[wp-trac] [WordPress Trac] #33694: Capability missing for editing scheduled posts created by one self (implicit permission bypass)
WordPress Trac
noreply at wordpress.org
Wed Sep 2 20:02:45 UTC 2015
#33694: Capability missing for editing scheduled posts created by one self (implicit permission bypass)
-------------------------------+-----------------------------
Reporter: SimpleBugReporter | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Role/Capability | Version: 4.3
Severity: normal | Keywords:
Focuses: administration |
-------------------------------+-----------------------------
The following capabilities exist today in the WordPress privilege system:
Edit Posts
Edit Others Posts
Edit Published Posts
Publish Posts
The standard WordPress role "Contributor" only has the capability "Edit
Posts" out of the four above, which in reality translates to "Edit posts
only created by one self".
This is good, because editorial staff can then edit the posts before they
are published, which is the entire purpose of this role, i.e. a
contributor can never publish any content that has not first been vetted
by senior staff.
BUT, there is a dangerous logic hole in this permission system right now,
which makes it possible for the contributor role to publish arbitrary
contents after all!
Namely, when a post created by a "contributor" has been edited by senior
staff and subsequently scheduled for publishing (say, in three hours), the
permission system apparently still considers the post as both "non-
published" and still "owned by its initial creator", i.e. the
"contributor" user. Thus, the current permission setup in WordPress and
for the contributor roles does in this situation allow the "contributor"
user to freely modify the contents of the post, and subsequently thus have
these arbitrary modifications published on the pre-scheduled moment in
time.
In addition to the fact that scheduled posts most of the time won't be re-
visited by the editorial staff before being published (thus giving lots of
time for the original "contributor" user to edit them even without any
malicious intent), this can also be exploited with explicit malice by such
a "contributor" user, by purposely making the desired edits to the post,
say, five seconds before the scheduled publishing time, thereby having
these new contents published instantly thereafter, before any members of
the editorial staff have had any chance to vet these changes, or most of
the time even know of them.
There are two possible simple solutions to this problem, out of which I
therefore suggest you choose one for implementation as soon as possible:
1. Make the permission system consider scheduled posts as "Published" already
from the moment they are scheduled, thus blocking any edits of them given
already today's allotted capabilities in WordPress for the "contributor"
role.
2. Add a new capability to the permission system called "Edit Scheduled
Posts", which the "contributor" role does NOT have by default, therefore
blocking this role from editing scheduled posts, EVEN if they are
originally created by the "contributor" user in question.
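The following plugin is an added example illustrating suggestion 1; it is not part of the ticket and not WordPress core code. WordPress maps the meta capability "edit_post" to primitive capabilities through map_meta_cap(), and the core logic adds "edit_published_posts" to the required set only when the post's status is "publish". The filter below extends that rule to posts with status "future" (scheduled), so a Contributor, who has edit_posts but not edit_published_posts, can no longer edit or delete their own post once an editor has scheduled it, while roles that already hold the published-post capabilities are unaffected. The hook name, its argument order and the $post_type->cap object are real WordPress APIs; the plugin header text is the author's own.

```php
<?php
/*
 * Plugin Name: Require published-post capabilities for scheduled posts
 * Description: Added example for Trac #33694, not WordPress core code.
 *              Treats posts with status "future" like published posts when
 *              mapping the edit_post and delete_post meta capabilities.
 */

// map_meta_cap receives the primitive capabilities core has already decided
// the user needs for $cap on $args[0]; anything appended here is required in
// addition, so the check can only become stricter, never looser.
add_filter( 'map_meta_cap', function ( array $caps, $cap, $user_id, array $args ) {
    if ( ! in_array( $cap, array( 'edit_post', 'delete_post' ), true ) || empty( $args[0] ) ) {
        return $caps; // Not a per-post edit/delete check: leave it alone.
    }

    $post = get_post( $args[0] );
    if ( ! $post || 'future' !== $post->post_status ) {
        return $caps; // Drafts, pending and published posts keep core's mapping.
    }

    $post_type = get_post_type_object( $post->post_type );
    if ( ! $post_type ) {
        return $caps;
    }

    // For a scheduled post, require the same capability core requires for an
    // already-published post of this type. Contributors lack
    // edit_published_posts / delete_published_posts, so the check fails for
    // them even though they still own the post.
    $required = ( 'edit_post' === $cap )
        ? $post_type->cap->edit_published_posts
        : $post_type->cap->delete_published_posts;

    if ( ! in_array( $required, $caps, true ) ) {
        $caps[] = $required;
    }

    return $caps;
}, 10, 4 );
```

Because the post editor, Quick Edit, XML-RPC and the REST API all decide through current_user_can( 'edit_post', $post_id ), which in turn runs map_meta_cap, a single filter like this closes the window described above for every editing path rather than only the classic edit screen.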
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33694>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform