[wp-hackers] "Submit for review" checks wrong role

Callum Macdonald lists.automattic.com at callum-macdonald.com
Tue Nov 6 17:29:56 GMT 2007


I agree, it looks like it's a bug. I'd suggest submitting a patch to 
trac, it'll probably get implemented pretty quickly.

Cheers - Callum.

PS> Give me a shout if you need any help submitting the ticket / patch to trac.

Jeremy Clarke wrote:
> [apologies if this is a double post, having problems with list]
>
> Hey guys, this seems like a bug to me, but might be by design:
>
> It has to do with the new post submission feature where users who
> can't publish their own posts can submit them for review rather than
> just saving them as draft and informing the site admin that they want
> it published.
>
> In /wp-admin/edit-form-advanced.php on line 172 the logic checks to
> see if a user has the publish_posts capability/role and if they do
> not, it labels the "publish" button as "submit for review" instead.
>
>  172  <?php if ( current_user_can('publish_posts') ) : ?>
>  173      <input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Publish') ?>" />
>  174  <?php else : ?>
>  175      <input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Submit for Review') ?>" />
>  176  <?php endif; ?>
>
> This is linked with line 69 of /wp-admin/includes/post.php which
> processes the post status and sets it to pending based on user
> capabilities:
>
>  69          if ('publish' == $_POST['post_status'] && !current_user_can( 'edit_published_posts' ))
>  70              $_POST['post_status'] = 'pending';
>  71      }
>
> As far as I can tell, there is no reason why the processing check
> should use the "edit_published_posts" role rather than the
> publish_posts role, especially considering that the publish_posts role
> was the one originally used to determine the text on the button. In
> the case of our site, or any where authors need help initially editing
> their posts but are trusted to make changes once the post is approved
> (and thus have edit_published_posts but not publish_posts), this
> results in people seeing the text "submit for review" but actually
> having their posts published to the blog, which of course can have
> terrible results.
>
> Any reason why this is this way? Seems like it should be fast-tracked
> into core and anyone using this functionality should probably patch it
> for themselves.
>
> NOTE: the edit_published_posts role, I think, is only available to
> authors through the role manager plugin, so if you aren't using it you
> probably aren't at risk. I think that's why this wasn't noticed when
> it was first implemented; for most installs publish_posts and
> edit_published_posts are available/unavailable to the same group
> categories.
>
> Thanks,
>
> Jeremy Clarke
> tech, GlobalVoicesOnline.org
> jer [at] simianuprising.com
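As an added illustration (not code from this thread or from WordPress core), the following standalone PHP models the two checks Jeremy quotes: the button-label logic from edit-form-advanced.php and the status-processing logic from wp-admin/includes/post.php, first with the capability as quoted and then with the same capability the button uses. The capability array, `user_can()`, `button_label()` and `resolve_status()` are stand-ins assumed for the demo, not WordPress functions.

```php
<?php
// Added example, not WordPress core: replaces WP_User / current_user_can()
// with a plain capability array so the mismatch can be run in isolation.

// Assumed author who can edit published posts but cannot publish
// (the role-manager setup described in the thread).
$author_caps = ['edit_posts' => true, 'edit_published_posts' => true];

// Stand-in for current_user_can(): true only if the capability is granted.
function user_can(array $caps, string $cap): bool
{
    return !empty($caps[$cap]);
}

// Mirrors the label logic quoted from edit-form-advanced.php (line 172).
function button_label(array $caps): string
{
    return user_can($caps, 'publish_posts') ? 'Publish' : 'Submit for Review';
}

// Mirrors the status logic quoted from post.php (line 69). $cap_checked is the
// capability the check consults: 'edit_published_posts' as quoted, or
// 'publish_posts' so that enforcement matches what the button promised.
function resolve_status(array $caps, string $requested, string $cap_checked): string
{
    if ('publish' == $requested && !user_can($caps, $cap_checked)) {
        return 'pending';
    }
    return $requested;
}

// The form submits post_status=publish regardless of which label was shown,
// so the server-side check is the only thing standing between the two.
$label = button_label($author_caps);
$quoted = resolve_status($author_caps, 'publish', 'edit_published_posts');
$fixed  = resolve_status($author_caps, 'publish', 'publish_posts');

printf("Button shows:               %s\n", $label);
printf("Status with quoted check:   %s\n", $quoted);
printf("Status with matching check: %s\n", $fixed);

// Consistency rule: a post must only go live when the button said "Publish".
if (($label === 'Publish') !== ($fixed === 'publish')) {
    throw new RuntimeException('UI label and enforced status disagree');
}
```

With the quoted check the author's post resolves to `publish` even though the button read "Submit for Review"; with the matching check it resolves to `pending`, and the consistency rule passes.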
