sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Don't default to current user for capability checks when dealing with a post without an author (post_author = 0).

Browse Source 
Undoes [12053]. While it risks breakage, this is a far safer and saner default for these situations.

props danielbachhuber.
fixes #27020.


git-svn-id: https://develop.svn.wordpress.org/trunk@27390 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Andrew Nacin 2014-03-04 03:08:54 +00:00
parent 1329d5ebc0
commit 5edec1d792
3 changed files with 59 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
src/wp-includes/capabilities.php
View File

@ -1071,20 +1071,15 @@ function map_meta_cap( $cap, $user_id ) {
break; break;
} }
$post_author_id = $post->post_author; // If the post author is set and the user is the author...
if ( $post->post_author && $user_id == $post->post_author ) {
// If no author set yet, default to current user for cap checks.
if ( ! $post_author_id )
$post_author_id = $user_id;
// If the user is the author...
if ( $user_id == $post_author_id ) {
// If the post is published... // If the post is published...
if ( 'publish' == $post->post_status ) { if ( 'publish' == $post->post_status ) {
$caps[] = $post_type->cap->delete_published_posts; $caps[] = $post_type->cap->delete_published_posts;
} elseif ( 'trash' == $post->post_status ) { } elseif ( 'trash' == $post->post_status ) {
if ('publish' == get_post_meta($post->ID, '_wp_trash_meta_status', true) ) if ( 'publish' == get_post_meta( $post->ID, '_wp_trash_meta_status', true ) ) {
$caps[] = $post_type->cap->delete_published_posts; $caps[] = $post_type->cap->delete_published_posts;
}
} else { } else {
// If the post is draft... // If the post is draft...
$caps[] = $post_type->cap->delete_posts; $caps[] = $post_type->cap->delete_posts;
@ -1093,10 +1088,11 @@ function map_meta_cap( $cap, $user_id ) {
// The user is trying to edit someone else's post. // The user is trying to edit someone else's post.
$caps[] = $post_type->cap->delete_others_posts; $caps[] = $post_type->cap->delete_others_posts;
// The post is published, extra cap required. // The post is published, extra cap required.
if ( 'publish' == $post->post_status ) if ( 'publish' == $post->post_status ) {
$caps[] = $post_type->cap->delete_published_posts; $caps[] = $post_type->cap->delete_published_posts;
elseif ( 'private' == $post->post_status ) } elseif ( 'private' == $post->post_status ) {
$caps[] = $post_type->cap->delete_private_posts; $caps[] = $post_type->cap->delete_private_posts;
}
} }
break; break;
// edit_post breaks down to edit_posts, edit_published_posts, or // edit_post breaks down to edit_posts, edit_published_posts, or
@ -1121,20 +1117,15 @@ function map_meta_cap( $cap, $user_id ) {
break; break;
} }
$post_author_id = $post->post_author; // If the post author is set and the user is the author...
if ( $post->post_author && $user_id == $post->post_author ) {
// If no author set yet, default to current user for cap checks.
if ( ! $post_author_id )
$post_author_id = $user_id;
// If the user is the author...
if ( $user_id == $post_author_id ) {
// If the post is published... // If the post is published...
if ( 'publish' == $post->post_status ) { if ( 'publish' == $post->post_status ) {
$caps[] = $post_type->cap->edit_published_posts; $caps[] = $post_type->cap->edit_published_posts;
} elseif ( 'trash' == $post->post_status ) { } elseif ( 'trash' == $post->post_status ) {
if ('publish' == get_post_meta($post->ID, '_wp_trash_meta_status', true) ) if ( 'publish' == get_post_meta( $post->ID, '_wp_trash_meta_status', true ) ) {
$caps[] = $post_type->cap->edit_published_posts; $caps[] = $post_type->cap->edit_published_posts;
}
} else { } else {
// If the post is draft... // If the post is draft...
$caps[] = $post_type->cap->edit_posts; $caps[] = $post_type->cap->edit_posts;
@ -1143,10 +1134,11 @@ function map_meta_cap( $cap, $user_id ) {
// The user is trying to edit someone else's post. // The user is trying to edit someone else's post.
$caps[] = $post_type->cap->edit_others_posts; $caps[] = $post_type->cap->edit_others_posts;
// The post is published, extra cap required. // The post is published, extra cap required.
if ( 'publish' == $post->post_status ) if ( 'publish' == $post->post_status ) {
$caps[] = $post_type->cap->edit_published_posts; $caps[] = $post_type->cap->edit_published_posts;
elseif ( 'private' == $post->post_status ) } elseif ( 'private' == $post->post_status ) {
$caps[] = $post_type->cap->edit_private_posts; $caps[] = $post_type->cap->edit_private_posts;
}
} }
break; break;
case 'read_post': case 'read_post':
@ -1173,18 +1165,13 @@ function map_meta_cap( $cap, $user_id ) {
break; break;
} }
$post_author_id = $post->post_author; if ( $post->post_author && $user_id == $post->post_author ) {
// If no author set yet, default to current user for cap checks.
if ( ! $post_author_id )
$post_author_id = $user_id;
if ( $user_id == $post_author_id )
$caps[] = $post_type->cap->read; $caps[] = $post_type->cap->read;
elseif ( $status_obj->private ) } elseif ( $status_obj->private ) {
$caps[] = $post_type->cap->read_private_posts; $caps[] = $post_type->cap->read_private_posts;
else } else {
$caps = map_meta_cap( 'edit_post', $user_id, $post->ID ); $caps = map_meta_cap( 'edit_post', $user_id, $post->ID );
}
break; break;
case 'publish_post': case 'publish_post':
$post = get_post( $args[0] ); $post = get_post( $args[0] );

27
tests/phpunit/tests/user/capabilities.php
View File

@ -524,6 +524,33 @@ class Tests_User_Capabilities extends WP_UnitTestCase {
} }
} }
function authorless_post_statuses() {
return array( array( 'draft' ), array( 'private' ), array( 'publish' ) );
}
/**
* @ticket 27020
* @dataProvider authorless_post_statuses
*/
function test_authorless_post( $status ) {
// Make a post without an author
$post = $this->factory->post->create( array( 'post_author' => 0, 'post_type' => 'post', 'post_status' => $status ) );
// Add an editor and contributor
$editor = $this->factory->user->create_and_get( array( 'role' => 'editor' ) );
$contributor = $this->factory->user->create_and_get( array( 'role' => 'contributor' ) );
// editor can edit, view, and trash
$this->assertTrue( $editor->has_cap( 'edit_post', $post ) );
$this->assertTrue( $editor->has_cap( 'delete_post', $post ) );
$this->assertTrue( $editor->has_cap( 'read_post', $post ) );
// a contributor cannot (except read a published post)
$this->assertFalse( $contributor->has_cap( 'edit_post', $post ) );
$this->assertFalse( $contributor->has_cap( 'delete_post', $post ) );
$this->assertEquals( $status === 'publish', $contributor->has_cap( 'read_post', $post ) );
}
/** /**
* @ticket 16714 * @ticket 16714
*/ */

14
tests/phpunit/tests/user/mapMetaCap.php
View File

@ -232,4 +232,18 @@ class Tests_User_MapMetaCap extends WP_UnitTestCase {
$this->assertEquals( array( 'update_core' ), map_meta_cap( 'update_core', $this->user_id ) ); $this->assertEquals( array( 'update_core' ), map_meta_cap( 'update_core', $this->user_id ) );
$this->assertEquals( array( 'edit_plugins' ), map_meta_cap( 'edit_plugins', $this->user_id ) ); $this->assertEquals( array( 'edit_plugins' ), map_meta_cap( 'edit_plugins', $this->user_id ) );
} }
/**
* Test a post without an author.
*
* @ticket 27020
*/
function test_authorless_posts_capabilties() {
$post_id = $this->factory->post->create( array( 'post_author' => 0, 'post_type' => 'post', 'post_status' => 'publish' ) );
$editor = $this->factory->user->create( array( 'role' => 'editor' ) );
$this->assertEquals( array( 'edit_others_posts', 'edit_published_posts' ), map_meta_cap( 'edit_post', $editor, $post_id ) );
$this->assertEquals( array( 'delete_others_posts', 'delete_published_posts' ), map_meta_cap( 'delete_post', $editor, $post_id ) );
}
} }