[wp-trac] [WordPress Trac] #37917: Users without the edit_private_posts capability can still create private posts

WordPress Trac noreply at wordpress.org
Sun Sep 4 11:56:11 UTC 2016


#37917: Users without the edit_private_posts capability can still create private
posts
-------------------------------+------------------------------
 Reporter:  ryan.kanner        |       Owner:
     Type:  defect (bug)       |      Status:  new
 Priority:  normal             |   Milestone:  Awaiting Review
Component:  Posts, Post Types  |     Version:  trunk
 Severity:  normal             |  Resolution:
 Keywords:                     |     Focuses:  administration
-------------------------------+------------------------------

Comment (by akibjorklund):

 Hi @ryan.kanner, welcome to the WordPress Trac! Thanks for your report and
 for taking the time to create a patch.

 While your assumption is indeed very reasonable, I think this is at least
 partly intended behavior. It is just unintuitive and does not allow fine
 grained enough control. That is, if I'm understanding things right after
 doing some research on the subject.

 Users, who have the capability to `publish_posts`, but do not have
 `edit_published_posts`, can publish posts. They just can't edit them
 afterwards without the capability. Similarly, it makes sense that users
 cannot edit private posts afterwards without `edit_private_posts`. But
 alas, there is no separate `make_posts_private` (the equivalent to
 `publish_posts` for private posts).

 When trying to publish or make posts private without `publish_posts` their
 status status is set to `pending` in `wp-admin/includes/post.php`. XML-RPC
 does it's own similar validation, but throws an error. [https://github.com
 /WP-API/WP-API/blob/develop/lib/endpoints/class-wp-rest-posts-
 controller.php#L880 REST API too requires `publish_posts`] for private
 status.

 So the `publish_posts` capability is used instead to also cover cases
 where status is changing to `private`. It makes sense, because if this
 capability is missing, none of the visibility choices would appear. For
 more fine-grained control, a new capability would have to be introduced.
 And that would have to be enforced in many more places than on the UI
 level. XML-RPC and REST API included.

 I'm not totally convinced it makes sense to tie `publish_posts` with
 making posts `private`, but that is how it works and it is would probably
 be very hard to change. So if we were to introduce `make_posts_private`,
 then that would have to depend on `publish_posts`.

 I think the next step would be to hear some arguments why such new
 capability would need to exist, other than just for completeness (which
 would be a valid reason to me). What are the use cases for this? What sort
 of harm is done if people with `publish_posts` can also set status to
 `private`? If there is not much harm and the thinking behind the tickets
 is just to prevent users accidentally setting posts to private, creating a
 plugin that hides the options with CSS based on for example a custom
 capability or a user role would do just fine. (It is another issue
 altogether, but personally I think private posts don't have much use, so
 they mostly just clutter the UI.)

--
Ticket URL: <https://core.trac.wordpress.org/ticket/37917#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list