Merge pull request #452 from Yoast/fix/permission-check

Improves permissions checks for the Bulk Clone action and the republishing of a copy.

Author: leonidasmi

src/handlers/bulk-handler.php

@@ -89,18 +89,28 @@ public function rewrite_bulk_action_handler( $redirect_to, $doaction, $post_ids
 		}
 
 		$counter = 0;
+		$skipped = 0;
 		if ( \is_array( $post_ids ) ) {
 			foreach ( $post_ids as $post_id ) {
 				$post = \get_post( $post_id );
-				if ( ! empty( $post ) && $this->permissions_helper->should_rewrite_and_republish_be_allowed( $post ) ) {
-					$new_post_id = $this->post_duplicator->create_duplicate_for_rewrite_and_republish( $post );
-					if ( ! \is_wp_error( $new_post_id ) ) {
-						++$counter;
-					}
+				if ( empty( $post ) || ! $this->permissions_helper->should_rewrite_and_republish_be_allowed( $post ) ) {
+					continue;
+				}
+				if ( ! \current_user_can( 'edit_post', $post_id ) ) {
+					++$skipped;
+					continue;
+				}
+				$new_post_id = $this->post_duplicator->create_duplicate_for_rewrite_and_republish( $post );
+				if ( ! \is_wp_error( $new_post_id ) ) {
+					++$counter;
 				}
 			}
 		}
-		return \add_query_arg( 'bulk_rewriting', $counter, $redirect_to );
+		$redirect_to = \add_query_arg( 'bulk_rewriting', $counter, $redirect_to );
+		if ( $skipped > 0 ) {
+			$redirect_to = \add_query_arg( 'bulk_rewriting_skipped', $skipped, $redirect_to );
+		}
+		return $redirect_to;
 	}
 
 	/**
@@ -118,21 +128,32 @@ public function clone_bulk_action_handler( $redirect_to, $doaction, $post_ids )
 		}
 
 		$counter = 0;
+		$skipped = 0;
 		if ( \is_array( $post_ids ) ) {
 			foreach ( $post_ids as $post_id ) {
 				$post = \get_post( $post_id );
-				if ( ! empty( $post ) && ! $this->permissions_helper->is_rewrite_and_republish_copy( $post ) ) {
-					if ( \intval( \get_option( 'duplicate_post_copychildren' ) !== 1 )
-						|| ! \is_post_type_hierarchical( $post->post_type )
-						|| ( \is_post_type_hierarchical( $post->post_type ) && ! Utils::has_ancestors_marked( $post, $post_ids ) )
-					) {
-						if ( ! \is_wp_error( \duplicate_post_create_duplicate( $post ) ) ) {
-							++$counter;
-						}
-					}
+				if ( empty( $post ) || $this->permissions_helper->is_rewrite_and_republish_copy( $post ) ) {
+					continue;
+				}
+				if ( \intval( \get_option( 'duplicate_post_copychildren' ) ) === 1
+					&& \is_post_type_hierarchical( $post->post_type )
+					&& Utils::has_ancestors_marked( $post, $post_ids )
+				) {
+					continue;
+				}
+				if ( ! \current_user_can( 'edit_post', $post_id ) ) {
+					++$skipped;
+					continue;
+				}
+				if ( ! \is_wp_error( \duplicate_post_create_duplicate( $post ) ) ) {
+					++$counter;
 				}
 			}
 		}
-		return \add_query_arg( 'bulk_cloned', $counter, $redirect_to );
+		$redirect_to = \add_query_arg( 'bulk_cloned', $counter, $redirect_to );
+		if ( $skipped > 0 ) {
+			$redirect_to = \add_query_arg( 'bulk_cloned_skipped', $skipped, $redirect_to );
+		}
+		return $redirect_to;
 	}
 }

src/post-republisher.php

@@ -142,6 +142,14 @@ public function republish_request( $post ) {
 			return;
 		}
 
+		if ( ! \current_user_can( 'edit_post', $original_post->ID ) ) {
+			\wp_die(
+				\esc_html__( 'You are not allowed to republish this post.', 'duplicate-post' ),
+				\esc_html__( 'Permission denied', 'duplicate-post' ),
+				[ 'response' => 403 ]
+			);
+		}
+
 		$this->republish( $post, $original_post );
 
 		// Trigger the redirect in the Classic Editor.

src/watchers/bulk-actions-watcher.php

@@ -35,7 +35,9 @@ public function register_hooks() {
 	public function add_removable_query_args( $removable_query_args ) {
 		if ( \is_array( $removable_query_args ) ) {
 			$removable_query_args[] = 'bulk_cloned';
+			$removable_query_args[] = 'bulk_cloned_skipped';
 			$removable_query_args[] = 'bulk_rewriting';
+			$removable_query_args[] = 'bulk_rewriting_skipped';
 		}
 		return $removable_query_args;
 	}
@@ -62,6 +64,22 @@ public function add_bulk_clone_admin_notice() {
 				\esc_html( $copied_posts ),
 			);
 		}
+		if ( ! empty( $_REQUEST['bulk_cloned_skipped'] ) ) {
+			$skipped_posts = \intval( $_REQUEST['bulk_cloned_skipped'] );
+			\printf(
+				'<div id="message" class="notice notice-warning fade"><p>'
+				. \esc_html(
+					/* translators: %s: Number of posts skipped. */
+					\_n(
+						'%s item skipped due to insufficient permissions.',
+						'%s items skipped due to insufficient permissions.',
+						$skipped_posts,
+						'duplicate-post'
+					)
+				) . '</p></div>',
+				\esc_html( $skipped_posts )
+			);
+		}
 	}
 
 	/**
@@ -86,5 +104,21 @@ public function add_bulk_rewrite_and_republish_admin_notice() {
 				\esc_html( $copied_posts ),
 			);
 		}
+		if ( ! empty( $_REQUEST['bulk_rewriting_skipped'] ) ) {
+			$skipped_posts = \intval( $_REQUEST['bulk_rewriting_skipped'] );
+			\printf(
+				'<div id="message" class="notice notice-warning fade"><p>'
+				. \esc_html(
+					/* translators: %s: Number of posts skipped. */
+					\_n(
+						'%s item skipped due to insufficient permissions.',
+						'%s items skipped due to insufficient permissions.',
+						$skipped_posts,
+						'duplicate-post'
+					)
+				) . '</p></div>',
+				\esc_html( $skipped_posts )
+			);
+		}
 	}
 }