[wp-trac] Re: [WordPress Trac] #5727: Post gets published even though user can't publish_posts
WordPress Trac
wp-trac at lists.automattic.com
Mon Mar 3 21:30:22 GMT 2008
#5727: Post gets published even though user can't publish_posts
-----------------------------------------------------------------------------+
Reporter: SimonK | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.5
Component: Administration | Version: 2.3.3
Severity: normal | Resolution:
Keywords: capabilities edit_published_posts publish_posts bug needs-patch |
-----------------------------------------------------------------------------+
Changes (by Otto42):
* version: 2.3.2 => 2.3.3
Comment:
Bringing this up again:
No, this is not a bug in the plugin, the plugin in question is simply the
Role Manager. This is a definite WordPress bug.
To reproduce:
1. Make a user who can edit_published_posts but not publish_posts himself.
As these are separate capabilities, it's possible to create a user this
way.
2. Create a new post.
3. Save it as draft.
4. Submit it for review.
Result: it publishes instead of going to pending.
Desired result: As the user does not have publish_posts, it should not
publish.
Fix:
Change this:
`if ('publish' == $_POST['post_status'] && !current_user_can(
'edit_published_posts' ))
$_POST['post_status'] = 'pending';`
to this:
`if ('publish' == $_POST['post_status'] && !current_user_can(
'edit_published_posts' ) && !current_user_can( 'publish_posts' ))
$_POST['post_status'] = 'pending';`
Same with pages just above that.
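Review bot: in the proposed condition the new `!current_user_can( 'publish_posts' )` test is joined with `&&`, so for the user in the reproduction steps (has edit_published_posts, lacks publish_posts) the existing `!current_user_can( 'edit_published_posts' )` test is already false and the status still stays 'publish'. Adding a conjunct can only narrow the set of cases that get demoted to 'pending', never widen it. To reach the desired result stated above, force 'pending' whenever the user lacks publish_posts, either by joining the two tests with `||` or by testing publish_posts alone, and make the matching change in the page branch.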
--
Ticket URL: <http://trac.wordpress.org/ticket/5727#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software