[wp-trac] [WordPress Trac] #47443: REST-API prevents users with edit_published_posts capability updating published posts
WordPress Trac
noreply at wordpress.org
Fri May 31 10:02:59 UTC 2019
#47443: REST-API prevents users with edit_published_posts capability updating
published posts
--------------------------+-----------------------------
Reporter: derweili | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: 5.2.1
Severity: normal | Keywords: needs-patch
Focuses: rest-api |
--------------------------+-----------------------------
When a user has the `edit_posts` and `edit_published_posts` capabilities but
**not** the `publish_posts` capability and they edit a published post, they
get the following error:
{{{
'Sorry, you are not allowed to publish posts in this post type.'
}}}
Because the Block Editor relies on the REST-API, you can see this behavior
in the Gutenberg Editor as well.
In Gutenberg they don't see the above error. Instead, you see a "Submit for
Review" button in place of the Update button.
== To Reproduce
1. Create a user with the `edit_pages` and `edit_published_pages` capabilities
but not the `publish_pages` capability
2. Login as that user and edit a published page in the Classic Editor
3. See that the primary action button is "Update"
4. Switch to the Block Editor and see that the primary action button is
"Submit for Review"
== I think there are two changes that need to be done:
=== 1. in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php:1825
The if statement should be changed to:
{{{#!php
<?php
// Condition only; the body of the if statement is unchanged.
if ( 'attachment' !== $this->post_type
	&& (
		( 'publish' == $post->post_status && current_user_can( $post_type->cap->edit_published_posts ) )
		|| current_user_can( $post_type->cap->publish_posts )
	)
) {
	// ... existing body ...
}
}}}
After this first change you will have the "Update" button back in the
editor, but you still can't update the post. You will receive the above
`Sorry, you are not allowed to publish posts in this post type.` answer
from the REST-API. An additional change must be done:
=== 2. in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php:1148
The if statement should be changed to
{{{#!php
<?php
if ( ! current_user_can( $post_type->cap->publish_posts )
	&& ! current_user_can( $post_type->cap->edit_published_posts ) ) {
	return new WP_Error(
		'rest_cannot_publish',
		__( 'Sorry, you are not allowed to publish posts in this post type.' ),
		array( 'status' => rest_authorization_required_code() )
	);
}
}}}
== Related
Github Issue for Gutenberg:
https://github.com/WordPress/gutenberg/issues/13342
I am concerned about introducing security risk with these changes.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47443>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
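The capability logic discussed in the ticket, as an added example written for this page (it is not the reporter's code and not WordPress core's): a PHP script that models the 'publish' status check in the form the ticket describes as current, in the form change 2 proposes, and in a narrower form of my own that also consults the post's existing status. `current_user_can()`, `WP_Error`, the `$post_type` capability object, the capability set and the scenarios are stand-ins and assumptions chosen for illustration. Running it makes the reporter's security concern concrete: with only `edit_published_posts`, the proposed condition also accepts `status=publish` for a post that is still a draft, because the existing status is never consulted; the narrower rule accepts it only when the post is already published.

```php
<?php
/**
 * Added example, not code from the ticket or from WordPress core.
 *
 * Three variants of the REST 'publish' status check, run against a user who
 * holds edit_posts and edit_published_posts but not publish_posts, once for a
 * post that is already published and once for a draft. WP_Error, the
 * $post_type capability object and user_has_cap() are minimal stand-ins for
 * the WordPress pieces of the same purpose (assumptions, not core code).
 */

class WP_Error {
	public $code;
	public $message;
	public function __construct( $code, $message ) {
		$this->code    = $code;
		$this->message = $message;
	}
}

// Stand-in for the post type object's capability map ($post_type->cap).
$post_type = (object) array(
	'cap' => (object) array(
		'publish_posts'        => 'publish_posts',
		'edit_published_posts' => 'edit_published_posts',
	),
);

// Stand-in for current_user_can(): capabilities are passed in explicitly
// instead of being read from the logged-in user.
function user_has_cap( array $user_caps, $cap ) {
	return in_array( $cap, $user_caps, true );
}

function cannot_publish() {
	return new WP_Error( 'rest_cannot_publish', 'Sorry, you are not allowed to publish posts in this post type.' );
}

// 1. The behaviour the ticket describes as current: any request that sets
//    status=publish needs publish_posts, whatever the post's current status.
function status_check_current( array $user_caps, $post_type, $requested_status, $existing_status ) {
	if ( 'publish' !== $requested_status ) {
		return $requested_status;
	}
	if ( ! user_has_cap( $user_caps, $post_type->cap->publish_posts ) ) {
		return cannot_publish();
	}
	return 'publish';
}

// 2. The ticket's proposed change 2: edit_published_posts is accepted as an
//    alternative to publish_posts. $existing_status is not consulted at all.
function status_check_proposed( array $user_caps, $post_type, $requested_status, $existing_status ) {
	if ( 'publish' !== $requested_status ) {
		return $requested_status;
	}
	if ( ! user_has_cap( $user_caps, $post_type->cap->publish_posts )
		&& ! user_has_cap( $user_caps, $post_type->cap->edit_published_posts ) ) {
		return cannot_publish();
	}
	return 'publish';
}

// 3. A narrower rule (my own suggestion, not core's): edit_published_posts
//    only lets a post that is already published stay published; publishing a
//    post in any other status still requires publish_posts.
function status_check_narrow( array $user_caps, $post_type, $requested_status, $existing_status ) {
	if ( 'publish' !== $requested_status ) {
		return $requested_status;
	}
	if ( user_has_cap( $user_caps, $post_type->cap->publish_posts ) ) {
		return 'publish';
	}
	if ( 'publish' === $existing_status
		&& user_has_cap( $user_caps, $post_type->cap->edit_published_posts ) ) {
		return 'publish';
	}
	return cannot_publish();
}

// Constructed scenario: the user from the ticket, sending status=publish for
// a post that is already published and for one that is still a draft.
$user_caps = array( 'edit_posts', 'edit_published_posts' );
$variants  = array(
	'current'  => 'status_check_current',
	'proposed' => 'status_check_proposed',
	'narrow'   => 'status_check_narrow',
);

foreach ( array( 'publish', 'draft' ) as $existing ) {
	foreach ( $variants as $label => $fn ) {
		$result = $fn( $user_caps, $post_type, 'publish', $existing );
		printf(
			"existing=%-7s %-8s -> %s\n",
			$existing,
			$label,
			$result instanceof WP_Error ? $result->code : 'allowed'
		);
	}
}
```

The first row of each group is the ticket's bug (the current rule rejects a plain update of a published post); the `draft` group is where the proposed rule and the narrower rule part ways, and is the case a reviewer of change 2 should test before merging.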