#42464 closed defect (bug) (fixed)
Replace `publish_posts` permission check in `wp_insert_post()`.
Reported by: | peterwilsoncc | Owned by: | johnbillion |
---|---|---|---|
Milestone: | 5.1 | Priority: | normal |
Severity: | normal | Version: | 2.7 |
Component: | Role/Capability | Keywords: | has-patch has-unit-tests commit |
Focuses: | Cc: |
Description
`wp_insert_post()` includes a permission check to prevent contributors from setting the slug:

```php
// Don't allow contributors to set the post slug for pending review posts.
if ( 'pending' == $post_status && ! current_user_can( 'publish_posts' ) ) {
	$post_name = '';
}
```
To ensure WP is checking permissions against the correct post type, the check should be changed to the following for new posts:

`current_user_can( get_post_type_object( /**/ )->cap->publish_posts )`

For post updates, the check should be changed to:

`current_user_can( 'publish_post', $postID )`
Tests will need to include:
- CPTs mapping meta caps
- CPTs not mapping meta caps
- CPTs using custom caps (eg `cpt_publish_posts`) with various user roles
- CPTs not using custom caps
- core post types
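As an added example (not core code and not the ticket's patch), the quoted check beside the proposed one, run against stubbed capability data so the two cases the ticket's tests describe can be reproduced outside WordPress. `current_user_can()`, `get_post_type_object()`, the `book` post type and post ID 7 are stand-ins.

```php
<?php
// Added example, not WordPress core code: current_user_can() and
// get_post_type_object() are minimal stubs standing in for the WP API.

// Constructed fixtures: the CPT 'book' is registered with capability_type
// 'cpt', so its publish cap is 'cpt_publish_posts'; post ID 7 is a 'book'.
$GLOBALS['publish_caps']      = [ 'post' => 'publish_posts', 'book' => 'cpt_publish_posts' ];
$GLOBALS['post_type_of']      = [ 7 => 'book' ];
$GLOBALS['current_user_caps'] = [];

function get_post_type_object( $post_type ) {
	$cap = $GLOBALS['publish_caps'][ $post_type ];
	return (object) [ 'cap' => (object) [ 'publish_posts' => $cap ] ];
}

function current_user_can( $cap, $post_ID = 0 ) {
	// Stub of map_meta_cap(): the meta cap 'publish_post' resolves to the
	// primitive publish cap of the post's own type.
	if ( 'publish_post' === $cap ) {
		$type = $GLOBALS['post_type_of'][ $post_ID ];
		$cap  = get_post_type_object( $type )->cap->publish_posts;
	}
	return ! empty( $GLOBALS['current_user_caps'][ $cap ] );
}

// Check as quoted in the ticket: always tests the core 'publish_posts' cap,
// whatever the post type. Returns true when the user may keep the slug.
function slug_allowed_old( $post_status ) {
	return ! ( 'pending' == $post_status && ! current_user_can( 'publish_posts' ) );
}

// Proposed check: primitive cap of the post type for new posts, the
// 'publish_post' meta cap with the post ID for updates.
function slug_allowed_new( $post_status, $post_type, $post_ID = 0 ) {
	if ( 'pending' !== $post_status ) {
		return true;
	}
	if ( $post_ID ) {
		return current_user_can( 'publish_post', $post_ID );
	}
	return current_user_can( get_post_type_object( $post_type )->cap->publish_posts );
}

// A user holding only the core 'publish_posts' cap: the old check lets them
// set the slug on a pending 'book' although they lack the CPT's own cap.
$GLOBALS['current_user_caps'] = [ 'publish_posts' => true ];
var_dump( slug_allowed_old( 'pending' ), slug_allowed_new( 'pending', 'book' ), slug_allowed_new( 'pending', 'book', 7 ) );

// A user holding only 'cpt_publish_posts': the old check wrongly blocks them.
$GLOBALS['current_user_caps'] = [ 'cpt_publish_posts' => true ];
var_dump( slug_allowed_old( 'pending' ), slug_allowed_new( 'pending', 'book', 7 ) );
```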
Attachments (4)
Change History (15)
#2 (7 years ago)
- Keywords has-patch has-unit-tests added; needs-unit-tests removed
@skostadinov Thanks for your initial patch; unfortunately it's a little more complex, as we need to allow for new and updated posts and custom post types.
In 42464.diff:
- when updating posts, the meta capability is checked with the post ID
- for new posts, the primitive capability is checked for the post type
Various tests:
- CPTs with and without mapped meta caps, both use custom capability types
- contributor setting the post slug of a core `post` post type
- administrator attempting to set the post slug of a CPT in which they don't have permissions (this would previously fail)
#3 (7 years ago)
- Keywords commit added
In 42464.2.diff:
- Refreshed against coding standards
- Updated to include @johnbillion's feedback
#5 (7 years ago)
42464.3.diff adds a `tearDownAfterClass()` method to remove the post type caps added to the admin role. Without this, the `Tests_User_Capabilities::test_all_caps_of_users_are_being_tested()` and `Tests_User_Capabilities::testPrimitiveCapsTestsAreCorrect()` tests rightly fail. Also tweaked the test names and switched to `assertSame()` as we're dealing with empty strings.
#7 (6 years ago)
- Milestone changed from 5.0 to 5.0.1
- Resolution fixed deleted
- Status changed from closed to reopened
I changed the `current_user_can` with the `post_ID`.