[wp-trac] [WordPress Trac] #5329: "submit for review" feature checks wrong permission and publishes
WordPress Trac
wp-trac at lists.automattic.com
Thu Nov 8 14:55:08 GMT 2007
#5329: "submit for review" feature checks wrong permission and publishes
----------------------------+-----------------------------------------------
Reporter: jeremyclarke | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.4
Component: Administration | Version: 2.3.1
Severity: normal | Keywords: has-patch
----------------------------+-----------------------------------------------
The bug relates to the new post submission feature where users who can't
publish their own posts can submit them for review rather than just saving
them as a draft and informing the site admin that they want it published.
The worst-case scenario has users clicking on a button that says "submit
for review" but actually publishing the articles to the blog.
In /wp-admin/edit-form-advanced.php on line 172, the logic checks to see if
a user has the publish_posts capability/role and, if they do not, it labels
the "publish" button as "submit for review" instead:
    172 <?php if ( current_user_can('publish_posts') ) : ?>
    173 <input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Publish') ?>" />
    174 <?php else : ?>
    175 <input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Submit for Review') ?>" />
    176 <?php endif; ?>
This is linked with line 69 of /wp-admin/includes/post.php which processes
the post status and sets it to pending based on user capabilities:
    69 if ('publish' == $_POST['post_status'] && !current_user_can( 'edit_published_posts' ))
    70     $_POST['post_status'] = 'pending';
    71 }
As far as I can tell, there is no reason why the processing check should
use the "edit_published_posts" role rather than the publish_posts role,
especially considering that the publish_posts role was the one originally
used to determine the text on the button. In the case of our site, or any
site where authors need help initially editing their posts but are trusted
to make changes once the post is approved (and thus have
edit_published_posts but not publish_posts), this results in people seeing
the text "submit for review" but actually having their posts published to
the blog, which of course can have terrible results.
Any reason why this is this way? Seems like it should be fast-tracked into
core and anyone using this functionality should probably patch it for
themselves.
NOTE: the edit_published_posts role I think is only available to authors
through the role manager plugin, so if you aren't using it you probably
aren't at risk. I think that's why this wasn't noticed when it was first
implemented: for most installs publish_posts and edit_published_posts are
available/unavailable to the same user types.
This is my first patch, so if there's a problem with the diff please let
me know.
--
Ticket URL: <http://trac.wordpress.org/ticket/5329>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
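As an added illustration of the mismatch the ticket describes (example code written for this page, not WordPress core code and not the reporter's patch), the stand-alone PHP script below runs both checks, the button-label check from edit-form-advanced.php and the status check from post.php, against three constructed capability sets, including the reporter's case of a user who holds edit_published_posts but not publish_posts. The user names, the capability arrays and the helper user_has_cap() are assumptions made for the example; user_has_cap() merely stands in for WordPress's current_user_can() so the script runs without WordPress loaded.

```php
<?php
// Added example for ticket #5329, not WordPress core code.
// user_has_cap() is a constructed stand-in for current_user_can():
// it looks a capability up in an explicit array instead of the
// current user's role. The three capability sets are constructed
// for illustration.
$users = [
    // Trusted editor: can publish and can edit published posts.
    'editor'         => ['publish_posts' => true,  'edit_published_posts' => true],
    // Plain author without a role manager: holds neither capability.
    'contributor'    => ['publish_posts' => false, 'edit_published_posts' => false],
    // The reporter's case: may edit approved posts, may not publish.
    'trusted_author' => ['publish_posts' => false, 'edit_published_posts' => true],
];

// Stand-in for current_user_can(): true only if the cap is set and truthy.
function user_has_cap(array $caps, string $cap): bool
{
    return !empty($caps[$cap]);
}

// Mirrors edit-form-advanced.php line 172: the label the user sees.
function button_label(array $caps): string
{
    return user_has_cap($caps, 'publish_posts') ? 'Publish' : 'Submit for Review';
}

// Mirrors post.php line 69 as reported: demotes to 'pending' only when the
// user lacks edit_published_posts, which is a different capability from the
// one that chose the button label.
function resulting_status_as_reported(array $caps, string $requested): string
{
    if ('publish' == $requested && !user_has_cap($caps, 'edit_published_posts')) {
        return 'pending';
    }
    return $requested;
}

// The check the ticket argues for: gate on the same capability as the label,
// so the server-side decision can never disagree with what the form promised.
function resulting_status_consistent(array $caps, string $requested): string
{
    if ('publish' == $requested && !user_has_cap($caps, 'publish_posts')) {
        return 'pending';
    }
    return $requested;
}

// Simulate each user clicking the button, which submits post_status=publish.
foreach ($users as $name => $caps) {
    printf(
        "%-15s button=%-17s reported=%-8s consistent=%s\n",
        $name,
        button_label($caps),
        resulting_status_as_reported($caps, 'publish'),
        resulting_status_consistent($caps, 'publish')
    );
}
```

Run it with `php` on the command line. The trusted_author row is the one the ticket is about: the label says "Submit for Review", the reported check lets the post through as publish, and the consistent check demotes it to pending like the label implied. The editor and contributor rows agree under both checks, which is why installs where the two capabilities always travel together never see the problem.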