[wp-trac] [WordPress Trac] #47443: REST-API prevents users with edit_published_posts capability updating published posts
WordPress Trac
noreply at wordpress.org
Fri Jan 24 22:28:16 UTC 2020
#47443: REST-API prevents users with edit_published_posts capability updating
published posts
----------------------------------------+-----------------------
Reporter: derweili | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 5.4
Component: REST API | Version: 5.2.1
Severity: normal | Resolution:
Keywords: has-patch needs-unit-tests | Focuses: rest-api
----------------------------------------+-----------------------
Comment (by apieschel):
Never mind, thinking it over again, since "future" means "to be published
in the future" it doesn't really make sense to have different permissions
for the "publish" and "future" cases. The original edit to
''wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php'' is
better. Added a new patch that reverts the change to this file but keeps my
new unit test.
But is it a problem that the patch would allow a user to publish posts via
the REST API, even if they only had the "edit_published_posts" capability?
This seems tricky. If it's not a problem, then I could simply edit the
unit test (test_create_post_publish_without_permission) that's failing. It
would pass if I removed the "edit_published_posts" capability in addition
to the "publish_posts" capability. What is the best practice for adjusting
previous unit tests in a case like this?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47443#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
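
The concern raised in the comment above, as an added example that is not part of the original ticket or of WordPress core: a stand-alone PHP model of a status check in which "edit_published_posts" lets a user save a post that is already live but never move a draft to "publish" or "future". The function name, the constructed capability set and the rule that the status must stay unchanged are assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress core code. All names are hypothetical.

/**
 * Publish-specific check: may a user holding $caps save a post whose stored
 * status is $current_status with $requested_status?
 */
function can_set_status(array $caps, string $current_status, string $requested_status): bool
{
    // "future" means "to be published in the future", so it is treated like "publish".
    $live = ['publish', 'future'];

    // The request does not ask for a live status: no publish check applies.
    if (!in_array($requested_status, $live, true)) {
        return true;
    }
    // publish_posts always permits moving a post to a live status.
    if (in_array('publish_posts', $caps, true)) {
        return true;
    }
    // Assumption: edit_published_posts only covers a post that is already
    // live and keeps its status. It must not turn a draft into a live post.
    return in_array('edit_published_posts', $caps, true)
        && $current_status === $requested_status;
}

// Constructed capability set: can edit published posts, cannot publish.
$caps = ['edit_posts', 'edit_published_posts'];

// [stored status, requested status, expected decision]
$cases = [
    ['publish', 'publish', true],   // updating an already-published post
    ['future',  'future',  true],   // updating an already-scheduled post
    ['draft',   'publish', false],  // would publish without publish_posts
    ['draft',   'future',  false],  // would schedule without publish_posts
];

foreach ($cases as [$from, $to, $expected]) {
    $got = can_set_status($caps, $from, $to);
    printf("%-8s -> %-8s %s\n", $from, $to, $got ? 'allow' : 'deny');
    if ($got !== $expected) {
        throw new RuntimeException("unexpected decision for $from -> $to");
    }
}
```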