From 4bfee774d5f5918cefb690238f8bf75ffdecd5ad Mon Sep 17 00:00:00 2001
From: iandunn
Date: Tue, 15 May 2018 20:59:25 +0000
Subject: [PATCH] Privacy: Require `manage_privacy_options` to edit policy page.
A user is required to have the `manage_privacy_options` capability in order to determine which page is set as the privacy policy (the `wp_page_for_privacy_policy`). Given that, it doesn't make sense to allow users without that capability to edit or delete the page.
A similar situation exists with the `page_for_posts` and `page_on_front` options, but Editors are allowed to edit those pages. The reason that this situation is different is because it is more likely that an administrator will want to restrict modifications to the privacy policy, than it is that they will want to allow modifications. Modifications to the policy often require specialized knowledge of local laws, and can have implications for compliance with those laws.
Props dlh, desrosj.
Merges [43286] to the 4.9 branch.
Fixes #44079.
Built from https://develop.svn.wordpress.org/branches/4.9@43287
git-svn-id: http://core.svn.wordpress.org/branches/4.9@43116 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/capabilities.php | 18 ++++++++++++++++++
 wp-includes/version.php | 2 +-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/wp-includes/capabilities.php b/wp-includes/capabilities.php
index f2c8765cef..e71cbfa928 100644
--- a/wp-includes/capabilities.php
+++ b/wp-includes/capabilities.php
@@ -119,6 +119,15 @@ function map_meta_cap( $cap, $user_id ) {
 $caps[] = $post_type->cap->delete_private_posts;
 }
 }
+
+ /*
+ * Setting the privacy policy page requires `manage_privacy_options`,
+ * so deleting it should require that too.
+ */
+ if ( (int) get_option( 'wp_page_for_privacy_policy' ) === $post->ID ) {
+ $caps = array_merge( $caps, map_meta_cap( 'manage_privacy_options', $user_id ) );
+ }
+
 break;
 // edit_post breaks down to edit_posts, edit_published_posts, or
 // edit_others_posts
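Review bot: The new guard relies on `$post->ID` already being an int, because the `(int)` cast is applied only to the option side of the strict `===`; if any path hands `map_meta_cap()` a post whose `ID` is still a numeric string, the comparison never matches and the added restriction silently does not apply, so casting both sides, `if ( (int) get_option( 'wp_page_for_privacy_policy' ) === (int) $post->ID ) {`, makes the check independent of how `$post` was hydrated. The identical block is repeated in the `edit_post` hunk at `@@ -180,6 +189,15 @@` and should get the same change. The check is also placed after the post-type branches at the end of the `delete_post` case, so any earlier `break` within that case — those lines are outside this hunk — would presumably bypass it; worth confirming the privacy policy page always reaches this point. `map_meta_cap()` starts and ends outside the hunk.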
@@ -180,6 +189,15 @@ function map_meta_cap( $cap, $user_id ) {
 $caps[] = $post_type->cap->edit_private_posts;
 }
 }
+
+ /*
+ * Setting the privacy policy page requires `manage_privacy_options`,
+ * so editing it should require that too.
+ */
+ if ( (int) get_option( 'wp_page_for_privacy_policy' ) === $post->ID ) {
+ $caps = array_merge( $caps, map_meta_cap( 'manage_privacy_options', $user_id ) );
+ }
+
 break;
 case 'read_post':
 case 'read_page':
diff --git a/wp-includes/version.php b/wp-includes/version.php
index c788255a69..d41ecec860 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.9.6-RC1-43285';
+$wp_version = '4.9.6-RC1-43287';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.