From 6a3d4fe520cf280828513f244afeb9cdbf5149f0 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Mon, 29 Jun 2020 10:31:12 +0000
Subject: [PATCH] Customize: Do not allow changesets to be deleted when someone is editing them.
This makes the behavior consistent with that of locked posts, which can't be deleted via the list tables when another user is editing them.
Props dlh.
Fixes #50501.
git-svn-id: https://develop.svn.wordpress.org/trunk@48211 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/admin-bar.php | 4 ++-
 .../class-wp-customize-manager.php | 28 ++++++++++++++-----
 tests/phpunit/tests/ajax/CustomizeManager.php | 10 +++++++
 3 files changed, 34 insertions(+), 8 deletions(-)
diff --git a/src/wp-includes/admin-bar.php b/src/wp-includes/admin-bar.php
index 15cb441668..048ca3011a 100644
--- a/src/wp-includes/admin-bar.php
+++ b/src/wp-includes/admin-bar.php
@@ -425,7 +425,9 @@ function wp_admin_bar_customize_menu( $wp_admin_bar ) {
 }
 // Don't show if the user cannot edit a given customize_changeset post currently being previewed.
- if ( is_customize_preview() && $wp_customize->changeset_post_id() && ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $wp_customize->changeset_post_id() ) ) {
+ if ( is_customize_preview() && $wp_customize->changeset_post_id()
+ && ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $wp_customize->changeset_post_id() )
+ ) {
 return;
 }
diff --git a/src/wp-includes/class-wp-customize-manager.php b/src/wp-includes/class-wp-customize-manager.php
index c44c33a450..9832099f91 100644
--- a/src/wp-includes/class-wp-customize-manager.php
+++ b/src/wp-includes/class-wp-customize-manager.php
@@ -3139,13 +3139,27 @@ final class WP_Customize_Manager {
 return;
 }
- if ( $changeset_post_id && ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->delete_post, $changeset_post_id ) ) {
- wp_send_json_error(
- array(
- 'code' => 'changeset_trash_unauthorized',
- 'message' => __( 'Unable to trash changes.' ),
- )
- );
+ if ( $changeset_post_id ) {
+ if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->delete_post, $changeset_post_id ) ) {
+ wp_send_json_error(
+ array(
+ 'code' => 'changeset_trash_unauthorized',
+ 'message' => __( 'Unable to trash changes.' ),
+ )
+ );
+ }
+ $lock_user = (int) wp_check_post_lock( $changeset_post_id );
+ if ( $lock_user && get_current_user_id() !== $lock_user ) {
+ wp_send_json_error(
+ array(
+ 'code' => 'changeset_locked',
+ 'message' => __( 'Changeset is being edited by other user.' ),
+ 'lockUser' => $this->get_lock_user_data( $lock_user ),
+ )
+ );
+ }
 }
 if ( 'trash' === get_post_status( $changeset_post_id ) ) {
diff --git a/tests/phpunit/tests/ajax/CustomizeManager.php b/tests/phpunit/tests/ajax/CustomizeManager.php
index d0c70893d3..1126e8e667 100644
--- a/tests/phpunit/tests/ajax/CustomizeManager.php
+++ b/tests/phpunit/tests/ajax/CustomizeManager.php
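Review bot: The order of the two new checks deserves a comment, because it is security-relevant: the `delete_post` capability is tested before the post lock, so the `lockUser` payload built by `get_lock_user_data()` is only disclosed to a requester who is already allowed to trash the changeset (assuming `wp_send_json_error()` ends the request, as it does elsewhere in core). I'd add `// Check the capability before the lock so lock-holder details are only returned to users permitted to trash the changeset.` above the `$lock_user` assignment. The `get_current_user_id() !== $lock_user` guard appears redundant if `wp_check_post_lock()` already returns false for a lock held by the current user, but it is a harmless defensive check. The message `Changeset is being edited by other user.` reads better as `Changeset is being edited by another user.`. The enclosing method starts and ends outside the hunk.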
@@ -514,6 +514,16 @@ class Tests_Ajax_CustomizeManager extends WP_Ajax_UnitTestCase {
 $this->assertEquals( 'changeset_trash_unauthorized', $this->_last_response_parsed['data']['code'] );
 remove_filter( 'map_meta_cap', array( $this, 'return_do_not_allow' ) );
+ $lock_user_id = static::factory()->user->create( array( 'role' => 'administrator' ) );
+ $previous_user = get_current_user_id();
+ wp_set_current_user( $lock_user_id );
+ $wp_customize->set_changeset_lock( $wp_customize->changeset_post_id() );
+ wp_set_current_user( $previous_user );
+ $this->make_ajax_call( 'customize_trash' );
+ $this->assertFalse( $this->_last_response_parsed['success'] );
+ $this->assertEquals( 'changeset_locked', $this->_last_response_parsed['data']['code'] );
+ delete_post_meta( $wp_customize->changeset_post_id(), '_edit_lock' );
+ wp_update_post( array( 'ID' => $wp_customize->changeset_post_id(),