WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Privacy: Require `manage_privacy_options` to edit policy page. 

A user is required to have the `manage_privacy_options` capability in order to determine which page is set as the privacy policy (the `wp_page_for_privacy_policy`). Given that, it doesn't make sense to allow users without that capability to edit or delete the page. 

A similar situation exists with the `page_for_posts` and `page_on_front` options, but Editors are allowed to edit those pages. The reason that this situation is different is because it is more likely that an administrator will want to restrict modifications to the privacy policy, than it is that they will want to allow modifications. Modifications to the policy often require specialized knowledge of local laws, and can have implications for compliance with those laws.

Props dlh, desrosj.
Fixes #44079.

Built from https://develop.svn.wordpress.org/trunk@43286


git-svn-id: http://core.svn.wordpress.org/trunk@43115 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
iandunn 2018-05-15 20:44:21 +00:00
parent fdd5b8dacd
commit 461d17576c
2 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
wp-includes/capabilities.php
View File

@ -121,6 +121,15 @@ function map_meta_cap( $cap, $user_id ) {
$caps[] = $post_type->cap->delete_private_posts;
}
}
/*
* Setting the privacy policy page requires `manage_privacy_options`,
* so deleting it should require that too.
*/
if ( (int) get_option( 'wp_page_for_privacy_policy' ) === $post->ID ) {
$caps = array_merge( $caps, map_meta_cap( 'manage_privacy_options', $user_id ) );
}
break;
// edit_post breaks down to edit_posts, edit_published_posts, or
// edit_others_posts
@ -183,6 +192,15 @@ function map_meta_cap( $cap, $user_id ) {
$caps[] = $post_type->cap->edit_private_posts;
}
}
/*
* Setting the privacy policy page requires `manage_privacy_options`,
* so editing it should require that too.
*/
if ( (int) get_option( 'wp_page_for_privacy_policy' ) === $post->ID ) {
$caps = array_merge( $caps, map_meta_cap( 'manage_privacy_options', $user_id ) );
}
break;
case 'read_post':
case 'read_page':

2
wp-includes/version.php
View File

@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '5.0-alpha-43284';
$wp_version = '5.0-alpha-43286';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.