From 46951e0b178ff5ca7585d5ca1741ae6afee46bd8 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Tue, 4 Feb 2020 22:15:08 +0000
Subject: [PATCH] Posts, Post Types: Fail gracefully when checking mapped cap against unregistered post status.
With `map_meta_cap` enabled for a post type, the `read_post` capability for posts with a public status is supposed to be mapped to the post type's `read` capability. When a post is left in the database after the post status is no longer present, and WP does a `read_post` check against it, a PHP notice was thrown, and the cap check always failed. As a more graceful fallback, the cap is now mapped onto `edit_others_posts`, which allows highly privileged users to be able to access orphaned content. A `_doing_it_wrong()` notice is also added, so that developers and site administrators are aware that the cap mapping is failing in the absence of the registered post status. Follow-up to [34091], which introduced a similar approach to checking mapped caps against an unregistered post type.
Props roytanck, SergeyBiryukov.
Fixes #48653.
Built from https://develop.svn.wordpress.org/trunk@47178
git-svn-id: http://core.svn.wordpress.org/trunk@46978 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/capabilities.php | 7 +++++++
 wp-includes/version.php | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/wp-includes/capabilities.php b/wp-includes/capabilities.php
index 38287dc7c3..f05c504cc1 100644
--- a/wp-includes/capabilities.php
+++ b/wp-includes/capabilities.php
@@ -241,6 +241,13 @@ function map_meta_cap( $cap, $user_id, ...$args ) {
 }
 $status_obj = get_post_status_object( $post->post_status );
+ if ( ! $status_obj ) {
+ /* translators: 1: Post status, 2: Capability name. */
+ _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post status %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post with that status.' ), $post->post_status, $cap ), '5.4.0' );
+ $caps[] = 'edit_others_posts';
+ break;
+ }
+
+ if ( $status_obj->public ) {
 $caps[] = $post_type->cap->read;
 break;
diff --git a/wp-includes/version.php b/wp-includes/version.php
index dcdf41c1ae..54832bdbce 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -13,7 +13,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.4-alpha-47177';
+$wp_version = '5.4-alpha-47178';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
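Review bot: The fallback at `$caps[] = 'edit_others_posts';` hard-codes the core posts capability, although this branch runs for a registered post type whose own mapping is used just below as `$post_type->cap->read`. For a post type with a custom capability type, access to a post with an unregistered status is then decided by the `post` capability set rather than the type's own, so an editor of ordinary posts may pass the check while the type's own editors fail it. Consider `$caps[] = $post_type->cap->edit_others_posts;` so the fallback stays inside the post type's privilege boundary. Separately, `$post->post_status` is placed in the notice text exactly as read from the database; if that notice can be displayed, escaping it (for example with `esc_html()`) would be prudent. The enclosing switch case in `map_meta_cap()` starts and ends outside this hunk.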