[wp-hackers] "Submit for review" checks wrong role

Kimmo Suominen kimmo at global-wire.fi
Wed Nov 7 09:54:50 GMT 2007


Wasn't the edit_published_posts capability the one to allow or
disallow authors to edit their published posts?  I.e. when the
submitted post is reviewed and published, can the author make
changes or do the changes need to go through review again.

Best regards,
+ Kimmo
-- 
<A HREF="http://kimmo.suominen.com/">Kimmo Suominen</A>


On Tue, Nov 06, 2007 at 12:29:56PM -0500, Callum Macdonald wrote:
> I agree, it looks like it's a bug. I'd suggest submitting a patch to 
> trac, it'll probably get implemented pretty quickly.
> 
> Cheers - Callum.
> 
> PS> Give me a shout if you need any help submitting the ticket / patch to trac.
> 
> Jeremy Clarke wrote:
> >[apologies if this is a double post, having problems with list]
> >
> >Hey guys, this seems like a bug to me, but might be by design:
> >
> >It has to do with the new post submission feature where users who
> >can't publish their own posts can submit them for review rather than
> >just saving them as draft and informing the site admin that they want
> >it published.
> >
> >In /wp-admin/edit-form-advanced.php on line 172 the logic checks to
> >see if a user has the publish_posts capability/role and if they do
> >not, it labels the "publish" button as "submit for review" instead.
> >
> > 172  <?php if ( current_user_can('publish_posts') ) : ?>
> > 173      <input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Publish') ?>" />
> > 174  <?php else : ?>
> > 175      <input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Submit for Review') ?>" />
> > 176  <?php endif; ?>
> >
> >This is linked with line 69 of /wp-admin/includes/post.php which
> >processes the post status and sets it to pending based on user
> >capabilities:
> >
> > 69          if ('publish' == $_POST['post_status'] && !current_user_can( 'edit_published_posts' ))
> > 70              $_POST['post_status'] = 'pending';
> > 71      }
> >
> >As far as I can tell, there is no reason why the processing check
> >should use the "edit_published_posts" role rather than the
> >publish_posts role, especially considering that the publish_posts role
> >was the one originally used to determine the text on the button. In
> >the case of our site, or any where authors need help initially editing
> >their posts but are trusted to make changes once the post is approved
> >(and thus have edit_published_posts but not publish_posts), this
> >results in people seeing the text "submit for review" but actually
> >having their posts published to the blog, which of course can have
> >terrible results.
> >
> >Any reason why this is this way? Seems like it should be fast-tracked
> >into core and anyone using this functionality should probably patch it
> >for themselves.
> >
> >NOTE: the edit_published_posts role I think is only available to
> >authors through the role manager plugin, so if you aren't using it you
> >probably aren't at risk. I think that's why this wasn't noticed when
> >it was first implemented (for most installs publish_posts and
> >edit_published_posts are available/unavailable to the same group
> >categories).
> >
> >Thanks,
> >
> >Jeremy Clarke
> >tech, GlobalVoicesOnline.org
> >jer [at] simianuprising.com
> >_______________________________________________
> >wp-hackers mailing list
> >wp-hackers at lists.automattic.com
> >http://lists.automattic.com/mailman/listinfo/wp-hackers
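A small added simulation of the two checks Jeremy quotes (this is illustrative code, not WordPress core and not from the thread): a button-label function keyed on publish_posts, as on line 172, and a status function keyed on a configurable capability, as on line 69. The role configurations are constructed; running it lists the configuration where the label promises a review but the post is published, and shows that keying the status check on publish_posts leaves no mismatch.

```php
<?php
// Added example, not WordPress code: reproduce the label/status mismatch
// reported in the thread without a WordPress install.

// Button label logic, as in edit-form-advanced.php line 172.
function submit_button_label(array $caps): string
{
    return in_array('publish_posts', $caps, true) ? 'Publish' : 'Submit for Review';
}

// Status processing, as in wp-admin/includes/post.php line 69.
// $gate_cap is the capability the check consults: 'edit_published_posts'
// (the behaviour reported in the thread) or 'publish_posts' (the suggested fix).
function resolve_post_status(string $requested, array $caps, string $gate_cap): string
{
    if ('publish' === $requested && !in_array($gate_cap, $caps, true)) {
        return 'pending';
    }
    return $requested;
}

// Returns every constructed role configuration where what the button says
// and what actually happens to the post disagree.
function find_mismatches(string $gate_cap): array
{
    // Constructed configurations; the last one is the role-manager setup
    // described in the thread (trusted to edit, not trusted to publish).
    $configs = [
        'contributor'           => [],
        'author'                => ['publish_posts', 'edit_published_posts'],
        'publisher-only'        => ['publish_posts'],
        'reviewed-then-trusted' => ['edit_published_posts'],
    ];
    $mismatches = [];
    foreach ($configs as $name => $caps) {
        $label  = submit_button_label($caps);
        $status = resolve_post_status('publish', $caps, $gate_cap);
        $promisesReview = ($label === 'Submit for Review');
        $wentToReview   = ($status === 'pending');
        if ($promisesReview !== $wentToReview) {
            $mismatches[$name] = ['label' => $label, 'status' => $status];
        }
    }
    return $mismatches;
}

echo "Check keyed on edit_published_posts (reported):\n";
print_r(find_mismatches('edit_published_posts'));
echo "Check keyed on publish_posts (suggested fix):\n";
print_r(find_mismatches('publish_posts'));
```

The lesson for any capability-gated action is the same as the thread's: the server-side status decision and the UI label must consult the same capability, and the server-side one is the only check that counts.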

