[wp-trac] [WordPress Trac] #5727: Post gets published even though user can't publish_posts

WordPress Trac wp-trac at lists.automattic.com
Mon Jan 28 19:11:58 GMT 2008


#5727: Post gets published even though user can't publish_posts
----------------------------+-----------------------------------------------
 Reporter:  SimonK          |       Owner:  anonymous                                          
     Type:  defect          |      Status:  new                                                
 Priority:  normal          |   Milestone:  2.6                                                
Component:  Administration  |     Version:  2.3.2                                              
 Severity:  normal          |    Keywords:  capabilities edit_published_posts publish_posts bug
----------------------------+-----------------------------------------------
 When users don't have the "publish_posts" capability, but DO have the
 "edit_published_posts" capability, they can publish posts directly. This
 happens when they press "Submit for Review" AFTER the post has been saved
 (either manually or autosave). I've located the bug in
 /wp-admin/includes/post.php, and fixed it (temporarily) by adding the
 following code after line 71.

 {{{
 // START fix
 // Downgrade a requested 'publish' to 'pending' unless the user may publish.
 if ( 'publish' == $_POST['post_status'] && !current_user_can( 'publish_posts' ) ) {
         $_POST['post_status'] = 'pending';
 }
 // END fix
 }}}

 This is the piece of code that causes the bug (I think..):

 {{{
         } else {
                 // Only edit_published_posts is checked here, not publish_posts.
                 if ( 'publish' == $_POST['post_status'] && !current_user_can( 'edit_published_posts' ) )
                         $_POST['post_status'] = 'pending';
         }
 }}}
 (line 68-71 in /wp-admin/includes/post.php)

 Note: this bug only occurs when using a plugin to change
 roles/capabilities, but that doesn't make it a bug in the plugin I think.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/5727>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
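The two checks the ticket contrasts, side by side, as an added example that is not code from the ticket or from WordPress core. It is plain PHP with no WordPress dependencies: `user_can()` stands in for `current_user_can()` and takes an explicit capability list, the role arrays are constructed for the demonstration, and `resolve_status_buggy()` / `resolve_status_fixed()` are hypothetical names for the status-downgrade logic the reporter quotes and the fix the reporter proposes.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// $caps is the set of capabilities the acting user holds; user_can() is a
// stand-in for WordPress's current_user_can() so this runs offline.

function user_can(array $caps, string $cap): bool
{
    return in_array($cap, $caps, true);
}

// The check as quoted from wp-admin/includes/post.php: a request for
// 'publish' is only downgraded when the user lacks edit_published_posts.
// A user who can edit published posts but cannot publish passes it, which
// is the behaviour the ticket reports.
function resolve_status_buggy(string $requested, array $caps): string
{
    if ('publish' === $requested && !user_can($caps, 'edit_published_posts')) {
        return 'pending';
    }
    return $requested;
}

// The reporter's fix: the decision to publish is gated on the capability
// that actually authorises publishing, publish_posts, regardless of what
// else the user is allowed to edit.
function resolve_status_fixed(string $requested, array $caps): string
{
    if ('publish' === $requested && !user_can($caps, 'publish_posts')) {
        return 'pending';
    }
    return $requested;
}

// Constructed roles for the demonstration (hypothetical, not WordPress
// defaults): one has edit_published_posts without publish_posts, as a
// capability plugin might configure it; the other can publish.
$can_edit_not_publish = ['edit_posts', 'edit_published_posts'];
$can_publish          = ['edit_posts', 'edit_published_posts', 'publish_posts'];

$cases = [
    ['publish', $can_edit_not_publish, 'edit-only user submits with status=publish'],
    ['publish', $can_publish,          'publishing user submits with status=publish'],
    ['draft',   $can_edit_not_publish, 'edit-only user saves a draft'],
];

foreach ($cases as [$requested, $caps, $label]) {
    printf(
        "%-46s buggy=%-8s fixed=%s\n",
        $label,
        resolve_status_buggy($requested, $caps),
        resolve_status_fixed($requested, $caps)
    );
}
```

Run with `php example.php`. The first row is the ticket's scenario: the quoted check lets the request through as `publish`, while the corrected check downgrades it to `pending`. The other two rows show that the fix changes nothing for a user who genuinely holds publish_posts or for a request that never asked to publish. The general point is that the capability tested must be the one that authorises the specific action requested; a related capability such as edit_published_posts is not a substitute.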