[wp-trac] [WordPress Trac] #47443: REST-API prevents users with edit_published_posts capability updating published posts
WordPress Trac
noreply at wordpress.org
Thu Mar 26 03:13:34 UTC 2020
#47443: REST-API prevents users with edit_published_posts capability updating
published posts
----------------------------------------------------+-------------------------
Reporter:  derweili                                 | Owner:      (none)
Type:      defect (bug)                             | Status:     new
Priority:  normal                                   | Milestone:  5.5
Component: REST API                                 | Version:    5.2.1
Severity:  normal                                   | Resolution:
Keywords:  has-patch needs-unit-tests needs-refresh | Focuses:    rest-api
----------------------------------------------------+-------------------------
Comment (by peterwilsoncc):
@kadamwhite @TimothyBlynJacobs Sorry, I'd missed the comment.
Yes, when editing an existing post the correct check is the meta
capability; `current_user_can( 'publish_post', $id )` for the generic
post type `post`.
You'll need to fork the function for existing and new posts. In terms of
code, I think you'll want the following:
{{{#!php
<?php
// EXISTING POST
switch ( $post_status ) {
	case 'draft':
	case 'pending':
		if ( ! current_user_can( $post_type->cap->edit_post, $post_id ) ) {
			// Error
		}
		break;
	case 'publish':
	case 'future':
	case 'private':
		if ( ! current_user_can( 'publish_post', $post_id ) ) {
			// Error (same meta cap string for all post types).
		}
		break;
	default:
		// I'm really not sure what this is for, sorry. Custom statuses????
		break;
}

// NEW POST
switch ( $post_status ) {
	case 'draft':
	case 'pending':
		if ( ! current_user_can( $post_type->cap->edit_posts ) ) {
			// Error
		}
		break;
	case 'publish':
	case 'future':
	case 'private':
	default:
		// Unchanged
		break;
}
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47443#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform