Make WordPress Core

Opened 6 years ago

Closed 5 years ago

#5727 closed defect (bug) (worksforme)

Post gets published even though user can't publish_posts

Reported by: SimonK
Owned by: (none)
Milestone: (none)
Priority: normal
Severity: normal
Version: 2.3.3
Component: Administration
Keywords: capabilities edit_published_posts publish_posts bug needs-patch
Focuses: (none)
Cc: (none)

Description

When users don't have the "publish_posts" capability, but DO have the "edit_published_posts" capability, they can publish posts directly. This happens when they press "Submit for Review" AFTER the post has been saved (either manually or autosave). I've located the bug in /wp-admin/includes/post.php, and fixed it (temporarily) by adding the following code after line 71.

// START fix
if ('publish' == $_POST['post_status'] && !current_user_can( 'publish_posts' )) {
	$_POST['post_status'] = 'pending';
}
// END fix

This is the piece of code that causes the bug (I think...):

	} else {
		if ('publish' == $_POST['post_status'] && !current_user_can( 'edit_published_posts' ))
			$_POST['post_status'] = 'pending';
	}

(lines 68-71 in /wp-admin/includes/post.php)

Note: this bug only occurs when using a plugin to change roles/capabilities, but that doesn't make it a bug in the plugin, I think.

Change History (4)

comment:1 lloydbudd, 6 years ago

  • Keywords needs-patch added
  • Milestone changed from 2.6 to 2.5

comment:2 ffemtcj, 6 years ago

  • Cc ffemtcj added

Since this works correctly without the plugin and the plugin creates the problem, doesn't that mean that the plugin has the bug and not WP? You could probably pick quite a few things in the WP code and create a plugin to do something that it isn't supposed to do. That doesn't make it a bug in WP.

comment:3 Otto42, 6 years ago

  • Version changed from 2.3.2 to 2.3.3

Bringing this up again:

No, this is not a bug in the plugin, the plugin in question is simply the Role Manager. This is a definite WordPress bug.

To reproduce:

  1. Make a user who can edit_published_posts but not publish_posts himself. As these are separate capabilities, it's possible to create a user this way.
  2. Create a new post.
  3. Save it as draft.
  4. Submit it for review.

Result: it publishes instead of going to pending.
Desired result: As the user does not have publish_posts, it should not publish.

Fix:
Change this:

	if ('publish' == $_POST['post_status'] && !current_user_can( 'edit_published_posts' ))
		$_POST['post_status'] = 'pending';

to this:

	if ('publish' == $_POST['post_status'] && !current_user_can( 'edit_published_posts' ) && !current_user_can( 'publish_posts' ))
		$_POST['post_status'] = 'pending';

Same with pages just above that.
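The following is an added illustration, not code from WordPress core or from anyone in this ticket. It models the status gate from wp-admin/includes/post.php that the description and comment 3 quote, with a stand-in `user_can_stub()` replacing `current_user_can()` so it runs outside WordPress, and feeds it the reproduction case from comment 3: a user holding `edit_published_posts` but not `publish_posts`, submitting a request whose `post_status` is `publish`. The capability list and the request array are constructed for the example; the function names are hypothetical.

```php
<?php
// Added example modelling the post_status gate discussed in ticket #5727.
// Not WordPress core code; names below are hypothetical.

// Stand-in for current_user_can(): the capability set is passed explicitly
// instead of being read from the logged-in user.
function user_can_stub(array $caps, string $cap): bool {
    return in_array($cap, $caps, true);
}

// Gate as quoted in the ticket: a 'publish' request is demoted to 'pending'
// only when the user lacks edit_published_posts.
function gate_status_original(string $requested, array $caps): string {
    if ('publish' === $requested && !user_can_stub($caps, 'edit_published_posts')) {
        return 'pending';
    }
    return $requested;
}

// Variant from comment 3: demote only when the user lacks BOTH capabilities.
function gate_status_lacks_both(string $requested, array $caps): string {
    if ('publish' === $requested
        && !user_can_stub($caps, 'edit_published_posts')
        && !user_can_stub($caps, 'publish_posts')) {
        return 'pending';
    }
    return $requested;
}

// Gate from the ticket description: a 'publish' request always requires
// publish_posts, regardless of any other capability the user holds.
function gate_status_requires_publish(string $requested, array $caps): string {
    if ('publish' === $requested && !user_can_stub($caps, 'publish_posts')) {
        return 'pending';
    }
    return $requested;
}

// Constructed reproduction: an Editor-like role with the publish_* caps removed.
$caps = ['edit_posts', 'edit_others_posts', 'edit_published_posts'];

// Constructed request carrying the value the ticket's fix intercepts.
$request = ['post_status' => 'publish'];

foreach ([
    'original gate            ' => 'gate_status_original',
    'lacks-both gate (comment 3)' => 'gate_status_lacks_both',
    'requires-publish gate    ' => 'gate_status_requires_publish',
] as $label => $fn) {
    printf("%s -> %s\n", $label, $fn($request['post_status'], $caps));
}
```

Run with `php gate.php`. For the constructed user, the original gate and the lacks-both variant both return `publish`, because the user does hold `edit_published_posts` and the demotion condition is never met; only the gate that insists on `publish_posts` returns `pending`. The practical point for any capability check: test the capability that authorizes the specific transition, not a neighbouring one that a custom role may grant independently.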

comment:4 DD32, 5 years ago

  • Milestone 2.9 deleted
  • Resolution set to worksforme
  • Status changed from new to closed

Is this still valid?

I copied the Editors role (Which includes edit_published_*), removed the publish_* caps, and submitted a post for review. The post came up as Pending.

Seems to me that it was fixed in the 2.7 UI overhaul? Re-open if problem persists.
