[wp-trac] [WordPress Trac] #7070: users with 'edit_published_posts' can't edit posts without unpublishing them.

WordPress Trac wp-trac at lists.automattic.com
Fri May 30 22:36:55 GMT 2008


#7070: users with 'edit_published_posts' can't edit posts without unpublishing
them.
--------------------------+-------------------------------------------------
 Reporter:  jeremyclarke  |       Owner:  jeremyclarke
     Type:  defect        |      Status:  new         
 Priority:  high          |   Milestone:  2.5.2       
Component:  General       |     Version:  2.5.1       
 Severity:  major         |    Keywords:  has-patch   
--------------------------+-------------------------------------------------
 Right now the save box display and post edit processing functions don't
 take into account the existence of the 'edit_published_posts' capability
 (since 2.5).

 Effectively both bits of code only check for the 'publish_posts'
 capability and deny publishing rights (hiding it from the pulldown menu
 and changing the status during processing to pending) if the user doesn't
 have it.

 The problem is that users with 'edit_published_posts' (the ability to edit
 your own posts once they have been published, seperate from
 'publish_posts' and 'edit_others_posts'), are only given the option of
 'pending' when they edit their posts. This is not only frustrating, but
 because the screen only shows the 'save' button, it means that loading
 your article, making a change, and saving (without looking at the status
 dropdown) results in unpublishing your article, which you are unlikely to
 even notice potentially forever.

 The solution is to not only check for


 {{{
 current_user_can('publish_posts')
 }}}


 but also for


 {{{
 current_user_can('edit_post', $post->ID)
 }}}


 which automatically checks whether a user is allowed to edit a post based
 on whether they are the author, it is published etc. That way users with
 the 'edit_published_posts' capability are able to use it in those
 situations where it's appropriate.

 The code is affected in two places:

 1) wp-admin/edit-form-advanced.php ~line 94 (which controls whether the
 'published' item displays in the status dropdown menu)


 {{{
 <?php if ( current_user_can('publish_posts') ) :?>
 }}}


 becomes


 {{{
 if ( current_user_can('publish_posts') OR ( $post->post_status ==
 'publish' AND current_user_can('edit_post', $post->ID)) ) :
 }}}



 2) wp-admin/includes/post.php ~line   64  (which controls whether the
 post_status in $_POST is shunted from publish down to 'pending')


 {{{
 if ( 'publish' == $_POST['post_status'] && !current_user_can(
 'publish_posts' ) )
 }}}


 becomes


 {{{
 if ('publish' == $_POST['post_status'] && !current_user_can(
 'publish_posts' ) && !current_user_can( 'edit_post', $_POST['ID'] ))
 }}}


 That way users can 1) choose the publish option when they edit their
 published posts (and it's selected by default) and 2) the posts aren't
 downgraded while being processed after saving (otherwise the post is
 silently unpublished!).

 In 2.6 the second part is in a function called _wp_translate_postdata(),
 whereas in <2.6 its in edit_post(). My personal impression is that if the
 permissions check is going to be moved out of edit_posts it should live in
 wp_insert_post(), which gets called at the same times as
 _wp_translate_postdata() but contains other similar processing (unlike
 _wp_translate_postdata() who's main purpose is validation and cleaning of
 the raw $_POST contents). Ryan Boren said that you want to keep capability
 conditions out of the api, not sure what that means, but figured I'd float
 another idea anyway. The changes will work in their current positions
 either way (the 2.6 patch is for the current location in
 _wp_translate_postdata()).

 I tried to fix the same thing for PAGES but in 2.6 the capability checks
 for pages didn't seem to be working at all (before i changed anything
 anyone could publish pages). i think fixing posts is more urgent either
 way, please let me konw if you want help fixing the pages as well (though
 the exact same changes but with 'edit_page' should work in wp-
 admin/includes/post.php a few lines above and in wp-admin/edit-page-
 form.php).

-- 
Ticket URL: <http://trac.wordpress.org/ticket/7070>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software


More information about the wp-trac mailing list