[wp-trac] [WordPress Trac] #27020: Use a safer capability default when post_author == 0
WordPress Trac
noreply at wordpress.org
Wed Feb 5 13:32:46 UTC 2014
#27020: Use a safer capability default when post_author == 0
-----------------------------+-----------------------------
Reporter: danielbachhuber | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Role/Capability | Version:
Severity: normal | Keywords: dev-feedback
Focuses: |
-----------------------------+-----------------------------
There are a few cases in which posts can get created without an assigned
author:
* WP-CLI needs a `--user` argument in order to set the user context for
performing any action. It's easy to forget to do this.
* WP-Cron performing, say, a syndication import can create posts without
assigned authors if no author is explicitly identified when using
`wp_insert_post()`.
* Co-Authors Plus supports creating posts without assigning a byline, as
well as assigning a "guest author", which doesn't exist as a user entity
and so no `post_author` assignment is made.
Although core doesn't explicitly support it via UI, there are valid ways
in which posts can get created without an assigned author.
With that being said, a post without an assigned author currently can be
edited by any user with `edit_posts`
([https://core.trac.wordpress.org/browser/tags/3.8.1/src/wp-includes/capabilities.php#L1126 ref]). This means that contributors, often
untrusted users within media companies, get more editing capabilities than
expected.
I propose that changing the capability check to `edit_others_posts` when
an author isn't assigned would be much safer. A concern is that this
change will break some obscure use-case that's been possible for four
years.
Genesis commit was r12053, although it looks like that problem should've
been fixed higher up the stack.
Related #26659
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27020>
WordPress Trac <https://core.trac.wordpress.org/>
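The capability fallback the ticket describes, as an added illustration that is not core's `map_meta_cap()` and not the reporter's code: a simplified model that maps `edit_post` to a primitive capability, with the current "no author, treat the editing user as the author" default beside the proposed `edit_others_posts` default. The status-dependent branch and the user ids are assumptions for the example.

```php
<?php
// Simplified model of the edit_post meta-capability mapping (added example,
// not wp-includes/capabilities.php). Capability names follow the ticket; the
// post-status branch is an approximation of the real mapping.

/**
 * Return the primitive capability required to edit a post.
 *
 * @param int    $post_author   post_author of the post (0 = no author assigned)
 * @param int    $user_id       user attempting the edit
 * @param string $post_status   'draft', 'publish', ...
 * @param bool   $safer_default true = proposed behaviour (#27020), false = current
 */
function required_cap_to_edit( $post_author, $user_id, $post_status, $safer_default ) {
    if ( 0 === (int) $post_author && ! $safer_default ) {
        // Current behaviour: an unassigned post is checked as if the editing user owned it.
        $post_author = $user_id;
    }
    if ( (int) $post_author === (int) $user_id ) {
        return 'publish' === $post_status ? 'edit_published_posts' : 'edit_posts';
    }
    // Someone else's post, or (with the safer default) nobody's post.
    return 'edit_others_posts';
}

/** Check a user's capability set against the mapped requirement. */
function user_can_edit( array $user_caps, $post_author, $user_id, $post_status, $safer_default ) {
    $cap = required_cap_to_edit( $post_author, $user_id, $post_status, $safer_default );
    return ! empty( $user_caps[ $cap ] );
}

// Constructed sample: a Contributor-like user (id 7, assumed) who holds only edit_posts.
$contributor = array( 'edit_posts' => true );

$cases = array(
    array( 'own draft',        7, 'draft' ),
    array( 'unassigned draft', 0, 'draft' ),
    array( "editor's draft",   2, 'draft' ),
);
foreach ( $cases as list( $label, $author, $status ) ) {
    printf(
        "%-17s current: %-5s  proposed: %s\n",
        $label,
        user_can_edit( $contributor, $author, 7, $status, false ) ? 'allow' : 'deny',
        user_can_edit( $contributor, $author, 7, $status, true ) ? 'allow' : 'deny'
    );
}
```

With the current default the contributor may edit the unassigned draft; with the proposed default that post requires `edit_others_posts`, which the contributor lacks, so only the contributor's own draft remains editable.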