From c0c884b522e0d7690f76e006506046d342bb6278 Mon Sep 17 00:00:00 2001 From: Andrew Nacin Date: Fri, 21 Jun 2013 06:00:59 +0000 Subject: [PATCH] Better cap checks in _wp_translate_post_data(). git-svn-id: http://core.svn.wordpress.org/trunk@24478 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/includes/post.php | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/wp-admin/includes/post.php b/wp-admin/includes/post.php index 17771408c3..a2ad81dd05 100644 --- a/wp-admin/includes/post.php +++ b/wp-admin/includes/post.php @@ -65,15 +65,24 @@ function _wp_translate_postdata( $update = false, $post_data = null ) { } } - if ( ! $update && isset( $post_data['user_ID'] ) && ( $post_data['post_author'] != $post_data['user_ID'] ) + if ( isset( $post_data['user_ID'] ) && ( $post_data['post_author'] != $post_data['user_ID'] ) && ! current_user_can( $ptype->cap->edit_others_posts ) ) { - - if ( 'page' == $post_data['post_type'] ) - return new WP_Error( 'edit_others_pages', __( 'You are not allowed to create pages as this user.' ) ); - else - return new WP_Error( 'edit_others_posts', __( 'You are not allowed to create posts as this user.' ) ); + if ( $update ) { + if ( 'page' == $post_data['post_type'] ) + return new WP_Error( 'edit_others_pages', __( 'You are not allowed to edit pages as this user.' ) ); + else + return new WP_Error( 'edit_others_posts', __( 'You are not allowed to edit posts as this user.' ) ); + } else { + if ( 'page' == $post_data['post_type'] ) + return new WP_Error( 'edit_others_pages', __( 'You are not allowed to create pages as this user.' ) ); + else + return new WP_Error( 'edit_others_posts', __( 'You are not allowed to create posts as this user.' ) ); + } } + if ( ! empty( $post_data['post_status'] ) ) + $post_data['post_status'] = sanitize_key( $post_data['post_status'] ); + // What to do based on which button they pressed if ( isset($post_data['saveasdraft']) && '' != $post_data['saveasdraft'] ) $post_data['post_status'] = 'draft'; @@ -92,10 +101,12 @@ function _wp_translate_postdata( $update = false, $post_data = null ) { $post_id = false; $previous_status = $post_id ? get_post_field( 'post_status', $post_id ) : false; + $published_statuses = array( 'publish', 'future' ); + // Posts 'submitted for approval' present are submitted to $_POST the same as if they were being published. // Change status from 'publish' to 'pending' if user lacks permissions to publish or to resave published posts. - if ( isset($post_data['post_status']) && ('publish' == $post_data['post_status'] && !current_user_can( $ptype->cap->publish_posts )) ) - if ( $previous_status != 'publish' || !current_user_can( 'edit_post', $post_id ) ) + if ( isset($post_data['post_status']) && (in_array( $post_data['post_status'], $published_statuses ) && !current_user_can( $ptype->cap->publish_posts )) ) + if ( ! in_array( $previous_status, $published_statuses ) || !current_user_can( 'edit_post', $post_id ) ) $post_data['post_status'] = 'pending'; if ( ! isset($post_data['post_status']) )