[wp-trac] [WordPress Trac] #42489: New pages scheduled via Customizer trashed when changeset publish triggered by visitor

WordPress Trac noreply at wordpress.org
Thu Nov 9 18:23:06 UTC 2017 

#42489: New pages scheduled via Customizer trashed when changeset publish triggered
by visitor
--------------------------+-----------------------------
 Reporter:  bwmarkle      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  4.9
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 '''Here is the bug I believe''':
 When a page is scheduled (via the Customizer) to be published, it is only
 published if the customize_changeset publishing is triggered by a user
 with permission to do so. When a visitor to the site triggers wp-cron.php
 > check_and_publish_future_post, the page is instead trashed.

 I posted a Google Doc with steps to reproduce and screenshots here:
 https://docs.google.com/document/d/1HtSemFofPAmYbDReit-
 zygmlKcvHo6ACQpZJGvEdwY8/edit?usp=sharing

 '''If the document is unreachable, here are the steps from the doc''':
 # I just installed a brand new WordPress site via Softaculous.
 # I used the WordPress Beta plugin to install WordPress 4.9-RC2-42139.
 # Via the Customizer, I added a new page to a menu, “Test Page 1”. (Menus
 > Top Menu > Add Items > (Add New Page) Test Page 1 > Add.
 # I scheduled to publish the changes in 5 minutes.
 # Before that 5 minutes comes, I can see my Test Page 1 is a Customization
 Draft.
 # I log out.
 # When the time comes for the scheduled changes to be published, I access
 the front page a few times to run the scheduled cron.
 # 2 minutes after the scheduled time for the change to go live, I login to
 the dashboard.
 # I go to Pages > All Pages > Trash, and my “Test Page 1” has been
 trashed, instead of published.

 I believe this bug is triggered by the check_capabilities method in wp-
 includes/class-wp-customize-setting.php:
 https://github.com/WordPress/WordPress/blob/master/wp-includes/class-wp-
 customize-setting.php#L811-L826
 When a visitor to the site triggers '''wp-cron.php >
 check_and_publish_future_post''', the '''current_user_can''' calls return
 ''false'', and so the page is not published.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/42489>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list