8 years ago

  • Keywords has-patch dev-feedback added

#3 @SergeyBiryukov
8 years ago

  • Component changed from Menus to Posts, Post Types
  • Focuses administration added
  • Owner set to SergeyBiryukov
  • Status changed from new to assigned

#4 @SergeyBiryukov
8 years ago

  • Owner SergeyBiryukov deleted

#5 @welcher
8 years ago

  • Keywords needs-unit-tests needs-testing added; dev-feedback removed

@bor0 thanks for the ticket and patch!

I think we need to be sure that the current unit tests pass and add one (if not already existing) that tests this use case exactly.

#6 @SirLouen
4 months ago

  • Component changed from Posts, Post Types to Role/Capability
  • Keywords needs-unit-tests needs-testing removed
  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from assigned to closed

Reproduction Report

Description

❌ This report can't validate that the issue can be reproduced.

Environment

  • WordPress: 6.9-alpha-60093-src
  • PHP: 8.2.29
  • Server: nginx/1.29.1
  • Database: mysqli (Server: 8.4.6 / Client: mysqlnd 8.2.29)
  • Browser: Chrome 140.0.0.0
  • OS: Windows 10/11
  • Theme: Twenty Twenty-Five 1.3
  • MU Plugins: None activated
  • Plugins:
    • BBB Testing Dolly
    • Test Reports 1.2.0
    • User Switching 1.10.0

Testing Instructions

  1. Added the code in supp artifacts
  2. The idea is to have a new role called Limited, which happens to have caps to edit, create and publish a CPT called Test, but no extra caps to publish regular Posts as suggested by OP
  3. 👌 User can publish posts

Actual Results

  1. ❌ Error condition occurs (reproduced).

Additional Notes

  • I'm closing this as it's not reproducible anymore.

Supplemental Artifacts

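<?php
// Register the 'test' CPT with its own capability type, so its primitive
// capabilities are edit_tests, publish_tests, etc. instead of the Posts ones.
add_action( 'init', function () {
        register_post_type( 'test', array(
                'label' => 'Test',
                'public' => true,
                'show_in_rest' => true,
                'capability_type' => array( 'test', 'tests' ),
                'map_meta_cap' => true,
                'supports' => array( 'title', 'editor' ),
        ) );
} );

// On activation, create the 'limited' role with 'read' plus the CPT
// capabilities below; it receives no Posts capabilities such as edit_posts.
register_activation_hook( __FILE__, function () {
        add_role( 'limited', 'Limited', array( 'read' => true ) );
        $role = get_role( 'limited' );
        if ( $role ) {
                $role->add_cap( 'edit_tests' );
                $role->add_cap( 'edit_test' );
                $role->add_cap( 'create_tests' );
                $role->add_cap( 'publish_tests' );
        }
} );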
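
To check that a setup like the one above really matches the ticket's use case (CPT access without Posts access), the following added example, which is not part of the ticket or of WordPress core, lists the primitive capability each post type action maps to and whether the role holds it. The function names and the file name are hypothetical; it assumes the `test` post type and `limited` role above are registered and that it runs inside WordPress, for example through WP-CLI's `wp eval-file`.

```php
<?php
// Added example, not from the ticket. Run inside WordPress, e.g.
// `wp eval-file cap-audit.php` (cap-audit.php is a hypothetical file name).
// Assumes the 'test' post type and 'limited' role from the snippet above exist.

/**
 * For each post type action, report the primitive capability it maps to
 * and whether the role holds that capability.
 */
function audit_role_against_post_type( string $role_name, string $post_type ): array {
	$role = get_role( $role_name );
	$pto  = get_post_type_object( $post_type );
	if ( ! $role || ! $pto ) {
		return array(); // Role or post type is not registered.
	}

	$report = array();
	// create_posts falls back to the edit_posts capability unless the post type
	// overrides it through the 'capabilities' argument of register_post_type().
	foreach ( array( 'create_posts', 'edit_posts', 'publish_posts' ) as $action ) {
		$primitive         = $pto->cap->$action;
		$report[ $action ] = array(
			'maps_to' => $primitive,
			'granted' => $role->has_cap( $primitive ),
		);
	}
	return $report;
}

/**
 * Capabilities granted to the role that the post type never maps to.
 * Core's capability checks for that post type do not consult them.
 */
function unmapped_role_caps( string $role_name, string $post_type ): array {
	$role = get_role( $role_name );
	$pto  = get_post_type_object( $post_type );
	if ( ! $role || ! $pto ) {
		return array();
	}
	$granted = array_keys( array_filter( $role->capabilities ) );
	return array_values( array_diff( $granted, array_values( (array) $pto->cap ) ) );
}

// Compare the custom post type with regular Posts for the same role.
foreach ( array( 'test', 'post' ) as $type ) {
	foreach ( audit_role_against_post_type( 'limited', $type ) as $action => $row ) {
		printf( "%-5s %-14s -> %-14s %s\n", $type, $action, $row['maps_to'], $row['granted'] ? 'granted' : 'missing' );
	}
}
echo 'Unmapped caps on limited/test: ', implode( ', ', unmapped_role_caps( 'limited', 'test' ) ), "\n";
```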