Make WordPress Core

Opened 6 months ago

Last modified 4 weeks ago

#47443 new defect (bug)

REST-API prevents users with edit_published_posts capability updating published posts

Reported by: derweili
Owned by:
Milestone: 5.4
Priority: normal
Severity: normal
Version: 5.2.1
Component: REST API
Keywords: has-patch
Focuses: rest-api
Cc:
PR Number:

Description

When a user has the edit_posts and edit_published_posts capabilities but not the publish_posts capability and edits a published post, they get the following error:

'Sorry, you are not allowed to publish posts in this post type.'

Because the Block Editor relies on the REST-API, you can see this behavior in the Gutenberg Editor as well.
In Gutenberg they don't see the above error; instead, a "Submit for Review" button is shown in place of the Update button.

To Reproduce

  1. Create a user with edit_pages and edit_published_pages capabilities but not publish_pages capability
  2. Login as that user and edit a published page in the Classic Editor
  3. See that the primary action button is "Update"
  4. Switch to the Block Editor and see that the primary action button is "Submit for Review"

I think there are two changes that need to be made:

1. in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php:1825

The if statement should be changed to:

<?php
// Proposed condition: expose the publish action when the post is already
// published and the user may edit published posts, or when the user may publish.
if ( 'attachment' !== $this->post_type && ( ( 'publish' === $post->post_status && current_user_can( $post_type->cap->edit_published_posts ) ) || current_user_can( $post_type->cap->publish_posts ) ) ) {

After this first change you will have the "Update" button back in the editor, but you still can't update the post. You will receive the above "Sorry, you are not allowed to publish posts in this post type." answer from the REST-API. An additional change must be made:

2. in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php:1148

The if statement should be changed to

<?php
// Proposed condition: only reject the 'publish' status when the user can
// neither publish posts nor edit published posts.
if ( ! current_user_can( $post_type->cap->publish_posts ) && ! current_user_can( $post_type->cap->edit_published_posts ) ) {
    return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to publish posts in this post type.' ), array( 'status' => rest_authorization_required_code() ) );
}

Github Issue for Gutenberg: https://github.com/WordPress/gutenberg/issues/13342

I am concerned about introducing security risk with these changes.
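The second gate from the ticket, modelled below as an added example (not WordPress core code and not the attached patch) over a constructed capability table. It assumes a narrower rule than the ticket's proposal: edit_published_posts is only accepted when the post is already published, so updating a published post and publishing a draft stay separate permissions.

```php
<?php
// Added example, not WordPress core code: the check behind the
// 'rest_cannot_publish' error modelled as a pure function over a
// capability set, so the proposal can be reasoned about offline.

// Constructed capability sets. 'updater' is the role described in the ticket:
// edit_posts and edit_published_posts, but no publish_posts.
const ROLE_CAPS = [
    'contributor' => [ 'edit_posts' => true ],
    'updater'     => [ 'edit_posts' => true, 'edit_published_posts' => true ],
    'author'      => [ 'edit_posts' => true, 'edit_published_posts' => true, 'publish_posts' => true ],
];

function role_has_cap( string $role, string $cap ): bool {
    return ! empty( ROLE_CAPS[ $role ][ $cap ] );
}

/**
 * Decide whether a request that sets post_status to 'publish' may proceed.
 * $current is the post's status before the request.
 *
 * The ticket's proposal accepts edit_published_posts unconditionally, which
 * would also let such a user move a draft to 'publish'. This version (an
 * assumption of this example, not core behaviour) only accepts it when the
 * post is already published, so "update a published post" and "publish a
 * post" remain distinct capabilities.
 */
function may_set_publish( string $role, string $current ): bool {
    if ( role_has_cap( $role, 'publish_posts' ) ) {
        return true;
    }
    return 'publish' === $current && role_has_cap( $role, 'edit_published_posts' );
}

// Check matrix over constructed (role, current status) cases.
foreach ( array_keys( ROLE_CAPS ) as $role ) {
    foreach ( [ 'draft', 'publish' ] as $current ) {
        printf(
            "%-11s %-7s -> %s\n",
            $role,
            $current,
            may_set_publish( $role, $current ) ? 'allowed' : 'rest_cannot_publish'
        );
    }
}
```

Run with `php` on the command line; the matrix shows the updater role allowed only on the already-published post, the contributor never, and the author always.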

Attachments (1)

47443.diff (1.3 KB) - added by derweili 6 months ago.
Patch V1


Change History (7)

@derweili
6 months ago

Patch V1

#1 @derweili
6 months ago

  • Keywords has-patch added; needs-patch removed

This ticket was mentioned in Slack in #core-restapi by timothybjacobs. (6 months ago)

This ticket was mentioned in Slack in #docs by pbiron. (5 months ago)

This ticket was mentioned in Slack in #core-restapi by derweili. (5 months ago)

This ticket was mentioned in Slack in #core-restapi by derweili. (5 weeks ago)

#6 @kadamwhite
4 weeks ago

  • Milestone changed from Awaiting Review to 5.4