
Changeset 2996


Ignore:
Timestamp:
04/21/2016 10:01:04 PM (9 years ago)
Author:
obenland
Message:

Plugin Directory: Make sure post_status changes are kosher.

Adds a cap check to make sure everyone can only set plugins to the status they
are supposed to:

  • Plugin Admins: Any post status.
  • Plugin Reviewers: Draft and Pending.
  • Everyone else: No changes allowed.

See #1570.

Location:
sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory
Files:
3 edited

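--- a/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-status-transitions.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-status-transitions.php
@@ -27,4 +27,40 @@
         add_action( 'publish_plugin', array( $this, 'publish' ), 10, 2 );
         add_action( 'rejected_plugin', array( $this, 'rejected' ), 10, 2 );
+    }
+
+    /**
+     * Checks permissions before allowing a post_status change for plugins.
+     *
+     * @param array $data    An array of slashed post data.
+     * @param array $postarr An array of sanitized, but otherwise unmodified post data.
+     * @return array
+     */
+    public static function can_change_post_status( $data, $postarr ) {
+        $old_status = get_post_field( 'post_status', $postarr['ID'] );
+
+        // Keep going if this is not a plugin...
+        if ( 'plugin' !== $postarr['post_type'] ) {
+            return $data;
+        }
+
+        // ...or the status never changed...
+        if ( $old_status === $postarr['post_status'] ) {
+            return $data;
+        }
+
+        // ...or it's a plugin admin...
+        if ( current_user_can( 'plugin_approve', $postarr['ID'] ) ) {
+            return $data;
+        }
+
+        // ...or it's a white-listed status for plugin reviewers.
+        if ( current_user_can( 'plugin_review', $postarr['ID'] ) && in_array( $postarr['post_status'], array( 'draft', 'pending' ) ) ) {
+            return $data;
+        }
+
+        // ...DIE!!!!!
+        wp_die( __( 'You do not have permission to assign this post status to a plugin.', 'wporg-plugins' ), '', array(
+            'back_link' => true,
+        ) );
     }
 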
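Review bot: `can_change_post_status` compares `$postarr['post_status']`, but the value that will actually be written is `$data['post_status']`, which wp_insert_post has already normalized by the time this filter runs (it falls back to 'draft' when the caller passes no status); a caller that omits post_status leaves `$postarr['post_status']` undefined, so it reads as null, counts as a change, and would reach wp_die even though the saved status is unchanged. `$postarr['ID']` has the same problem for a brand-new post, where it can be unset or 0, and it is read by get_post_field before the post_type guard runs. I would compare against the data being saved, `$new_status = isset( $data['post_status'] ) ? $data['post_status'] : '';` followed by `if ( $old_status === $new_status ) {`, and pass `true` as the third argument of `in_array()` so a loosely-equal value cannot satisfy the reviewer whitelist. The enclosing class starts and ends outside the hunk.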
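--- a/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-controls.php
@@ -43,5 +43,9 @@
         $statuses = array( 'draft', 'pending' );
         if ( current_user_can( 'plugin_approve', $post ) ) {
-            $statuses = array_merge( $statuses, array( 'publish', 'disabled', 'closed', 'rejected' ) );
+            if ( in_array( $post->post_status, array( 'draft', 'pending', 'rejected' ) ) ) {
+                $statuses = array_merge( $statuses, array( 'publish', 'rejected' ) );
+            } else {
+                $statuses = array( 'publish', 'disabled', 'closed' );
+            }
         }
         ?>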
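Review bot: The status lists chosen for the dropdown here are a second copy of the sets enforced server-side in `Status_Transitions::can_change_post_status` (the reviewer pair `draft`/`pending` is spelled out in both files), so the UI and the permission check can drift apart silently the next time one of them is edited; a shared constant or static helper on Status_Transitions that both read from would keep them in step. The new `in_array( $post->post_status, array( 'draft', 'pending', 'rejected' ) )` should also pass `true` as its third argument so the comparison is strict. The enclosing function starts outside the hunk.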
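--- a/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/class-plugin-directory.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/class-plugin-directory.php
@@ -42,4 +42,5 @@
             Customizations::instance();
 
+            add_action( 'wp_insert_post_data', array( __NAMESPACE__ . '\Admin\Status_Transitions', 'can_change_post_status' ), 10, 2 );
             add_action( 'transition_post_status', array( __NAMESPACE__ . '\Admin\Status_Transitions', 'instance' ) );
         }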
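Review bot: `wp_insert_post_data` is a filter whose return value replaces the post data about to be saved, so registering `can_change_post_status` with add_action hides the fact that the callback must hand `$data` back; `add_filter( 'wp_insert_post_data', array( __NAMESPACE__ . '\Admin\Status_Transitions', 'can_change_post_status' ), 10, 2 );` behaves the same (add_action is a thin wrapper over add_filter) but documents that contract to the next reader. The enclosing method starts outside the hunk.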