Yoast · leonidasmi · Feb 11, 2026 · Feb 3, 2026 · Feb 3, 2026 · Feb 3, 2026
diff --git a/src/handlers/bulk-handler.php b/src/handlers/bulk-handler.php
@@ -89,8 +89,13 @@ public function rewrite_bulk_action_handler( $redirect_to, $doaction, $post_ids
 		}
 
 		$counter = 0;
+		$skipped = 0;
 		if ( \is_array( $post_ids ) ) {
 			foreach ( $post_ids as $post_id ) {
+				if ( ! \current_user_can( 'edit_post', $post_id ) ) {
+					++$skipped;
+					continue;
+				}
 				$post = \get_post( $post_id );
 				if ( ! empty( $post ) && $this->permissions_helper->should_rewrite_and_republish_be_allowed( $post ) ) {
 					$new_post_id = $this->post_duplicator->create_duplicate_for_rewrite_and_republish( $post );
@@ -100,7 +105,11 @@ public function rewrite_bulk_action_handler( $redirect_to, $doaction, $post_ids
 				}
 			}
 		}
-		return \add_query_arg( 'bulk_rewriting', $counter, $redirect_to );
+		$redirect_to = \add_query_arg( 'bulk_rewriting', $counter, $redirect_to );
+		if ( $skipped > 0 ) {
+			$redirect_to = \add_query_arg( 'bulk_rewriting_skipped', $skipped, $redirect_to );
+		}
+		return $redirect_to;
 	}
 
 	/**
@@ -118,8 +127,13 @@ public function clone_bulk_action_handler( $redirect_to, $doaction, $post_ids )
 		}
 
 		$counter = 0;
+		$skipped = 0;
 		if ( \is_array( $post_ids ) ) {
 			foreach ( $post_ids as $post_id ) {
+				if ( ! \current_user_can( 'edit_post', $post_id ) ) {
+					++$skipped;
+					continue;
+				}
 				$post = \get_post( $post_id );
 				if ( ! empty( $post ) && ! $this->permissions_helper->is_rewrite_and_republish_copy( $post ) ) {
 					if ( \intval( \get_option( 'duplicate_post_copychildren' ) !== 1 )
@@ -133,6 +147,10 @@ public function clone_bulk_action_handler( $redirect_to, $doaction, $post_ids )
 				}
 			}
 		}
-		return \add_query_arg( 'bulk_cloned', $counter, $redirect_to );
+		$redirect_to = \add_query_arg( 'bulk_cloned', $counter, $redirect_to );
+		if ( $skipped > 0 ) {
+			$redirect_to = \add_query_arg( 'bulk_cloned_skipped', $skipped, $redirect_to );
+		}
+		return $redirect_to;
 	}
 }
diff --git a/src/post-republisher.php b/src/post-republisher.php
@@ -140,6 +140,14 @@ public function republish_request( $post ) {
 			return;
 		}
 
+		if ( ! \current_user_can( 'edit_post', $original_post->ID ) ) {
+			\wp_die(
+				\esc_html__( 'You are not allowed to republish this post.', 'duplicate-post' ),
+				\esc_html__( 'Permission denied', 'duplicate-post' ),
+				[ 'response' => 403 ]
+			);
+		}
+
 		$this->republish( $post, $original_post );
 
 		// Trigger the redirect in the Classic Editor.

diff --git a/src/watchers/bulk-actions-watcher.php b/src/watchers/bulk-actions-watcher.php
@@ -35,7 +35,9 @@ public function register_hooks() {
 	public function add_removable_query_args( $removable_query_args ) {
 		if ( \is_array( $removable_query_args ) ) {
 			$removable_query_args[] = 'bulk_cloned';
+			$removable_query_args[] = 'bulk_cloned_skipped';
 			$removable_query_args[] = 'bulk_rewriting';
+			$removable_query_args[] = 'bulk_rewriting_skipped';
 		}
 		return $removable_query_args;
 	}
@@ -62,6 +64,22 @@ public function add_bulk_clone_admin_notice() {
 				\esc_html( $copied_posts )
 			);
 		}
+		if ( ! empty( $_REQUEST['bulk_cloned_skipped'] ) ) {
+			$skipped_posts = \intval( $_REQUEST['bulk_cloned_skipped'] );
+			\printf(
+				'<div id="message" class="notice notice-warning fade"><p>'
+				. \esc_html(
+					/* translators: %s: Number of posts skipped. */
+					\_n(
+						'%s item skipped due to insufficient permissions.',
+						'%s items skipped due to insufficient permissions.',
+						$skipped_posts,
+						'duplicate-post'
+					)
+				) . '</p></div>',
+				\esc_html( $skipped_posts )
+			);
+		}
 	}
 
 	/**
@@ -86,5 +104,21 @@ public function add_bulk_rewrite_and_republish_admin_notice() {
 				\esc_html( $copied_posts )
 			);
 		}
+		if ( ! empty( $_REQUEST['bulk_rewriting_skipped'] ) ) {
+			$skipped_posts = \intval( $_REQUEST['bulk_rewriting_skipped'] );
+			\printf(
+				'<div id="message" class="notice notice-warning fade"><p>'
+				. \esc_html(
+					/* translators: %s: Number of posts skipped. */
+					\_n(
+						'%s item skipped due to insufficient permissions.',
+						'%s items skipped due to insufficient permissions.',
+						$skipped_posts,
+						'duplicate-post'
+					)
+				) . '</p></div>',
+				\esc_html( $skipped_posts )
+			);
+		}
 	}
 }
diff --git a/tests/Unit/Handlers/Bulk_Handler_Test.php b/tests/Unit/Handlers/Bulk_Handler_Test.php
@@ -0,0 +1,258 @@
+<?php
+
+namespace Yoast\WP\Duplicate_Post\Tests\Unit\Handlers;
+
+use Brain\Monkey;
+use Mockery;
+use WP_Post;
+use Yoast\WP\Duplicate_Post\Handlers\Bulk_Handler;
+use Yoast\WP\Duplicate_Post\Permissions_Helper;
+use Yoast\WP\Duplicate_Post\Post_Duplicator;
+use Yoast\WP\Duplicate_Post\Tests\Unit\TestCase;
+
+/**
+ * Test the Bulk_Handler class.
+ */
+final class Bulk_Handler_Test extends TestCase {
+
+	/**
+	 * Holds the permissions helper.
+	 *
+	 * @var Permissions_Helper|Mockery\Mock
+	 */
+	protected $permissions_helper;
+
+	/**
+	 * Holds the post duplicator.
+	 *
+	 * @var Post_Duplicator|Mockery\Mock
+	 */
+	protected $post_duplicator;
+
+	/**
+	 * The instance.
+	 *
+	 * @var Bulk_Handler|Mockery\Mock
+	 */
+	protected $instance;
+
+	/**
+	 * Sets the instance.
+	 *
+	 * @return void
+	 */
+	protected function set_up() {
+		parent::set_up();
+
+		$this->post_duplicator    = Mockery::mock( Post_Duplicator::class );
+		$this->permissions_helper = Mockery::mock( Permissions_Helper::class );
+
+		$this->instance = new Bulk_Handler( $this->post_duplicator, $this->permissions_helper );
+	}
+
+	/**
+	 * Tests the constructor.
+	 *
+	 * @covers \Yoast\WP\Duplicate_Post\Handlers\Bulk_Handler::__construct
+	 *
+	 * @return void
+	 */
+	public function test_constructor() {
+		$this->assertInstanceOf(
+			Post_Duplicator::class,
+			$this->getPropertyValue( $this->instance, 'post_duplicator' )
+		);
+
+		$this->assertInstanceOf(
+			Permissions_Helper::class,
+			$this->getPropertyValue( $this->instance, 'permissions_helper' )
+		);
+	}
+
+	/**
+	 * Tests that clone_bulk_action_handler returns early when action is not clone.
+	 *
+	 * @covers \Yoast\WP\Duplicate_Post\Handlers\Bulk_Handler::clone_bulk_action_handler
+	 *
+	 * @return void
+	 */
+	public function test_clone_bulk_action_handler_returns_early_for_wrong_action() {
+		$redirect_to = 'http://example.com/wp-admin/edit.php';
+
+		$result = $this->instance->clone_bulk_action_handler( $redirect_to, 'trash', [ 1, 2 ] );
+
+		$this->assertEquals( $redirect_to, $result );
+	}
+
+	/**
+	 * Tests that clone_bulk_action_handler skips posts user cannot edit.
+	 *
+	 * @covers \Yoast\WP\Duplicate_Post\Handlers\Bulk_Handler::clone_bulk_action_handler
+	 *
+	 * @return void
+	 */
+	public function test_clone_bulk_action_handler_skips_posts_user_cannot_edit() {
+		$redirect_to = 'http://example.com/wp-admin/edit.php';
+
+		Monkey\Functions\expect( 'current_user_can' )
+			->with( 'edit_post', 1 )
+			->andReturn( false );
+
+		Monkey\Functions\expect( 'current_user_can' )
+			->with( 'edit_post', 2 )
+			->andReturn( false );
+
+		Monkey\Functions\expect( 'add_query_arg' )
+			->andReturnUsing(
+				static function ( $key, $value, $url ) {
+					return $url . ( ( \strpos( $url, '?' ) === false ) ? '?' : '&' ) . $key . '=' . $value;
+				}
+			);
+
+		$result = $this->instance->clone_bulk_action_handler( $redirect_to, 'duplicate_post_bulk_clone', [ 1, 2 ] );
+
+		$this->assertStringContainsString( 'bulk_cloned=0', $result );
+		$this->assertStringContainsString( 'bulk_cloned_skipped=2', $result );
+	}
+
+	/**
+	 * Tests that clone_bulk_action_handler processes posts user can edit.
+	 *
+	 * @covers \Yoast\WP\Duplicate_Post\Handlers\Bulk_Handler::clone_bulk_action_handler
+	 *
+	 * @return void
+	 */
+	public function test_clone_bulk_action_handler_processes_posts_user_can_edit() {
+		$redirect_to     = 'http://example.com/wp-admin/edit.php';
+		$post            = Mockery::mock( WP_Post::class );
+		$post->ID        = 1;
+		$post->post_type = 'post';
+
+		Monkey\Functions\expect( 'current_user_can' )
+			->with( 'edit_post', 1 )
+			->andReturn( true );
+
+		Monkey\Functions\expect( 'get_post' )
+			->with( 1 )
+			->andReturn( $post );
+
+		$this->permissions_helper
+			->expects( 'is_rewrite_and_republish_copy' )
+			->with( $post )
+			->andReturn( false );
+
+		Monkey\Functions\expect( 'get_option' )
+			->with( 'duplicate_post_copychildren' )
+			->andReturn( 0 );
+
+		Monkey\Functions\expect( 'is_post_type_hierarchical' )
+			->with( 'post' )
+			->andReturn( false );
+
+		Monkey\Functions\expect( 'duplicate_post_create_duplicate' )
+			->with( $post )
+			->andReturn( 2 );
+
+		Monkey\Functions\expect( 'is_wp_error' )
+			->with( 2 )
+			->andReturn( false );
+
+		Monkey\Functions\expect( 'add_query_arg' )
+			->with( 'bulk_cloned', 1, $redirect_to )
+			->andReturn( $redirect_to . '?bulk_cloned=1' );
+
+		$result = $this->instance->clone_bulk_action_handler( $redirect_to, 'duplicate_post_bulk_clone', [ 1 ] );
+
+		$this->assertEquals( $redirect_to . '?bulk_cloned=1', $result );
+	}
+
+	/**
+	 * Tests that rewrite_bulk_action_handler returns early when action is not rewrite.
+	 *
+	 * @covers \Yoast\WP\Duplicate_Post\Handlers\Bulk_Handler::rewrite_bulk_action_handler
+	 *
+	 * @return void
+	 */
+	public function test_rewrite_bulk_action_handler_returns_early_for_wrong_action() {
+		$redirect_to = 'http://example.com/wp-admin/edit.php';
+
+		$result = $this->instance->rewrite_bulk_action_handler( $redirect_to, 'trash', [ 1, 2 ] );
+
+		$this->assertEquals( $redirect_to, $result );
+	}
+
+	/**
+	 * Tests that rewrite_bulk_action_handler skips posts user cannot edit.
+	 *
+	 * @covers \Yoast\WP\Duplicate_Post\Handlers\Bulk_Handler::rewrite_bulk_action_handler
+	 *
+	 * @return void
+	 */
+	public function test_rewrite_bulk_action_handler_skips_posts_user_cannot_edit() {
+		$redirect_to = 'http://example.com/wp-admin/edit.php';
+
+		Monkey\Functions\expect( 'current_user_can' )
+			->with( 'edit_post', 1 )
+			->andReturn( false );
+
+		Monkey\Functions\expect( 'current_user_can' )
+			->with( 'edit_post', 2 )
+			->andReturn( false );
+
+		Monkey\Functions\expect( 'add_query_arg' )
+			->andReturnUsing(
+				static function ( $key, $value, $url ) {
+					return $url . ( ( \strpos( $url, '?' ) === false ) ? '?' : '&' ) . $key . '=' . $value;
+				}
+			);
+
+		$result = $this->instance->rewrite_bulk_action_handler( $redirect_to, 'duplicate_post_bulk_rewrite_republish', [ 1, 2 ] );
+
+		$this->assertStringContainsString( 'bulk_rewriting=0', $result );
+		$this->assertStringContainsString( 'bulk_rewriting_skipped=2', $result );
+	}
+
+	/**
+	 * Tests that rewrite_bulk_action_handler processes posts user can edit.
+	 *
+	 * @covers \Yoast\WP\Duplicate_Post\Handlers\Bulk_Handler::rewrite_bulk_action_handler
+	 *
+	 * @return void
+	 */
+	public function test_rewrite_bulk_action_handler_processes_posts_user_can_edit() {
+		$redirect_to       = 'http://example.com/wp-admin/edit.php';
+		$post              = Mockery::mock( WP_Post::class );
+		$post->ID          = 1;
+		$post->post_status = 'publish';
+
+		Monkey\Functions\expect( 'current_user_can' )
+			->with( 'edit_post', 1 )
+			->andReturn( true );
+
+		Monkey\Functions\expect( 'get_post' )
+			->with( 1 )
+			->andReturn( $post );
+
+		$this->permissions_helper
+			->expects( 'should_rewrite_and_republish_be_allowed' )
+			->with( $post )
+			->andReturn( true );
+
+		$this->post_duplicator
+			->expects( 'create_duplicate_for_rewrite_and_republish' )
+			->with( $post )
+			->andReturn( 2 );
+
+		Monkey\Functions\expect( 'is_wp_error' )
+			->with( 2 )
+			->andReturn( false );
+
+		Monkey\Functions\expect( 'add_query_arg' )
+			->with( 'bulk_rewriting', 1, $redirect_to )
+			->andReturn( $redirect_to . '?bulk_rewriting=1' );
+
+		$result = $this->instance->rewrite_bulk_action_handler( $redirect_to, 'duplicate_post_bulk_rewrite_republish', [ 1 ] );
+
+		$this->assertEquals( $redirect_to . '?bulk_rewriting=1', $result );
+	}
+}