[wp-trac] [WordPress Trac] #24280: Privilege check in mt_publishPost

WordPress Trac noreply at wordpress.org
Tue May 12 23:52:30 UTC 2015


#24280: Privilege check in mt_publishPost
--------------------------+------------------------
 Reporter:  fgauthier     |       Owner:  chriscct7
     Type:  defect (bug)  |      Status:  accepted
 Priority:  normal        |   Milestone:  4.3
Component:  XML-RPC       |     Version:  3.0
 Severity:  normal        |  Resolution:
 Keywords:  close         |     Focuses:
--------------------------+------------------------
Changes (by johnbillion):

 * keywords:  has-patch needs-testing => close


Comment:

 [attachment:24280.patch] has the opposite of the intended effect. It
 allows someone with ''either'' the `edit_posts` or `publish_posts` cap to
 publish a post.

 Replying to [comment:2 fgauthier]:
 > In fact, I meant functions like blogger_newPost($args) and
 > mw_newPost($args) that do not check the edit_post privilege when the
 > status of the new post is set to 'publish'.

 `blogger_newPost()` and `blogger_newPost()` both check the `edit_posts`
 cap too. Those functions, along with `mt_publishPost()`, all look correct
 to me. In order to publish a post, you also need the ability to edit that
 post.

 I think this ticket is invalid.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/24280#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

