From ee51200c50f1d437426880c23cceb1db6467d907 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sat, 9 Dec 2017 22:51:54 +0000 Subject: [PATCH] Role/Capability: When checking capabilities before setting a post slug, ensure the correct post type capabilities are used. Previously, only the `publish_posts` capability was checked. Now, the correct meta or primitive capability for the post type is used where appropriate. Props peterwilsoncc Fixes #42464 Built from https://develop.svn.wordpress.org/trunk@42380 git-svn-id: http://core.svn.wordpress.org/trunk@42209 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/post.php | 12 ++++++++++-- wp-includes/version.php | 2 +- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/wp-includes/post.php b/wp-includes/post.php index 45fb3573b8..94a450f438 100644 --- a/wp-includes/post.php +++ b/wp-includes/post.php @@ -3304,8 +3304,16 @@ function wp_insert_post( $postarr, $wp_error = false ) { } } - // Don't allow contributors to set the post slug for pending review posts. - if ( 'pending' == $post_status && ! current_user_can( 'publish_posts' ) ) { + /* + * Don't allow contributors to set the post slug for pending review posts. + * + * For new posts check the primitive capability, for updates check the meta capability. + */ + $post_type_object = get_post_type_object( $post_type ); + + if ( ! $update && 'pending' === $post_status && ! current_user_can( $post_type_object->cap->publish_posts ) ) { + $post_name = ''; + } elseif ( $update && 'pending' === $post_status && ! current_user_can( 'publish_post', $post_ID ) ) { $post_name = ''; } diff --git a/wp-includes/version.php b/wp-includes/version.php index 4397e887f3..1fb4a183b5 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '5.0-alpha-42379'; +$wp_version = '5.0-alpha-42380'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.