Support » Plugin: Revisionize » Permissions/capability issue

  • Resolved 9Xpi

    (@9xpi)


    Very nice plugin @jamiechong, it’s simple but works.

    However I’ve spotted a permissions issue.

    If a user has the ‘publish_posts’ capability, this means they can only publish their own posts, not other users’. However using this plugin they can Revisionize someone else’s post, and then Publish that, which then overwrites the other person’s original post.

    I guess there needs to be a check to see if the original post’s author matches the logged-in user, and only allow a Revisionize draft to be Published then.

    What do you think?

    • This topic was modified 2 years, 10 months ago by 9Xpi.
Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author jamiechong

    (@jamiechong)

    Sounds like you’re right. I haven’t tested extensively with different user permissions, but I agree this should be fixed.

    If possible, could you provide an explicit list of steps to show this bug? For example, are you using another role/capabilities plugin or just using built in Editor, Contributor, Admin roles?

    Sure. I used the User Role Editor plugin to create a new Role and I gave it the following Post capabilities:

    • create_posts
    • delete_posts
    • delete_published_posts
    • edit_posts
    • edit_published_posts
    • publish_posts

    1. Sign in with a user that’s been assigned this Role.
    2. You’ll see other users’ posts that you can’t edit, choose to Revisionize one.
    3. Now that you’re the owner of this Revisionized draft post, you have the capability to Publish it, thus overwriting the original post.

    I guess we’d need to remove the Publish button and only allow them to save this Draft? Ideally we should check to see if they’re the owner of the original post and only allow them to Publish if they are, although this might be a bit tricky.

    Plugin Author jamiechong

    (@jamiechong)

    I’m able to reproduce the issue and yes, it’s a tricky one to solve. Is it too naive to just disallow users from Revisionizing others’ posts unless they also have the edit_others_posts capability?

    Plugin Author jamiechong

    (@jamiechong)

    I’ve made it such that users can only revisionize posts that they can also edit.

    I spent some time trying, but was unsuccessful implementing the “Submit for Review” workflow. Regardless, version 1.1.0 should resolve the main permissions problem.

    Please let me know if you see any other issues!

    Great news jamiechong, thanks for your time.

    I think that solution sounds like a good one. If I have some time in the future, I’ll try and take a look at it as well.

    I’ve been having a think about this solution and I guess it depends on different individual use-cases. For the time being I’m partly reverting back to the previous version as I need some users to be able to Revisionize someone else’s post (just not Publish it)

    My temporary solution will be to only give the capabilities create_posts and edit_posts. It will be the job of the Admin/Editor to Publish the final version.

    In the future I’ll also have a look at the “Submit for Review” work-flow as I think this will be a better solution.

    I like your plugin and thank you for sharing.

    I am using WordPress like a content management system and Marketing wants to be able to review any and all page edits made by the Sales team before they get published. Revisionize works well for this for new pages, but if the page is already published, I have conflicts. I can either give sales publish_pages and then they can revisionize published stuff, but they also get an Update button which just updates the published page without marketing review, or marketing has to press the revisionize button, then sales edits and submits for review. Then marketing publishes and presses the revisionize button so that sales can edit it again.

    Seems like it would be good if there was a revisionize capability that you could grant to users or roles which would separate the creation of revisions from the publishing.

    It would also be handy to have a notification when a post or page was submitted for review.

    Morning

    Just to add to the ticket (even though resolved) we use Jamie’s excellent plugin alongside URE (User Role Editor) to enable colleagues to make amends to published content including others’ content and then submit this for approval by the central communications team.

    The client I am working for uses a page builder (Beaverbuilder) which creates some unique challenges as it uses core WP capabilities, so it doesn’t matter what you do with URE as when you hit Pagebuilder (as an end user) these are overwritten. This is where Revisionize comes in. I have used URE to add capabilities to Contributor role so they only have the option to “view” or “revisionize” published/live content. Once they revisionize, this then creates a draft (whilst retaining the original live on the site). They then use Pagebuilder to make amends and then they can submit for review.

    This pushes the changed version into pending status which can be seen from the main page view by Comms. They can then go in and check the revision using the WordPress compare versions function and if required either just update from the backend and this is pushed live or go to Pagebuilder to check the formatting etc.

    They then have to go and clean-up the pages and put the revision draft (original) in the bin etc.

    We have retained version 1.0.1 as whilst the change in 1.1 to retain original author is great, the restriction on editing content etc. made the set-up with URE we had not work. We have however isolated the snippet that deals with the retain author and added this into version 1.0.1.

    Any queries please fire away and apologies for any typos my fingers are freezing and I subsequently can’t type.

    Anthony

    • This reply was modified 2 years, 9 months ago by slackadder.

    What configuration of capabilities enables colleagues to amend published content and submit for approval?

    Hi MTbikes

    What are you using – just Core WP or a Pagebuilder like my client? We had the issue that to allow colleagues to edit content (without) URE this would then allow them (using Pagebuilder) if they could edit a published page then they could then publish without any approval – it’s pretty complicated to explain.

    Using Revisionize we can really dumb down the rights of users (or in effect upskill contributor role) to only allow view or revisionize and when this becomes a new draft and then the usual workflow will apply (core WP).

    Sorry if this isn’t clear but happy to try and help further.

    Anthony

    Plugin Author jamiechong

    (@jamiechong)

    Hi Everyone, I’m hearing what you all are saying. It’s great feedback. I understand for the most part the use-case you’re looking for. As soon as I have some time (active on another project right now) I’ll try to tackle this. I need to figure out a safe way to implement it as we don’t want users with limited permissions overwriting posts/pages they couldn’t otherwise edit.

    It sounds like some of you are able to use work-arounds for now. Thanks for your patience!
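
A simplified Python model of the flaw discussed in this thread and of the two places an ownership check can go (when the revision draft is created, which is the rule version 1.1.0 is described as applying, or when it is published), added here as an illustration; it is not code from the plugin or from any participant. The `revision_of` field, the function names and the sample data are assumptions, and `can_edit` is a reduced version of WordPress's `edit_post` capability mapping.

```python
from dataclasses import dataclass

ROLE = {"create_posts", "delete_posts", "delete_published_posts",  # role from the thread:
        "edit_posts", "edit_published_posts", "publish_posts"}     # no edit_others_posts

@dataclass
class Post:
    id: int
    author: str
    status: str           # "publish" or "draft"
    content: str
    revision_of: int = 0  # hypothetical link from a revision draft to its original

def can_edit(caps, user, post):
    """Simplified 'edit_post' mapping; private/future/trash states omitted."""
    published = post.status == "publish"
    if post.author == user:
        need = {"edit_published_posts"} if published else {"edit_posts"}
    else:
        need = {"edit_others_posts"} | ({"edit_published_posts"} if published else set())
    return need <= caps

def revisionize(posts, caps, user, original_id, check_original=False):
    original = posts[original_id]
    if check_original and not can_edit(caps, user, original):
        raise PermissionError("cannot revisionize a post you cannot edit")
    draft = Post(max(posts) + 1, user, "draft", original.content, original_id)
    posts[draft.id] = draft            # the cloning user owns the draft
    return draft

def publish_revision(posts, caps, user, draft_id, check_original=False):
    draft = posts[draft_id]
    original = posts[draft.revision_of]
    if "publish_posts" not in caps or not can_edit(caps, user, draft):
        raise PermissionError("cannot publish this draft")
    if check_original and not can_edit(caps, user, original):
        raise PermissionError("cannot overwrite a post you cannot edit")
    original.content = draft.content   # the revision replaces the live post

def scenario(user, clone_check, publish_check):
    """Constructed data: alice owns live post 1; `user` tries to replace it."""
    posts = {1: Post(1, "alice", "publish", "original text")}
    try:
        draft = revisionize(posts, ROLE, user, 1, clone_check)
        draft.content = "replaced text"
        publish_revision(posts, ROLE, user, draft.id, publish_check)
    except PermissionError as err:
        return posts[1].content, str(err)
    return posts[1].content, None
```

With only the publish-time check enabled, a non-owner can still create and edit a revision draft but cannot push it over the original, which is the separation several replies ask for.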

  • The topic ‘Permissions/capability issue’ is closed to new replies.