[wp-trac] Re: [WordPress Trac] #7070: users with 'edit_published_posts' can't edit posts without unpublishing them.

WordPress Trac wp-trac at lists.automattic.com
Mon Jun 2 20:27:24 GMT 2008


#7070: users with 'edit_published_posts' can't edit posts without unpublishing
them.
--------------------------+-------------------------------------------------
 Reporter:  jeremyclarke  |        Owner:  jeremyclarke
     Type:  defect        |       Status:  new         
 Priority:  high          |    Milestone:  2.5.2       
Component:  General       |      Version:  2.5.1       
 Severity:  major         |   Resolution:              
 Keywords:  has-patch,    |  
--------------------------+-------------------------------------------------
Comment (by jeremyclarke):

 Okay, so the jun2 patch for trunk fixes the problem above. The
 edit-form-advanced.php part is the same, but I added to the
 wp-admin/includes/post.php part.

 In the _wp_translate_postdata() function, where the permissions checking
 for post publishing/pending status is done while screening the other
 $_POST values, it receives both requests to PUBLISH and to SUBMIT FOR
 APPROVAL as

 {{{
  $_POST['post_status'] = 'publish'
 }}}

 Personally, I would expect pending submissions to be submitted to _POST
 with their own status (i.e. 'pending'), but as of now it just claims to
 want to be published. What _wp_translate_postdata() does is switch that
 'publish' status to 'pending' IF the person submitting doesn't have the
 right permissions.

 This wasn't serving the 'edit_published_posts' capability very well
 because it was only checking if the NEW status (in $_POST) was 'publish'
 and switching it to 'pending' if the user didn't have the 'publish_posts'
 capability.

 Instead what needs to happen is another layer of checking, where even if
 the person can't publish posts but is asking to publish, it checks to make
 sure the old status wasn't already 'publish' (i.e. that it isn't a
 previously published post) and if it WAS already published, and the person
 is allowed to 'edit_published_posts' then it leaves the status as
 'published' rather than switching it to pending.


 {{{

 $previous_status = get_post_field('post_status',  $_POST['ID']);

 if ( 'publish' == $_POST['post_status'] && !current_user_can( 'publish_posts' ) ) :
         // Stop attempts to publish new posts, but allow already published posts to be saved if appropriate.
         if ( $previous_status != 'publish' OR !current_user_can( 'edit_published_posts') )
                 $_POST['post_status'] = 'pending';
 endif;

 }}}


 I think that it's pretty solid and should be implemented ASAP. I will make
 a 2.5 patch of these changes soon.

 For the record: The edit-page-form.php file is completely screwed up in
 the way it handles the status dropdown menu if someone has edit_pages but
 not 'publish_pages', it marks things as private when you ask to publish
 and then tells you it was published, I'm pretty sure that there was just never
 anyone who tried giving that privilege combination, but it's worth taking
 a look at. The changes in this patch won't fix the problems with pages
 until that is sorted out, I might do it eventually, but post permissions
 is my priority atm.

 Feedback very welcome, I'd love to hear from a core dev.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/7070#comment:2>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
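
The status decision described in the comment above, modelled as a stand-alone script (an added example, not code from the ticket or from WordPress). The functions resolve_status_old() and resolve_status_new() and the $caps array are hypothetical stand-ins for the check in _wp_translate_postdata() and for current_user_can(); $previous stands for the status stored for the post, as read by get_post_field() in the comment, not a value taken from the request.

```php
<?php
// Stand-alone model of the status check; no WordPress code is loaded.
// Function names and the $caps array are assumptions made for this example.

function resolve_status_old(string $requested, string $previous, array $caps): string {
    // Behaviour described as the problem: only the NEW status is inspected.
    if ($requested === 'publish' && !in_array('publish_posts', $caps, true)) {
        return 'pending';
    }
    return $requested;
}

function resolve_status_new(string $requested, string $previous, array $caps): string {
    if ($requested === 'publish' && !in_array('publish_posts', $caps, true)) {
        // Keep 'publish' only when the post was already published AND the
        // user holds edit_published_posts; everything else is downgraded.
        if ($previous !== 'publish' || !in_array('edit_published_posts', $caps, true)) {
            return 'pending';
        }
    }
    return $requested;
}

// Constructed test matrix: [label, stored status, capabilities, expected].
$cases = [
    ['editor of live posts saves a live post', 'publish', ['edit_published_posts'], 'publish'],
    ['same user tries to publish a draft',     'draft',   ['edit_published_posts'], 'pending'],
    ['no relevant capability, live post',      'publish', [],                       'pending'],
    ['full publisher publishes a draft',       'draft',   ['publish_posts'],        'publish'],
];

$failures = 0;
foreach ($cases as [$label, $previous, $caps, $expected]) {
    // Every request arrives as 'publish', as the comment describes.
    $old = resolve_status_old('publish', $previous, $caps);
    $new = resolve_status_new('publish', $previous, $caps);
    if ($new !== $expected) {
        $failures++;
    }
    printf("%-42s old=%-8s new=%-8s expected=%s\n", $label, $old, $new, $expected);
}
exit($failures === 0 ? 0 : 1);
```

The second row is the case to keep under regression test: holding 'edit_published_posts' alone must not turn a draft into a published post.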

