sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Check for all required caps before (un)sticking a post.

Browse Source 
In cases where a user has the `edit_others_posts` capability but not
`publish_posts`, it was possible for that user to unstick a post after editing,
since the input field was never made available in that context.

Props ericmann, chriscct7.
Fixes #24153.



git-svn-id: https://develop.svn.wordpress.org/trunk@33096 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Konstantin Obenland 2015-07-06 22:40:59 +00:00
parent 53021ef6fe
commit 2cafc0d787
2 changed files with 100 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/wp-admin/includes/post.php
View File

@ -385,7 +385,7 @@ function edit_post( $post_data = null ) {
wp_set_post_lock( $post_ID );
if ( current_user_can( $ptype->cap->edit_others_posts ) ) {
if ( current_user_can( $ptype->cap->edit_others_posts ) && current_user_can( $ptype->cap->publish_posts ) ) {
if ( ! empty( $post_data['sticky'] ) )
stick_post( $post_ID );
else

99
tests/phpunit/tests/post.php
View File

@ -1023,4 +1023,103 @@ class Tests_Post extends WP_UnitTestCase {
$this->assertEquals( 'closed', $post->ping_status );
_unregister_post_type( $post_type );
}
/**
* If a post is sticky and is updated by a user that does not have the publish_post capability, it should _stay_
* sticky.
*
* @ticket 24153
*/
function test_user_without_publish_cannot_affect_sticky() {
// Create a role with edit_others_posts.
add_role( 'grammarian', 'Grammarian', array(
'read' => true,
'edit_posts' => true,
'edit_others_posts' => true,
'edit_published_posts' => true,
) );
$editor_user = $this->factory->user->create( array( 'role' => 'grammarian' ) );
$old_uid = get_current_user_id();
wp_set_current_user( $editor_user );
// Sanity Check.
$this->assertFalse( current_user_can( 'publish_posts' ) );
$this->assertTrue( current_user_can( 'edit_others_posts' ) );
$this->assertTrue( current_user_can( 'edit_published_posts' ) );
// Create a sticky post.
$post = $this->factory->post->create_and_get( array(
'post_title' => 'Will be changed',
'post_content' => 'Will be changed',
) );
stick_post( $post->ID );
// Sanity Check.
$this->assertTrue( is_sticky( $post->ID ) );
// Edit the post.
$post->post_title = 'Updated';
$post->post_content = 'Updated';
wp_update_post( $post );
// Make sure it's still sticky.
$saved_post = get_post( $post->ID );
$this->assertTrue( is_sticky( $saved_post->ID ) );
$this->assertEquals( 'Updated', $saved_post->post_title );
$this->assertEquals( 'Updated', $saved_post->post_content );
// Teardown
wp_set_current_user( $old_uid );
}
/**
* If the `edit_post()` method is invoked by a user without publish_posts permission, the sticky status of the post
* should not be changed.
*
* @ticket 24153
*/
function test_user_without_publish_cannot_affect_sticky_with_edit_post() {
// Create a sticky post.
$post = $this->factory->post->create_and_get( array(
'post_title' => 'Will be changed',
'post_content' => 'Will be changed',
) );
stick_post( $post->ID );
// Sanity Check.
$this->assertTrue( is_sticky( $post->ID ) );
// Create a role with edit_others_posts.
add_role( 'grammarian', 'Grammarian', array(
'read' => true,
'edit_posts' => true,
'edit_others_posts' => true,
'edit_published_posts' => true,
) );
$editor_user = $this->factory->user->create( array( 'role' => 'grammarian' ) );
$old_uid = get_current_user_id();
wp_set_current_user( $editor_user );
// Sanity Check.
$this->assertFalse( current_user_can( 'publish_posts' ) );
$this->assertTrue( current_user_can( 'edit_others_posts' ) );
$this->assertTrue( current_user_can( 'edit_published_posts' ) );
// Edit the post - The key 'sticky' is intentionally unset.
$data = array(
'post_ID' => $post->ID,
'post_title' => 'Updated',
'post_content' => 'Updated',
);
edit_post( $data );
// Make sure it's still sticky
$saved_post = get_post( $post->ID );
$this->assertTrue( is_sticky( $saved_post->ID ) );
$this->assertEquals( 'Updated', $saved_post->post_title );
$this->assertEquals( 'Updated', $saved_post->post_content );
// Teardown
wp_set_current_user( $old_uid );
}
}