[wp-trac] [WordPress Trac] #24153: Sticky flag gets unset if author doesn't have publish_posts permission
WordPress Trac
noreply at wordpress.org
Mon May 25 07:29:27 UTC 2015
#24153: Sticky flag gets unset if author doesn't have publish_posts permission
-----------------------------+-----------------------------
Reporter: archon810 | Owner: chriscct7
Type: defect (bug) | Status: accepted
Priority: normal | Milestone: 4.3
Component: Role/Capability | Version: 3.5
Severity: normal | Resolution:
Keywords: has-patch | Focuses: administration
-----------------------------+-----------------------------
Comment (by chriscct7):
Replying to [comment:15 obenland]:
> The problem lies in the
[https://core.trac.wordpress.org/browser/tags/4.2.2/src/wp-admin/includes
/meta-boxes.php#L137 Publish meta box], where the sticky option only gets
added when the user has both caps. If they lack `publish_post` the sticky
input is never added to the form. The cap check in `edit_post()` goes
through, but `'sticky'` is not set in the `$_POST` array, hence removing
the sticky flag.
We should do a permissions check before changing as the patch does as
opposed to adding a hidden field or something can be manipulated by
editing the source output of a page or using a POST replay
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24153#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list