[wp-trac] [WordPress Trac] #17668: wp_post_revision_title capabilities

WordPress Trac wp-trac at lists.automattic.com
Tue Jun 7 06:18:27 UTC 2011


#17668: wp_post_revision_title capabilities
--------------------------+------------------
 Reporter:  ejdanderson   |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  3.2
Component:  Revisions     |     Version:  3.2
 Severity:  minor         |  Resolution:
 Keywords:  2nd-opinion   |
--------------------------+------------------
Changes (by aaroncampbell):

 * keywords:  has-patch => 2nd-opinion


Comment:

 The issue is deeper than just `get_edit_post_link`.  The truth is that you
 can edit a revision even if you don't have the rights to edit its parent.
 If we're wanting to change this it's not going to be a simple fix like
 what's proposed here.  It even looks like there are some places that are
 using 'edit_post' instead of post_type->cap->edit_post.  It looks like the
 code would look like this:
 {{{
 // Revisions are stored with post_type 'revision', so the capability has to be
 // resolved against the parent post and the parent's post type, not the
 // revision itself.
 if ( 'revision' == $post->post_type ) {
         $post_cap_id = $post->post_parent;
         $parent_post = get_post( $post_cap_id );
         if ( !$parent_post )
                 return;
         $post_type_object = get_post_type_object( $parent_post->post_type );
 } else {
         $post_cap_id = $post->ID;
         $post_type_object = get_post_type_object( $post->post_type );
 }
 if ( !$post_type_object )
         return;

 // Use the post type's mapped capability (e.g. edit_page), not a literal 'edit_post'.
 if ( !current_user_can( $post_type_object->cap->edit_post, $post_cap_id ) )
         return;
 }}}

 But it looks like we would need this in quite a few places.  Grepping
 around for a few minutes turned up these:
 * get_edit_post_link()
 * wp_post_revision_title() - Here we could check the return of
 get_edit_post_link
 * get_inline_data()
 * post_preview() - looks like it might use 'edit_post' incorrectly
 * edit_post()
 * _wp_translate_postdata() - looks like it might use 'edit_post'
 incorrectly
 * WP_Posts_List_Table::single_row()
 * WP_Posts_List_Table::ajax_user_can() - This seems to JUST check the
 current $post_type_object so we don't really have a parent to check if
 it's revision
 * wp-admin/revision.php?action=restore - looks like it might use
 'edit_post' incorrectly
 * wp-admin/post.php?action=edit

 Obviously some of these might have checks prior to what I was looking at
 (and it's been a really long day, so I'm going a bit cross-eyed), but the
 rabbit hole seems to be deeper than it looked.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/17668#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
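The following is an added, stand-alone illustration of the parent-resolving check sketched in the comment above. It is example code written for this page, not WordPress core and not the ticket's patch: get_post(), get_post_type_object() and current_user_can() are replaced by simplified in-memory stand-ins (example_get_post, example_get_post_type_object, example_user_can), and the posts, post types, users and capabilities are constructed sample data. It contrasts the shortcut the comment warns about (a literal 'edit_post' checked against the revision's own ID) with the check that resolves the revision's parent and uses the parent post type's cap->edit_post.

```php
<?php
// Added example, not WordPress core code. Models the revision capability
// check from the ticket comment with an in-memory post store so it runs
// under the PHP CLI without WordPress. All helpers below are simplified
// stand-ins; all data is constructed for the example.

// Constructed posts: post 10 is a 'page'; post 11 is a revision whose
// post_parent is 10. A revision's own post_type ('revision') says nothing
// about which capability editing its parent actually requires.
$posts = [
    10 => (object) [ 'ID' => 10, 'post_type' => 'page',     'post_parent' => 0  ],
    11 => (object) [ 'ID' => 11, 'post_type' => 'revision', 'post_parent' => 10 ],
];

// Stand-in for get_post_type_object(): only cap->edit_post matters here.
// Pages map edit_post to 'edit_page'; the built-in revision type maps it
// to the generic 'edit_post'.
$post_types = [
    'page'     => (object) [ 'cap' => (object) [ 'edit_post' => 'edit_page' ] ],
    'post'     => (object) [ 'cap' => (object) [ 'edit_post' => 'edit_post' ] ],
    'revision' => (object) [ 'cap' => (object) [ 'edit_post' => 'edit_post' ] ],
];

// Constructed users: the contributor may edit posts but not pages.
$users = [
    'contributor' => [ 'edit_post' => true, 'edit_page' => false ],
    'editor'      => [ 'edit_post' => true, 'edit_page' => true  ],
];

function example_get_post( $id ) {
    global $posts;
    return isset( $posts[ $id ] ) ? $posts[ $id ] : null;
}

function example_get_post_type_object( $type ) {
    global $post_types;
    return isset( $post_types[ $type ] ) ? $post_types[ $type ] : null;
}

// Simplified current_user_can( $cap, $post_id ): a direct capability lookup,
// ignoring WordPress's map_meta_cap() author/status handling.
function example_user_can( $user, $cap, $post_id ) {
    global $users;
    return ! empty( $users[ $user ][ $cap ] );
}

// The shortcut the comment warns about: a literal 'edit_post' checked
// against the revision's own ID. For a revision of a page this asks the
// wrong capability ('edit_post' instead of 'edit_page') about the wrong object.
function naive_can_edit( $user, $post_id ) {
    $post = example_get_post( $post_id );
    if ( ! $post ) {
        return false;
    }
    return example_user_can( $user, 'edit_post', $post->ID );
}

// The check the comment sketches: for a revision, resolve the parent and
// use the parent post type's mapped capability against the parent's ID.
function parent_aware_can_edit( $user, $post_id ) {
    $post = example_get_post( $post_id );
    if ( ! $post ) {
        return false;
    }
    if ( 'revision' == $post->post_type ) {
        $post_cap_id = $post->post_parent;
        $parent_post = example_get_post( $post_cap_id );
        if ( ! $parent_post ) {
            return false;
        }
        $post_type_object = example_get_post_type_object( $parent_post->post_type );
    } else {
        $post_cap_id      = $post->ID;
        $post_type_object = example_get_post_type_object( $post->post_type );
    }
    if ( ! $post_type_object ) {
        return false;
    }
    return example_user_can( $user, $post_type_object->cap->edit_post, $post_cap_id );
}

foreach ( [ 'contributor', 'editor' ] as $user ) {
    printf(
        "%-11s revision 11 of page 10: naive=%s parent-aware=%s\n",
        $user,
        naive_can_edit( $user, 11 ) ? 'allowed' : 'denied',
        parent_aware_can_edit( $user, 11 ) ? 'allowed' : 'denied'
    );
}
```

Run it with `php example.php`. The contributor, who cannot edit pages, passes the naive check on the page's revision but fails the parent-aware one; the editor passes both. That difference is the gap the comment describes for every call site that checks 'edit_post' against a revision ID instead of resolving the parent.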