Make WordPress Core

Opened 4 months ago

Closed 3 months ago

#42464 closed defect (bug) (fixed)

Replace `publish_posts` permission check in `wp_insert_post()`.

Reported by: peterwilsoncc Owned by: johnbillion
Milestone: 5.0 Priority: normal
Severity: normal Version: 2.7
Component: Role/Capability Keywords: has-patch has-unit-tests commit
Focuses: Cc:


wp_insert_post() includes a permission check to prevent contributors from setting the slug:

// Don't allow contributors to set the post slug for pending review posts.
if ( 'pending' == $post_status && ! current_user_can( 'publish_posts' ) ) {
	$post_name = '';

To ensure WP is checking permissions against the correct post type, the check should be changed to the following for new posts:

current_user_can( get_post_type_object( /**/ )->cap->publish_posts )

For post updates, the check should be changed to:

current_user_can( 'publish_post', $postID )

Tests will need to include:

  • CPTs mapping meta caps
  • CPTs not mapping meta caps
  • CPTs using custom caps (eg cpt_publish_posts) with various user roles
  • CPTs not using custom caps
  • core post types

Attachments (4)

42464.patch (499 bytes) - added by skostadinov 4 months ago.
I changed the current_user_can with the post_ID.
42464.diff (6.1 KB) - added by peterwilsoncc 4 months ago.
42464.2.diff (6.1 KB) - added by peterwilsoncc 4 months ago.
42464.3.diff (6.3 KB) - added by johnbillion 3 months ago.

Download all attachments as: .zip

Change History (10)

4 months ago

I changed the current_user_can with the post_ID.

#1 @skostadinov
4 months ago

  • Keywords needs-patch removed

4 months ago

#2 @peterwilsoncc
4 months ago

  • Keywords has-patch has-unit-tests added; needs-unit-tests removed

@skostadinov Thanks for your initial patch, unfortunately it's a little more complex as we need to allow for new and updated posts and custom post types.

In 42464.diff:

  • when updating posts, the meta capability is checked with the post ID
  • for new posts, the primitive capability is checked for the post type

Various tests:

  • CPTs with and without mapped meta caps, both use custom capability types
  • contributor setting the post slug of a core post post type
  • administrator attempting to set the post slug of a CPT in which they don't have permissions (this would previously fail)

#3 @peterwilsoncc
4 months ago

  • Keywords commit added

In 42464.2.diff:

  • Refreshed against coding standards
  • Updated to include @johnbillion's feedback

3 months ago

#4 @johnbillion
3 months ago

  • Owner set to johnbillion
  • Status changed from new to reviewing

#5 @johnbillion
3 months ago

42464.3.diff adds a tearDownAfterClass() method to remove the post type caps added to the admin role. Without this, the Tests_User_Capabilities::test_all_caps_of_users_are_being_tested() and Tests_User_Capabilities::testPrimitiveCapsTestsAreCorrect() rightly fail. Also tweaked the test names and switched to assertSame() as we're dealing with empty strings.

#6 @johnbillion
3 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 42380:

Role/Capability: When checking capabilities before setting a post slug, ensure the correct post type capabilities are used.

Previously, only the publish_posts capability was checked. Now, the correct meta or primitive capability for the post type is used where appropriate.

Props peterwilsoncc

Fixes #42464

Note: See TracTickets for help on using tickets.