[wp-trac] [WordPress Trac] #5727: Post gets published even though
user can't publish_posts
WordPress Trac
wp-trac at lists.automattic.com
Mon Jan 28 19:11:58 GMT 2008
#5727: Post gets published even though user can't publish_posts
----------------------------+-----------------------------------------------
Reporter: SimonK | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.6
Component: Administration | Version: 2.3.2
Severity: normal | Keywords: capabilities edit_published_posts publish_posts bug
----------------------------+-----------------------------------------------
When users don't have the "publish_posts" capability, but DO have the
"edit_published_posts" capability, they can publish posts directly. This
happens when they press "Submit for Review" AFTER the post has been saved
(either manually or autosave). I've located the bug in
/wp-admin/includes/post.php, and fixed it (temporarily) by adding the
following code after line 71.
{{{
// START fix
if ('publish' == $_POST['post_status'] && !current_user_can( 'publish_posts' )) {
    $_POST['post_status'] = 'pending';
}
// END fix
}}}
This is the piece of code that causes the bug (I think..):
{{{
} else {
    if ('publish' == $_POST['post_status'] && !current_user_can( 'edit_published_posts' ))
        $_POST['post_status'] = 'pending';
}
}}}
(lines 68-71 in /wp-admin/includes/post.php)
Note: this bug only occurs when using a plugin to change
roles/capabilities, but that doesn't make it a bug in the plugin I think.
--
Ticket URL: <http://trac.wordpress.org/ticket/5727>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
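
Added example, not part of the original ticket and not WordPress code: a stand-alone model of the quoted status check and of the reporter's extra check, run over a small role matrix to show which combination of capabilities lets 'publish' through. The function names, the role labels and the capability arrays are constructed for illustration; only the quoted branch and the proposed fix are modelled, not the surrounding code in post.php.

```php
<?php
// Stand-alone model of the check discussed in the ticket (hypothetical helper names).

function has_cap(array $caps, string $cap): bool {
    return in_array($cap, $caps, true);
}

// Check as quoted in the ticket: 'publish' is gated on edit_published_posts only.
function resolve_status_reported(string $requested, array $caps): string {
    if ('publish' === $requested && !has_cap($caps, 'edit_published_posts')) {
        return 'pending';
    }
    return $requested;
}

// Quoted check followed by the reporter's fix: 'publish' also needs publish_posts.
function resolve_status_fixed(string $requested, array $caps): string {
    $status = resolve_status_reported($requested, $caps);
    if ('publish' === $status && !has_cap($caps, 'publish_posts')) {
        $status = 'pending';
    }
    return $status;
}

// Invariant a regression test should enforce: no 'publish' without publish_posts.
function violates(string $status, array $caps): bool {
    return 'publish' === $status && !has_cap($caps, 'publish_posts');
}

// Constructed roles; the first is the plugin-defined combination from the report.
$roles = [
    'custom (edit_published_posts only)' => ['edit_posts', 'edit_published_posts'],
    'contributor-like (neither)'         => ['edit_posts'],
    'author-like (both)'                 => ['edit_posts', 'edit_published_posts', 'publish_posts'],
];

foreach ($roles as $name => $caps) {
    foreach (['draft', 'pending', 'publish'] as $requested) {
        $before = resolve_status_reported($requested, $caps);
        $after  = resolve_status_fixed($requested, $caps);
        printf("%-36s req=%-8s before=%-8s%s after=%-8s%s\n",
            $name, $requested,
            $before, violates($before, $caps) ? ' VIOLATION' : '',
            $after,  violates($after, $caps)  ? ' VIOLATION' : '');
    }
}
```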