Make WordPress Core

Opened 7 years ago

Closed 5 years ago

Last modified 3 years ago

#42464 closed defect (bug) (fixed)

Replace `publish_posts` permission check in `wp_insert_post()`.

Reported by: peterwilsoncc's profile peterwilsoncc Owned by: johnbillion's profile johnbillion
Milestone: 5.1 Priority: normal
Severity: normal Version: 2.7
Component: Role/Capability Keywords: has-patch has-unit-tests commit
Focuses: Cc:


wp_insert_post() includes a permission check to prevent contributors from setting the slug:

// Don't allow contributors to set the post slug for pending review posts.
if ( 'pending' == $post_status && ! current_user_can( 'publish_posts' ) ) {
	$post_name = '';

To ensure WP is checking permissions against the correct post type, the check should be changed to the following for new posts:

current_user_can( get_post_type_object( /**/ )->cap->publish_posts )

For post updates, the check should be changed to:

current_user_can( 'publish_post', $postID )

Tests will need to include:

  • CPTs mapping meta caps
  • CPTs not mapping meta caps
  • CPTs using custom caps (eg cpt_publish_posts) with various user roles
  • CPTs not using custom caps
  • core post types

Attachments (4)

42464.patch (499 bytes) - added by skostadinov 7 years ago.
I changed the current_user_can with the post_ID.
42464.diff (6.1 KB) - added by peterwilsoncc 7 years ago.
42464.2.diff (6.1 KB) - added by peterwilsoncc 6 years ago.
42464.3.diff (6.3 KB) - added by johnbillion 6 years ago.

Download all attachments as: .zip

Change History (15)

7 years ago

I changed the current_user_can with the post_ID.

#1 @skostadinov
7 years ago

  • Keywords needs-patch removed

7 years ago

#2 @peterwilsoncc
7 years ago

  • Keywords has-patch has-unit-tests added; needs-unit-tests removed

@skostadinov Thanks for your initial patch, unfortunately it's a little more complex as we need to allow for new and updated posts and custom post types.

In 42464.diff:

  • when updating posts, the meta capability is checked with the post ID
  • for new posts, the primitive capability is checked for the post type

Various tests:

  • CPTs with and without mapped meta caps, both use custom capability types
  • contributor setting the post slug of a core post post type
  • administrator attempting to set the post slug of a CPT in which they don't have permissions (this would previously fail)

#3 @peterwilsoncc
6 years ago

  • Keywords commit added

In 42464.2.diff:

  • Refreshed against coding standards
  • Updated to include @johnbillion's feedback

6 years ago

#4 @johnbillion
6 years ago

  • Owner set to johnbillion
  • Status changed from new to reviewing

#5 @johnbillion
6 years ago

42464.3.diff adds a tearDownAfterClass() method to remove the post type caps added to the admin role. Without this, the Tests_User_Capabilities::test_all_caps_of_users_are_being_tested() and Tests_User_Capabilities::testPrimitiveCapsTestsAreCorrect() rightly fail. Also tweaked the test names and switched to assertSame() as we're dealing with empty strings.

#6 @johnbillion
6 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 42380:

Role/Capability: When checking capabilities before setting a post slug, ensure the correct post type capabilities are used.

Previously, only the publish_posts capability was checked. Now, the correct meta or primitive capability for the post type is used where appropriate.

Props peterwilsoncc

Fixes #42464

#7 @johnbillion
6 years ago

  • Milestone changed from 5.0 to 5.0.1
  • Resolution fixed deleted
  • Status changed from closed to reopened

#8 @pento
5 years ago

  • Milestone changed from 5.0.1 to 5.0.2

#9 @pento
5 years ago

  • Milestone changed from 5.0.2 to 5.0.3

#10 @peterwilsoncc
5 years ago

  • Milestone changed from 5.0.3 to 5.1
  • Resolution set to fixed
  • Status changed from reopened to closed

Bumping this back to 5.1 is scheduled to be released very soon and 5.0.3 is intended to be for bug fixes rather than bug fixes and minor enhancements.

#11 @johnbillion
3 years ago

#52023 was marked as a duplicate.

Note: See TracTickets for help on using tickets.