Customize: Do not allow changesets to be deleted when someone is editing them.

This makes the behavior consistent with that of locked posts, which can't be deleted via the list tables when another user is editing them.

Props dlh.
Fixes #50501.

git-svn-id: https://develop.svn.wordpress.org/trunk@48211 602fd350-edb4-49c9-b593-d223f7449a82
Sergey Biryukov 2020-06-29 10:31:12 +00:00
parent 52f139829c
commit 6a3d4fe520
3 changed files with 34 additions and 8 deletions


@ -425,7 +425,9 @@ function wp_admin_bar_customize_menu( $wp_admin_bar ) {
} }
// Don't show if the user cannot edit a given customize_changeset post currently being previewed. // Don't show if the user cannot edit a given customize_changeset post currently being previewed.
if ( is_customize_preview() && $wp_customize->changeset_post_id() && ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $wp_customize->changeset_post_id() ) ) { if ( is_customize_preview() && $wp_customize->changeset_post_id()
&& ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $wp_customize->changeset_post_id() )
) {
return; return;
} }


@ -3139,13 +3139,27 @@ final class WP_Customize_Manager {
return; return;
} }
if ( $changeset_post_id && ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->delete_post, $changeset_post_id ) ) { if ( $changeset_post_id ) {
wp_send_json_error( if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->delete_post, $changeset_post_id ) ) {
array( wp_send_json_error(
'code' => 'changeset_trash_unauthorized', array(
'message' => __( 'Unable to trash changes.' ), 'code' => 'changeset_trash_unauthorized',
) 'message' => __( 'Unable to trash changes.' ),
); )
);
}
$lock_user = (int) wp_check_post_lock( $changeset_post_id );
if ( $lock_user && get_current_user_id() !== $lock_user ) {
wp_send_json_error(
array(
'code' => 'changeset_locked',
'message' => __( 'Changeset is being edited by other user.' ),
'lockUser' => $this->get_lock_user_data( $lock_user ),
)
);
}
} }
if ( 'trash' === get_post_status( $changeset_post_id ) ) { if ( 'trash' === get_post_status( $changeset_post_id ) ) {
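Review bot: The second half of the new condition `if ( $lock_user && get_current_user_id() !== $lock_user )` is redundant: wp_check_post_lock() already returns false when the post is not locked, the lock is stale, or the lock belongs to the current user, so `$lock_user` can only ever be another user's ID. It is harmless, but either simplify to `if ( $lock_user ) {` or add a comment such as `// wp_check_post_lock() returns false for the current user's own lock; the comparison is defensive.` so the next reader does not have to look it up. The user-visible message would also read better as `__( 'Changeset is being edited by another user.' )`. The enclosing method starts and ends outside the hunk.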


@ -514,6 +514,16 @@ class Tests_Ajax_CustomizeManager extends WP_Ajax_UnitTestCase {
$this->assertEquals( 'changeset_trash_unauthorized', $this->_last_response_parsed['data']['code'] ); $this->assertEquals( 'changeset_trash_unauthorized', $this->_last_response_parsed['data']['code'] );
remove_filter( 'map_meta_cap', array( $this, 'return_do_not_allow' ) ); remove_filter( 'map_meta_cap', array( $this, 'return_do_not_allow' ) );
$lock_user_id = static::factory()->user->create( array( 'role' => 'administrator' ) );
$previous_user = get_current_user_id();
wp_set_current_user( $lock_user_id );
$wp_customize->set_changeset_lock( $wp_customize->changeset_post_id() );
wp_set_current_user( $previous_user );
$this->make_ajax_call( 'customize_trash' );
$this->assertFalse( $this->_last_response_parsed['success'] );
$this->assertEquals( 'changeset_locked', $this->_last_response_parsed['data']['code'] );
delete_post_meta( $wp_customize->changeset_post_id(), '_edit_lock' );
wp_update_post( wp_update_post(
array( array(
'ID' => $wp_customize->changeset_post_id(), 'ID' => $wp_customize->changeset_post_id(),
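Review bot: The new assertions only check the `changeset_locked` code, so the `lockUser` payload the manager now attaches to that response is not covered by this test; adding `$this->assertArrayHasKey( 'lockUser', $this->_last_response_parsed['data'] );` after the code assertion would pin it. For the string code, `assertSame` is the stricter choice over `assertEquals`, although the pre-existing assertion two lines above uses `assertEquals`, so keeping it consistent is defensible. The enclosing test method starts and ends outside the hunk.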