[wp-trac] [WordPress Trac] #27452: Contributors can publish privately
WordPress Trac
noreply at wordpress.org
Fri Mar 21 09:57:11 UTC 2014
#27452: Contributors can publish privately
-------------------------------+------------------------------
Reporter: plocha | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Posts, Post Types | Version: 3.8.1
Severity: normal | Resolution:
Keywords: has-patch | Focuses: ui
-------------------------------+------------------------------
Changes (by bcworkz):
* keywords: needs-patch => has-patch
Comment:
Replying to [comment:1 knutsp]:
> It seems to me that Quick Edit is the place to fix this, if inconsistent.
Exactly! All it takes is adding a "disabled" attribute to the checkbox
element if the user does not have publish_post capability. Then checking
user capability again when the form is submitted.
Replying to [comment:2 plocha]:
> ...we shouldn't only implement the restriction in Quick Edit but also in
> edit processing. The latter should be done in wp_insert_post imho.
No capabilities are ever checked in `wp_insert_post()`. It must be able to
function properly without restriction in order for remote procedure calls
to work. In WordPress, capabilities are always verified at the user
interface level, never at system calls.
We do need to check user capability when the form is submitted, disabling
the form element is not enough, that can be easily circumvented. The first
code to process quick edit submits is `wp_ajax_inline_save()`. The patch
checks user capability here.
Until now, it's not totally clear what steps to take to replicate this
error. Here they are:
* Ensure the Contributor role only has the default capabilities: read,
edit_posts, delete_posts
* Log in as a user with Contributor role and create a post, then submit
for review.
* In the posts list table, open the post just created for quick edit.
* Check the "Private" checkbox and click Update
* The post is now published as a private post and is visible on the main
index page to any logged in editor or administrator.
After applying the patch, contributors can see the private condition but
cannot change it.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27452#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
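The two-layer fix the comment describes (disable the checkbox in the Quick Edit form, then re-check the capability when the form is submitted), as an added illustration that is not the ticket's patch and not WordPress core code. It assumes the Quick Edit form submits the fields `keep_private` and `_status`; the `example_` function names and the status fallback rule for non-publishers are hypothetical.

```php
<?php
// Illustrative only: not the patch attached to #27452 and not core code.

/**
 * UI layer: render the "Private" checkbox, disabled for users who lack the
 * post type's publish capability (publish_posts for the built-in post type).
 * The existing private state is still shown, so the user can see but not
 * change it. Assumes WP's current_user_can(), disabled() and checked().
 */
function example_private_checkbox( WP_Post $post ) {
    $ptype = get_post_type_object( $post->post_type );
    $can_publish = current_user_can( $ptype->cap->publish_posts );
    echo '<input type="checkbox" name="keep_private" value="private"'
        . checked( 'private', $post->post_status, false )
        . disabled( ! $can_publish, true, false ) . ' />';
}

/**
 * Server layer: decide the post status for a Quick Edit submission.
 * A disabled checkbox is trivial to re-enable in the browser, so the same
 * capability is checked again here, before wp_insert_post() is reached.
 * Intended to be called from the AJAX handler after its nonce and
 * edit_post checks, with the submitted form data (hypothetical placement).
 */
function example_resolve_quick_edit_status( array $data, WP_Post $post ) {
    $ptype         = get_post_type_object( $post->post_type );
    $can_publish   = current_user_can( $ptype->cap->publish_posts );
    $wants_private = isset( $data['keep_private'] ) && 'private' === $data['keep_private'];
    $requested     = isset( $data['_status'] ) ? $data['_status'] : $post->post_status;

    if ( $can_publish ) {
        return $wants_private ? 'private' : $requested;
    }

    // Without publish_posts the checkbox value is ignored entirely: a post
    // that is already private stays private, any other post cannot become
    // private, and only non-published statuses are accepted (assumed rule).
    if ( 'private' === $post->post_status ) {
        return 'private';
    }
    return in_array( $requested, array( 'draft', 'pending' ), true ) ? $requested : 'pending';
}
```

With this in place a contributor who re-enables the checkbox client-side still ends up with a pending post, which matches the reproduction steps' expected outcome.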