
Opened 21 months ago

Closed 7 months ago

#42464 closed defect (bug) (fixed)

Replace `publish_posts` permission check in `wp_insert_post()`.

Reported by: peterwilsoncc
Owned by: johnbillion
Milestone: 5.1
Priority: normal
Severity: normal
Version: 2.7
Component: Role/Capability
Keywords: has-patch has-unit-tests commit
Focuses:
Cc:

Description

wp_insert_post() includes a permission check to prevent contributors from setting the slug:

// Don't allow contributors to set the post slug for pending review posts.
if ( 'pending' == $post_status && ! current_user_can( 'publish_posts' ) ) {
	$post_name = '';
}

To ensure WP is checking permissions against the correct post type, the check should be changed to the following for new posts:

current_user_can( get_post_type_object( /**/ )->cap->publish_posts )

For post updates, the check should be changed to:

current_user_can( 'publish_post', $postID )

Tests will need to include:

  • CPTs mapping meta caps
  • CPTs not mapping meta caps
  • CPTs using custom caps (eg cpt_publish_posts) with various user roles
  • CPTs not using custom caps
  • core post types

Attachments (4)

42464.patch (499 bytes) - added by skostadinov 20 months ago.
I changed the current_user_can with the post_ID.
42464.diff (6.1 KB) - added by peterwilsoncc 20 months ago.
42464.2.diff (6.1 KB) - added by peterwilsoncc 20 months ago.
42464.3.diff (6.3 KB) - added by johnbillion 20 months ago.

Change History (14)

@skostadinov
20 months ago

I changed the current_user_can with the post_ID.

#1 @skostadinov
20 months ago

  • Keywords needs-patch removed

#2 @peterwilsoncc
20 months ago

  • Keywords has-patch has-unit-tests added; needs-unit-tests removed

@skostadinov Thanks for your initial patch, unfortunately it's a little more complex as we need to allow for new and updated posts and custom post types.

In 42464.diff:

  • when updating posts, the meta capability is checked with the post ID
  • for new posts, the primitive capability is checked for the post type

Various tests:

  • CPTs with and without mapped meta caps, both use custom capability types
  • contributor setting the post slug of a core post type
  • administrator attempting to set the post slug of a CPT in which they don't have permissions (this would previously fail)
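The cases listed in the ticket description and in this comment, as an added example that is not the ticket's patch and not WordPress core's own test suite: a WP_UnitTestCase class that drives wp_insert_post() and wp_update_post() with a pending status and asserts on the resulting post_name. It assumes the WordPress PHPUnit suite (WP_UnitTestCase, the user factory, the setUp()/tearDown() names in use at the time of this ticket). The post type `ticket_cpt`, its capability type `ticket_cpt`/`ticket_cpts` and the resulting primitive cap `publish_ticket_cpts` are constructed for this example; the capability added to the administrator role is removed again in tearDown() for the reason given later in the ticket (the capability-coverage tests in Tests_User_Capabilities fail if a test leaves extra caps on a core role).

```php
<?php
/**
 * Added example, not part of the ticket or of core: exercises the corrected
 * slug permission check in wp_insert_post() against a core post type and a
 * custom post type with its own capability type.
 */
class Tests_Example_Post_Slug_Caps extends WP_UnitTestCase {

	public function setUp() {
		parent::setUp();
		// Constructed CPT: cap->publish_posts resolves to 'publish_ticket_cpts',
		// a primitive cap no core role holds by default.
		register_post_type(
			'ticket_cpt',
			array(
				'public'          => true,
				'capability_type' => array( 'ticket_cpt', 'ticket_cpts' ),
				'map_meta_cap'    => true,
			)
		);
	}

	public function tearDown() {
		unregister_post_type( 'ticket_cpt' );
		// Never leave a test-only cap on a core role; it leaks into other tests.
		get_role( 'administrator' )->remove_cap( 'publish_ticket_cpts' );
		parent::tearDown();
	}

	/** A contributor cannot set the slug of a pending core post. */
	public function test_contributor_cannot_set_pending_post_slug() {
		wp_set_current_user( self::factory()->user->create( array( 'role' => 'contributor' ) ) );
		$post_id = wp_insert_post(
			array(
				'post_type'   => 'post',
				'post_status' => 'pending',
				'post_title'  => 'Pending post',
				'post_name'   => 'wanted-slug',
			)
		);
		$this->assertSame( '', get_post( $post_id )->post_name );
	}

	/**
	 * An administrator who lacks the CPT's publish cap gets the same treatment
	 * as a contributor for that post type. Before the fix the generic
	 * 'publish_posts' cap would have let the slug through.
	 */
	public function test_admin_without_cpt_cap_cannot_set_slug() {
		wp_set_current_user( self::factory()->user->create( array( 'role' => 'administrator' ) ) );
		$post_id = wp_insert_post(
			array(
				'post_type'   => 'ticket_cpt',
				'post_status' => 'pending',
				'post_title'  => 'Pending CPT item',
				'post_name'   => 'wanted-slug',
			)
		);
		$this->assertSame( '', get_post( $post_id )->post_name );
	}

	/** Granting the post-type-specific primitive cap is what allows the slug. */
	public function test_admin_with_cpt_cap_can_set_and_update_slug() {
		// Grant the cap before creating the user so the user's caps include it.
		get_role( 'administrator' )->add_cap( 'publish_ticket_cpts' );
		wp_set_current_user( self::factory()->user->create( array( 'role' => 'administrator' ) ) );

		// New post: the post type's primitive cap (cap->publish_posts) is checked.
		$post_id = wp_insert_post(
			array(
				'post_type'   => 'ticket_cpt',
				'post_status' => 'pending',
				'post_title'  => 'Pending CPT item',
				'post_name'   => 'wanted-slug',
			)
		);
		$this->assertSame( 'wanted-slug', get_post( $post_id )->post_name );

		// Update: the meta cap 'publish_post' is checked against this post ID;
		// map_meta_cap() resolves it to the same 'publish_ticket_cpts' primitive.
		wp_update_post(
			array(
				'ID'          => $post_id,
				'post_status' => 'pending',
				'post_name'   => 'updated-slug',
			)
		);
		$this->assertSame( 'updated-slug', get_post( $post_id )->post_name );
	}
}
```

The slug survives only in the last test because wp_unique_post_slug() leaves pending posts' slugs untouched and the user holds the post-type-specific cap; in the other two the corrected check clears post_name before the row is written, which is the behaviour the ticket asks for.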

#3 @peterwilsoncc
20 months ago

  • Keywords commit added

In 42464.2.diff:

  • Refreshed against coding standards
  • Updated to include @johnbillion's feedback

#4 @johnbillion
20 months ago

  • Owner set to johnbillion
  • Status changed from new to reviewing

#5 @johnbillion
20 months ago

42464.3.diff adds a tearDownAfterClass() method to remove the post type caps added to the admin role. Without this, the Tests_User_Capabilities::test_all_caps_of_users_are_being_tested() and Tests_User_Capabilities::testPrimitiveCapsTestsAreCorrect() rightly fail. Also tweaked the test names and switched to assertSame() as we're dealing with empty strings.

#6 @johnbillion
20 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 42380:

Role/Capability: When checking capabilities before setting a post slug, ensure the correct post type capabilities are used.

Previously, only the publish_posts capability was checked. Now, the correct meta or primitive capability for the post type is used where appropriate.

Props peterwilsoncc

Fixes #42464

#7 @johnbillion
9 months ago

  • Milestone changed from 5.0 to 5.0.1
  • Resolution fixed deleted
  • Status changed from closed to reopened

#8 @pento
7 months ago

  • Milestone changed from 5.0.1 to 5.0.2

#9 @pento
7 months ago

  • Milestone changed from 5.0.2 to 5.0.3

#10 @peterwilsoncc
7 months ago

  • Milestone changed from 5.0.3 to 5.1
  • Resolution set to fixed
  • Status changed from reopened to closed

Bumping this back to 5.1 as it is scheduled to be released very soon and 5.0.3 is intended to be for bug fixes rather than bug fixes and minor enhancements.