[wp-hackers] "Submit for review" checks wrong role

Jeremy Clarke jer-wphackers at simianuprising.com
Mon Nov 5 20:21:53 GMT 2007


[apologies if this is a double post, having problems with list]

Hey guys, this seems like a bug to me, but might be by design:

It has to do with the new post submission feature where users who
can't publish their own posts can submit them for review rather than
just saving them as draft and informing the site admin that they want
it published.

In /wp-admin/edit-form-advanced.php on line 172 the logic checks to
see if a user has the publish_posts capability/role and if they do
not, it labels the "publish" button as "submit for review" instead.

 172  <?php if ( current_user_can('publish_posts') ) : ?>
 173      <input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Publish') ?>" />
 174  <?php else : ?>
 175      <input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Submit for Review') ?>" />
 176  <?php endif; ?>

This is linked with line 69 of /wp-admin/includes/post.php which
processes the post status and sets it to pending based on user
capabilities:

 69          if ('publish' == $_POST['post_status'] && !current_user_can( 'edit_published_posts' ))
 70              $_POST['post_status'] = 'pending';
 71      }

As far as I can tell, there is no reason why the processing check
should use the "edit_published_posts" role rather than the
publish_posts role, especially considering that the publish_posts role
was the one originally used to determine the text on the button. In
the case of our site, or any where authors need help initially editing
their posts but are trusted to make changes once the post is approved
(and thus have edit_published_posts but not publish_posts), this
results in people seeing the text "submit for review" but actually
having their posts published to the blog, which of course can have
terrible results.

Any reason why this is this way? Seems like it should be fast-tracked
into core and anyone using this functionality should probably patch it
for themselves.

NOTE: the edit_published_posts role I think is only available to
authors through the role manager plugin, so if you aren't using it you
probably aren't at risk. I think that's why this wasn't noticed when
it was first implemented; for most installs publish_posts and
edit_published_posts are available/unavailable to the same group
categories.

Thanks,

Jeremy Clarke
tech, GlobalVoicesOnline.org
jer [at] simianuprising.com
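The mismatch Jeremy describes, as an added illustration (not WordPress core code): current_user_can() is replaced by a stand-in backed by a constructed capability map, and the role named 'reviewed_author' is a hypothetical stand-in for the role-manager case where edit_published_posts is granted but publish_posts is not. The script runs the label check and the status check side by side for each role, once with the capability the post reports and once with the capability the button label already uses.

```php
<?php
// Added illustration, not WordPress code: a stand-in for current_user_can()
// backed by a constructed capability map, to show why the button label and
// the status processing must test the same capability.

// Constructed roles. 'reviewed_author' is hypothetical: the role-manager
// case from the post (edit_published_posts granted, publish_posts withheld).
$caps = [
    'contributor'     => ['edit_posts'],
    'editor'          => ['edit_posts', 'publish_posts', 'edit_published_posts'],
    'reviewed_author' => ['edit_posts', 'edit_published_posts'],
];

// Stand-in for current_user_can(): true if the role holds the capability.
function user_can(array $caps, string $role, string $cap): bool {
    return in_array($cap, $caps[$role] ?? [], true);
}

// Mirrors edit-form-advanced.php line 172: which button text the user sees.
function button_label(array $caps, string $role): string {
    return user_can($caps, $role, 'publish_posts') ? 'Publish' : 'Submit for Review';
}

// Mirrors wp-admin/includes/post.php line 69: what happens to a 'publish'
// submission, parameterised on the capability that is checked.
function resulting_status(array $caps, string $role, string $checked_cap): string {
    $status = 'publish';
    if ('publish' == $status && !user_can($caps, $role, $checked_cap)) {
        $status = 'pending';
    }
    return $status;
}

foreach (array_keys($caps) as $role) {
    $label = button_label($caps, $role);
    $buggy = resulting_status($caps, $role, 'edit_published_posts'); // check as quoted in the post
    $fixed = resulting_status($caps, $role, 'publish_posts');        // same capability as the label
    $warn  = ($label === 'Submit for Review' && $buggy === 'publish')
           ? '  <-- label promises review, post goes live' : '';
    printf("%-16s label=%-17s buggy=%-8s fixed=%-8s%s\n",
           $role, $label, $buggy, $fixed, $warn);
}
```

Only the 'reviewed_author' row is flagged: it sees "Submit for Review" yet its post ends up 'publish' under the edit_published_posts check, while checking publish_posts in both places yields 'pending' and keeps the label honest.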

