Don't let users who cannot publish edit published posts, even their own. Make consistent use of user_can_create_post(). http://mosquito.wordpress.org/view.php?id=1004 Props: MC_incubus

git-svn-id: https://develop.svn.wordpress.org/trunk@2441 602fd350-edb4-49c9-b593-d223f7449a82
Ryan Boren 2005-03-14 00:48:11 +00:00
parent c8b826e05b
commit a21f267454
4 changed files with 11 additions and 6 deletions


@ -115,7 +115,7 @@ edCanvas = document.getElementById('content');
<?php
if ('publish' != $post_status || 0 == $post_ID) {
?>
<?php if ( 1 < $user_level || (1 == $user_level && 2 == get_option('new_users_can_blog')) ) : ?>
<?php if ( user_can_create_post($user_ID) ) : ?>
<input name="publish" type="submit" id="publish" tabindex="10" value="<?php _e('Publish') ?>" />
<?php endif; ?>
<?php
@ -135,7 +135,7 @@ if ('publish' != $post_status || 0 == $post_ID) {
<table width="100%" cellspacing="2" cellpadding="5" class="editform">
<tr>
<th scope="row" valign="top"><?php _e('Post Status') ?>:</th>
<td><?php if ( 1 < $user_level || (1 == $user_level && 2 == get_option('new_users_can_blog')) ) : ?>
<td><?php if ( user_can_create_post($user_ID) ) : ?>
<label for="post_status_publish" class="selectit"><input id="post_status_publish" name="post_status" type="radio" value="publish" <?php checked($post_status, 'publish'); ?> /> <?php _e('Published') ?></label><br />
<?php endif; ?>
<label for="post_status_draft" class="selectit"><input id="post_status_draft" name="post_status" type="radio" value="draft" <?php checked($post_status, 'draft'); ?> /> <?php _e('Draft') ?></label><br />
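Review bot: The `user_can_create_post($user_ID)` tests on lines 17 and 26 only decide whether the Publish button and the "Published" radio are rendered; they do not constrain what the form can submit, so the authoritative check remains the "Double-check" in the post/editpost handlers of the fourth file section and must not be relaxed there. The same applies to the guard on line 37 in the third file section. Because these templates previously keyed off `$user_level`, it is worth confirming that `$user_ID` is populated in this scope before the include (not visible in the hunk); presumably an unset `$user_ID` would make `user_can_create_post` fail and hide the controls for everyone. A template comment such as `<?php // Presentation only: publish rights are enforced again server-side when the post is saved ?>` above line 17 would make the division of responsibility explicit.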


@ -58,7 +58,7 @@ edCanvas = document.getElementById('content');
<p class="submit"><input name="saveasdraft" type="submit" id="saveasdraft" tabindex="9" value="<?php _e('Save as Draft') ?>" />
<input name="saveasprivate" type="submit" id="saveasprivate" tabindex="10" value="<?php _e('Save as Private') ?>" />
<?php if ( 1 < $user_level || (1 == $user_level && 2 == get_option('new_users_can_blog')) ) : ?>
<?php if ( user_can_create_post($user_ID) ) : ?>
<input name="publish" type="submit" id="publish" tabindex="6" style="font-weight: bold;" value="<?php _e('Publish') ?>" />
<?php endif; ?>


@ -61,7 +61,7 @@ case 'post':
if ( empty($post_status) )
$post_status = 'draft';
// Double-check
if ( 'publish' == $post_status && (!user_can_create_post($user_ID)) && 2 != get_option('new_users_can_blog') )
if ( 'publish' == $post_status && (!user_can_create_post($user_ID)) )
$post_status = 'draft';
$comment_status = $_POST['comment_status'];
if ( empty($comment_status) && !isset($_POST['advanced_view']) )
@ -229,6 +229,11 @@ case 'edit':
if( 'private' == $postdata->post_status && $postdata->post_author != $user_ID )
die ( __('You are not allowed to view other users\' private posts.') );
if ( 'publish' == $post_status && (!user_can_create_post($user_ID)) ) {
_e('You are not allowed to edit published posts.');
break;
}
if ($post_status == 'static') {
$page_template = get_post_meta($post_ID, '_wp_page_template', true);
include('edit-page-form.php');
@ -305,7 +310,7 @@ case 'editpost':
if (isset($_POST['publish'])) $post_status = 'publish';
// Double-check
if ( 'publish' == $post_status && (!user_can_create_post($user_ID)) && 2 != get_option('new_users_can_blog') )
if ( 'publish' == $post_status && (!user_can_create_post($user_ID)) )
$post_status = 'draft';
if (empty($post_name) || 'draft' == $post_status ) {
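Review bot: The new guard on line 55 reads `$post_status`, while the adjacent private-post check on line 53 reads `$postdata->post_status`; unless `$post_status` is derived from `$postdata` earlier in `case 'edit':` (not visible in the hunk), the guard tests a stale or request-supplied value, and `if ( 'publish' == $postdata->post_status && !user_can_create_post($user_ID) ) {` would keep it consistent with the line above. The guard also only covers rendering the edit form: in `case 'editpost':` (line 66) a publish-incapable user is still allowed to save, and as far as the hunk shows the status is merely forced to 'draft', so such a user could still modify, and thereby unpublish, a published post by submitting that action directly. The same rejection belongs there before any update is performed, matching the intent stated in the commit message. Lines 56–57 also report the refusal with `_e()` and `break` where line 54 uses `die()`; pick one style for these authorization failures. Both the 'edit' and 'editpost' cases extend beyond the hunk.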


@ -54,7 +54,7 @@ case 'register':
$user_nickname = $user_login;
$user_nicename = sanitize_title($user_nickname);
$now = gmdate('Y-m-d H:i:s');
if (get_settings('new_users_can_blog') >= 1) $user_level = 1;
$user_level = get_settings('new_users_can_blog');
$password = substr( md5( uniqid( microtime() ) ), 0, 7);
$result = $wpdb->query("INSERT INTO $wpdb->users