From 5e71c349afb484b6cc9f3465c3d5737f62980663 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Fri, 26 Aug 2016 18:22:28 +0000
Subject: [PATCH] Role/Capability: Only users who can manage options should be able to trash/delete the page for posts or the front page, as they are the only users who can restore it or subsequently alter the "Front page displays" setting.
Fixes #37580
Props JakePT
git-svn-id: https://develop.svn.wordpress.org/trunk@38378 602fd350-edb4-49c9-b593-d223f7449a82
---
src/wp-includes/capabilities.php | 5 ++++
tests/phpunit/tests/user/mapMetaCap.php | 36 +++++++++++++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/src/wp-includes/capabilities.php b/src/wp-includes/capabilities.php
index eac359630b..da542293dd 100644
--- a/src/wp-includes/capabilities.php
+++ b/src/wp-includes/capabilities.php
@@ -67,6 +67,11 @@ function map_meta_cap( $cap, $user_id ) {
 }
 }

+ if ( ( get_option( 'page_for_posts' ) == $post->ID ) || ( get_option( 'page_on_front' ) == $post->ID ) ) {
+ $caps[] = 'manage_options';
+ break;
+ }
+
 $post_type = get_post_type_object( $post->post_type );
 if ( ! $post_type ) {
 /* translators: 1: post type, 2: capability name */
diff --git a/tests/phpunit/tests/user/mapMetaCap.php b/tests/phpunit/tests/user/mapMetaCap.php
index 1b86dd1dd2..a2218f1c59 100644
--- a/tests/phpunit/tests/user/mapMetaCap.php
+++ b/tests/phpunit/tests/user/mapMetaCap.php
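Review bot: The new guard compares `get_option( 'page_for_posts' )` and `get_option( 'page_on_front' )` to `$post->ID` with `==`; option values typically come back as strings (or `false` when the option is absent), so the check works only through loose comparison, and `(int) get_option( 'page_on_front' ) === (int) $post->ID` would state the intent explicitly and not depend on PHP's string/number comparison rules. The `break` that follows also means a user who holds `manage_options` no longer needs the post type's own delete capability for these two pages — the guard replaces the normal mapping rather than adding to it; if the aim is an extra requirement, drop the `break` so the usual `delete_*` caps are still appended by the code below. Note as well that `page_on_front` can hold a stale page ID when the site shows posts on the front page, in which case a page that is no longer displayed stays protected — probably acceptable, but a short comment on the condition (`// The front page and posts page can only be restored by users who can manage options.`) would record the reasoning from the commit message. The enclosing case block of map_meta_cap starts and ends outside the hunk.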
@@ -255,4 +255,40 @@ class Tests_User_MapMetaCap extends WP_UnitTestCase {
 $this->assertEquals( array( 'delete_others_posts', 'delete_published_posts' ), map_meta_cap( 'delete_post', $editor, $post_id ) );
 }
+
+ /**
+ * Test deleting front page.
+ *
+ * @ticket 37580
+ */
+ function test_only_users_who_can_manage_options_can_delete_page_on_front() {
+ $post_id = self::factory()->post->create( array(
+ 'post_type' => 'page',
+ 'post_status' => 'publish',
+ ) );
+
+ update_option( 'page_on_front', $post_id );
+ $caps = map_meta_cap( 'delete_page', $this->user_id, $post_id );
+ delete_option( 'page_on_front' );
+
+ $this->assertEquals( array( 'manage_options' ), $caps );
+ }
+
+ /**
+ * Test deleting posts page.
+ *
+ * @ticket 37580
+ */
+ function test_only_users_who_can_manage_options_can_delete_page_for_posts() {
+ $post_id = self::factory()->post->create( array(
+ 'post_type' => 'page',
+ 'post_status' => 'publish',
+ ) );
+
+ update_option( 'page_for_posts', $post_id );
+ $caps = map_meta_cap( 'delete_page', $this->user_id, $post_id );
+ delete_option( 'page_for_posts' );
+
+ $this->assertEquals( array( 'manage_options' ), $caps );
+ }

 }
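Review bot: Both new tests only exercise `delete_page` for `$this->user_id`, whose role is set up outside the hunk, so they show that the two special pages map to `manage_options` but not that the guard leaves an ordinary page alone, nor whether it applies equally to `delete_post` (the capabilities.php hunk sits in a code path that appears to be shared, though its case label is not visible). A third case that creates a plain published page and asserts the unchanged `delete_page` mapping would pin the boundary, and a `delete_post` call against the same front page would document whether the guard is capability-agnostic. `delete_option( 'page_on_front' )` also leaves the option absent rather than at its previous value; restoring it with `update_option( 'page_on_front', 0 )` keeps later tests in the class from depending on order, unless the test case's transaction rollback already covers options. The enclosing class continues past the hunk.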