Privacy: Require manage_privacy_options to edit policy page.

A user is required to have the `manage_privacy_options` capability in order to determine which page is set as the privacy policy (the `wp_page_for_privacy_policy`). Given that, it doesn't make sense to allow users without that capability to edit or delete the page. 

A similar situation exists with the `page_for_posts` and `page_on_front` options, but Editors are allowed to edit those pages. The reason that this situation is different is because it is more likely that an administrator will want to restrict modifications to the privacy policy, than it is that they will want to allow modifications. Modifications to the policy often require specialized knowledge of local laws, and can have implications for compliance with those laws.

Props dlh, desrosj.
Merges [43286] to the 4.9 branch.
Fixes #44079.

Built from https://develop.svn.wordpress.org/branches/4.9@43287


git-svn-id: http://core.svn.wordpress.org/branches/4.9@43116 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
iandunn 2018-05-15 20:59:25 +00:00
parent f4a436c522
commit 4bfee774d5
2 changed files with 19 additions and 1 deletions

View File

@ -119,6 +119,15 @@ function map_meta_cap( $cap, $user_id ) {
$caps[] = $post_type->cap->delete_private_posts; $caps[] = $post_type->cap->delete_private_posts;
} }
} }
/*
* Setting the privacy policy page requires `manage_privacy_options`,
* so deleting it should require that too.
*/
if ( (int) get_option( 'wp_page_for_privacy_policy' ) === $post->ID ) {
$caps = array_merge( $caps, map_meta_cap( 'manage_privacy_options', $user_id ) );
}
break; break;
// edit_post breaks down to edit_posts, edit_published_posts, or // edit_post breaks down to edit_posts, edit_published_posts, or
// edit_others_posts // edit_others_posts
@ -180,6 +189,15 @@ function map_meta_cap( $cap, $user_id ) {
$caps[] = $post_type->cap->edit_private_posts; $caps[] = $post_type->cap->edit_private_posts;
} }
} }
/*
* Setting the privacy policy page requires `manage_privacy_options`,
* so editing it should require that too.
*/
if ( (int) get_option( 'wp_page_for_privacy_policy' ) === $post->ID ) {
$caps = array_merge( $caps, map_meta_cap( 'manage_privacy_options', $user_id ) );
}
break; break;
case 'read_post': case 'read_post':
case 'read_page': case 'read_page':

View File

@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.9.6-RC1-43285'; $wp_version = '4.9.6-RC1-43287';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.