From 7439dd735400df16d0fc33ca161813348ed5c253 Mon Sep 17 00:00:00 2001 From: Gary Pendergast Date: Wed, 22 Jul 2015 04:01:53 +0000 Subject: [PATCH] Capabilities: When creating an auto-draft, ensure that the current user still has permission to do so. git-svn-id: https://develop.svn.wordpress.org/trunk@33357 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-admin/includes/dashboard.php | 4 ++++ src/wp-admin/post.php | 5 +++-- src/wp-includes/capabilities.php | 4 +++- tests/phpunit/tests/user/capabilities.php | 10 ++++++++++ 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/src/wp-admin/includes/dashboard.php b/src/wp-admin/includes/dashboard.php index 8aae3b7a2b..49fcdd926b 100644 --- a/src/wp-admin/includes/dashboard.php +++ b/src/wp-admin/includes/dashboard.php @@ -442,6 +442,10 @@ function wp_network_dashboard_right_now() { function wp_dashboard_quick_press( $error_msg = false ) { global $post_ID; + if ( ! current_user_can( 'edit_posts' ) ) { + return; + } + /* Check if a new auto-draft (= no new post_ID) is needed or if the old can be used */ $last_post_id = (int) get_user_option( 'dashboard_quick_press_last_post_id' ); // Get the last post_ID if ( $last_post_id ) { diff --git a/src/wp-admin/post.php b/src/wp-admin/post.php index c049d6a937..08b0232410 100644 --- a/src/wp-admin/post.php +++ b/src/wp-admin/post.php @@ -120,8 +120,9 @@ case 'post-quickdraft-save': if ( ! wp_verify_nonce( $nonce, 'add-post' ) ) $error_msg = __( 'Unable to submit this form, please refresh and try again.' ); - if ( ! current_user_can( 'edit_posts' ) ) - $error_msg = __( 'Oops, you don’t have access to add new drafts.' ); + if ( ! current_user_can( 'edit_posts' ) ) { + exit; + } if ( $error_msg ) return wp_dashboard_quick_press( $error_msg ); diff --git a/src/wp-includes/capabilities.php b/src/wp-includes/capabilities.php index f5262d9a79..dd97d98098 100644 --- a/src/wp-includes/capabilities.php +++ b/src/wp-includes/capabilities.php @@ -1188,8 +1188,10 @@ function map_meta_cap( $cap, $user_id ) { case 'edit_post': case 'edit_page': $post = get_post( $args[0] ); - if ( empty( $post ) ) + if ( empty( $post ) ) { + $caps[] = 'do_not_allow'; break; + } if ( 'revision' == $post->post_type ) { $post = get_post( $post->post_parent ); diff --git a/tests/phpunit/tests/user/capabilities.php b/tests/phpunit/tests/user/capabilities.php index 77970c52b7..886588341c 100644 --- a/tests/phpunit/tests/user/capabilities.php +++ b/tests/phpunit/tests/user/capabilities.php @@ -926,4 +926,14 @@ class Tests_User_Capabilities extends WP_UnitTestCase { $user->remove_cap( 'publish_pages' ); $this->assertFalse( $user->has_cap( 'publish_pages' ) ); } + + function test_subscriber_cant_edit_posts() { + $user = new WP_User( $this->factory->user->create( array( 'role' => 'subscriber' ) ) ); + wp_set_current_user( $user->ID ); + + $post = $this->factory->post->create( array( 'post_author' => 1 ) ); + + $this->assertFalse( current_user_can( 'edit_post', $post ) ); + $this->assertFalse( current_user_can( 'edit_post', $post + 1 ) ); + } }