From ea3e47bc0882ed2e10297bc73fb6fe5bf240b88c Mon Sep 17 00:00:00 2001
From: Ryan Boren
Date: Fri, 30 Nov 2012 14:03:47 +0000
Subject: [PATCH] Add a create_posts check to _wp_translate_postdata(). Move the edit_post check to the top of the function. Props nacin fixes #22417
git-svn-id: http://core.svn.wordpress.org/trunk@22950 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/post.php | 40 ++++++++++++++++++++------------------
 1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/wp-admin/includes/post.php b/wp-admin/includes/post.php
index e4eca553cc..5a4d966258 100644
--- a/wp-admin/includes/post.php
+++ b/wp-admin/includes/post.php
@@ -26,6 +26,20 @@ function _wp_translate_postdata( $update = false, $post_data = null ) {
 if ( $update )
 $post_data['ID'] = (int) $post_data['post_ID'];
 
+ $ptype = get_post_type_object( $post_data['post_type'] );
+
+ if ( $update && ! current_user_can( $ptype->cap->edit_post, $post_data['ID'] ) ) {
+ if ( 'page' == $post_data['post_type'] )
+ return new WP_Error( 'edit_others_pages', __( 'You are not allowed to edit pages as this user.' ) );
+ else
+ return new WP_Error( 'edit_others_posts', __( 'You are not allowed to edit posts as this user.' ) );
+ } elseif ( ! $update && ! current_user_can( $ptype->cap->create_posts ) ) {
+ if ( 'page' == $post_data['post_type'] )
+ return new WP_Error( 'edit_others_pages', __( 'You are not allowed to create pages as this user.' ) );
+ else
+ return new WP_Error( 'edit_others_posts', __( 'You are not allowed to create posts as this user.' ) );
+ }
+
 if ( isset( $post_data['content'] ) )
 $post_data['post_content'] = $post_data['content'];
 
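Review bot: `$ptype` is dereferenced in the new capability checks without confirming that `get_post_type_object()` returned an object; for an unregistered `post_type` value it returns null, so `$ptype->cap->edit_post` and `$ptype->cap->create_posts` read properties of a non-object. Add a guard right after the lookup, for example `if ( ! $ptype ) return new WP_Error( 'invalid_post_type', __( 'Invalid post type.' ) );`. On the update path the capability name is also taken from `$post_data['post_type']` rather than from the stored post; if that array is request data (its origin is outside the hunk), resolving the type from `$post_data['ID']` would keep the authorization decision tied to the post actually being edited. The create_posts denial reuses the `edit_others_pages`/`edit_others_posts` error codes, so callers cannot tell the two failures apart. The function begins and continues outside this hunk.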
@@ -51,25 +65,13 @@ function _wp_translate_postdata( $update = false, $post_data = null ) {
 }
 }
 
- $ptype = get_post_type_object( $post_data['post_type'] );
- if ( isset($post_data['user_ID']) && ($post_data['post_author'] != $post_data['user_ID']) ) {
- if ( $update ) {
- if ( ! current_user_can( $ptype->cap->edit_post, $post_data['ID'] ) ) {
- if ( 'page' == $post_data['post_type'] ) {
- return new WP_Error( 'edit_others_pages', __( 'You are not allowed to edit pages as this user.' ) );
- } else {
- return new WP_Error( 'edit_others_posts', __( 'You are not allowed to edit posts as this user.' ) );
- }
- }
- } else {
- if ( ! current_user_can( $ptype->cap->edit_others_posts ) ) {
- if ( 'page' == $post_data['post_type'] ) {
- return new WP_Error( 'edit_others_pages', __( 'You are not allowed to create pages as this user.' ) );
- } else {
- return new WP_Error( 'edit_others_posts', __( 'You are not allowed to create posts as this user.' ) );
- }
- }
- }
+ if ( ! $update && isset( $post_data['user_ID'] ) && ( $post_data['post_author'] != $post_data['user_ID'] )
+ && ! current_user_can( $ptype->cap->edit_others_posts ) ) {
+
+ if ( 'page' == $post_data['post_type'] )
+ return new WP_Error( 'edit_others_pages', __( 'You are not allowed to create pages as this user.' ) );
+ else
+ return new WP_Error( 'edit_others_posts', __( 'You are not allowed to create posts as this user.' ) );
 }
 
 // What to do based on which button they pressed
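Review bot: The rewritten author check starts with `! $update`, so a `post_author` that differs from `user_ID` is compared against `edit_others_posts` only on creation; on update the only gate is the `edit_post` check moved to the top of the function. If nothing downstream re-validates the author, a user who may edit a post could save it under another author without holding `edit_others_posts`. Consider dropping `! $update &&` from the condition and choosing the edit or create wording from `$update` inside the block. Both sides of the comparison come from `$post_data`; if `user_ID` is request-supplied (not visible here), compare against `get_current_user_id()` instead. The enclosing function starts and ends outside the hunk.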