sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Customize: Do not allow changesets to be deleted when someone is editing them.

Browse Source 
This makes the behavior consistent with that of locked posts, which can't be deleted via the list tables when another user is editing them.

Props dlh.
Fixes #50501.

git-svn-id: https://develop.svn.wordpress.org/trunk@48211 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Sergey Biryukov 2020-06-29 10:31:12 +00:00
parent 52f139829c
commit 6a3d4fe520
3 changed files with 34 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/wp-includes/admin-bar.php
View File

@ -425,7 +425,9 @@ function wp_admin_bar_customize_menu( $wp_admin_bar ) {
}
// Don't show if the user cannot edit a given customize_changeset post currently being previewed.
if ( is_customize_preview() && $wp_customize->changeset_post_id() && ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $wp_customize->changeset_post_id() ) ) {
if ( is_customize_preview() && $wp_customize->changeset_post_id()
&& ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $wp_customize->changeset_post_id() )
) {
return;
}

28
src/wp-includes/class-wp-customize-manager.php
View File

@ -3139,13 +3139,27 @@ final class WP_Customize_Manager {
return;
}
if ( $changeset_post_id && ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->delete_post, $changeset_post_id ) ) {
wp_send_json_error(
array(
'code' => 'changeset_trash_unauthorized',
'message' => __( 'Unable to trash changes.' ),
)
);
if ( $changeset_post_id ) {
if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->delete_post, $changeset_post_id ) ) {
wp_send_json_error(
array(
'code' => 'changeset_trash_unauthorized',
'message' => __( 'Unable to trash changes.' ),
)
);
}
$lock_user = (int) wp_check_post_lock( $changeset_post_id );
if ( $lock_user && get_current_user_id() !== $lock_user ) {
wp_send_json_error(
array(
'code' => 'changeset_locked',
'message' => __( 'Changeset is being edited by other user.' ),
'lockUser' => $this->get_lock_user_data( $lock_user ),
)
);
}
}
if ( 'trash' === get_post_status( $changeset_post_id ) ) {

10
tests/phpunit/tests/ajax/CustomizeManager.php
View File

@ -514,6 +514,16 @@ class Tests_Ajax_CustomizeManager extends WP_Ajax_UnitTestCase {
$this->assertEquals( 'changeset_trash_unauthorized', $this->_last_response_parsed['data']['code'] );
remove_filter( 'map_meta_cap', array( $this, 'return_do_not_allow' ) );
$lock_user_id = static::factory()->user->create( array( 'role' => 'administrator' ) );
$previous_user = get_current_user_id();
wp_set_current_user( $lock_user_id );
$wp_customize->set_changeset_lock( $wp_customize->changeset_post_id() );
wp_set_current_user( $previous_user );
$this->make_ajax_call( 'customize_trash' );
$this->assertFalse( $this->_last_response_parsed['success'] );
$this->assertEquals( 'changeset_locked', $this->_last_response_parsed['data']['code'] );
delete_post_meta( $wp_customize->changeset_post_id(), '_edit_lock' );
wp_update_post(
array(
'ID' => $wp_customize->changeset_post_id(),