diff --git a/wp-admin/post.php b/wp-admin/post.php
index 7c24e3015..34704c6d6 100644
--- a/wp-admin/post.php
+++ b/wp-admin/post.php
@@ -40,6 +40,10 @@ case 'post':
$standalone = 1;
require_once('admin-header.php');
+ if (!user_can_create_draft($user_ID)) {
+ die('You are not allowed to create posts or drafts on this blog.');
+ }
+
$post_ID = $wpdb->get_var("SELECT MAX(ID) FROM $wpdb->posts") + 1;
$post_pingback = intval($_POST['post_pingback']);
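Review bot: The new guard at the top of this hunk keys on `$user_ID`, but nothing visible in the 'post' case populates it; the comment cases in this file call `get_currentuserinfo()` first, so confirm admin-header.php sets the global here or add the same call before the check. The rejection message is a bare string whereas every other `die()` in this file wraps its text in `__()`, so consider `die(__('You are not allowed to create posts or drafts on this blog.'));` for consistency. The 'post' case continues outside this hunk.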
@@ -59,7 +63,7 @@ case 'post':
if ( empty($post_status) )
$post_status = 'draft';
// Double-check
- if ( 'publish' == $post_status && 1 == $user_level && 2 != get_option('new_users_can_blog') )
+ if ( 'publish' == $post_status && (!user_can_create_post($user_ID)) && 2 != get_option('new_users_can_blog') )
$post_status = 'draft';
$comment_status = $_POST['comment_status'];
if ( empty($comment_status) )
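Review bot: The rewritten condition keeps `2 != get_option('new_users_can_blog')`, so a user for whom `user_can_create_post()` is false is still allowed to publish whenever that option is 2. If the capability helper already folds that option in, the clause is redundant; if it does not, it is an escape hatch around the new capability layer, and the line should read `if ( 'publish' == $post_status && !user_can_create_post($user_ID) )`. I cannot see the helper, so this needs confirming against its definition.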
@@ -79,10 +83,7 @@ case 'post':
$trackback = $_POST['trackback_url'];
$trackback = preg_replace('|\s+|', "\n", $trackback);
- if ($user_level == 0)
- die (__('Cheatin’ uh?'));
-
- if (($user_level > 4) && (!empty($_POST['edit_date']))) {
+ if (user_can_set_post_date($user_ID) && (!empty($_POST['edit_date']))) {
$aa = $_POST['aa'];
$mm = $_POST['mm'];
$jj = $_POST['jj'];
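Review bot: This hunk uses `user_can_set_post_date($user_ID)` while the equivalent checks in the 'edit' and 'editedcomment' cases use `user_can_edit_post_date($user_ID, $post_ID)`; if both helpers exist and differ on purpose, a one-line comment stating why a new post uses the one-argument form would help, otherwise pick one name. Dropping the `$user_level == 0` die here is only safe because the `user_can_create_draft()` guard was added earlier in the same case, so the two hunks must land together.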
@@ -184,12 +185,12 @@ case 'edit':
require_once('admin-header.php');
$post = $post_ID = $p = (int) $_GET['post'];
- if ($user_level > 0) {
- $postdata = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID = '$post_ID'");
- $authordata = get_userdata($postdata->post_author);
- if ($user_level < $authordata->user_level)
- die ('You don’t have the right to edit '.$authordata[1].'’s posts.');
+ if (!user_can_edit_post($user_ID, $post_ID)) {
+ die ('You are not allowed to edit this post.');
+ }
+
+ $postdata = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID = '$post_ID'");
$content = $postdata->post_content;
$content = format_to_edit($content);
$content = apply_filters('content_edit_pre', $content);
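Review bot: The re-added `$postdata = $wpdb->get_row(...)` is dereferenced on the next line without checking that a row came back, while the 'delete' case guards the same lookup with `or die(...)`; a missing or already-deleted post ID produces warnings here rather than a clear response. Suggest `$postdata = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID = '$post_ID'") or die(__('Oops, no post with this ID. Go back!'));`. Note `$post_ID` is cast with `(int)` two lines up, so the interpolation into the query is bounded. The new rejection message is also not wrapped in `__()` like the rest of the file.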
@@ -229,14 +230,6 @@ echo $content;
-
-You can also e-mail the admin to ask for a promotion.
-When you’re promoted, just reload this page and you’ll be able to blog. :)'), get_settings('admin_email')); ?>
-
- 4) && (!empty($_POST['edit_date']))) {
+ if (user_can_edit_post_date($user_ID, $post_ID) && (!empty($_POST['edit_date']))) {
$aa = $_POST['aa'];
$mm = $_POST['mm'];
$jj = $_POST['jj'];
@@ -442,15 +436,10 @@ case 'delete':
check_admin_referer();
- if ($user_level == 0)
- die ('Cheatin’ uh?');
-
$post_id = intval($_GET['post']);
- $postdata = $post = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID = '$post_id'") or die(sprintf(__('Oops, no post with this ID. Go back!'), 'post.php'));
- $authordata = get_userdata($postdata->post_author);
-
- if ($user_level < $authordata->user_level)
- die (sprintf(__('You don’t have the right to delete %s’s posts.'), $authordata[1]));
+ if (!user_can_delete_post($user_ID, $post_id)) {
+ die('You are not allowed to delete this post.');
+ }
$result = $wpdb->query("DELETE FROM $wpdb->posts WHERE ID=$post_id");
if (!$result)
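Review bot: Removing the `$postdata = $post = ... or die(...)` lookup changes two things the commit does not address: a nonexistent post ID no longer gets the "no post with this ID" response and instead depends on `user_can_delete_post()` rejecting an unknown ID, and `$post`/`$postdata` are no longer assigned, so any code later in this case (outside the hunk) that reads them now sees unset variables. Keeping the lookup before the capability check avoids both: `$postdata = $post = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID = '$post_id'") or die(sprintf(__('Oops, no post with this ID. Go back!'), 'post.php'));`. The new message should also go through `__()`. The 'delete' case continues outside this hunk.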
@@ -477,12 +466,13 @@ case 'editcomment':
get_currentuserinfo();
- if ($user_level == 0) {
- die (__('Cheatin’ uh?'));
- }
-
$comment = $_GET['comment'];
$commentdata = get_commentdata($comment, 1, true) or die(sprintf(__('Oops, no comment with this ID. Go back!'), 'javascript:history.go(-1)'));
+
+ if (!user_can_edit_post_comments($user_ID, $commentdata['comment_post_id'])) {
+ die('You are not allowed to edit comments on this post.');
+ }
+
$content = $commentdata['comment_content'];
$content = format_to_edit($content);
$content = apply_filters('comment_edit_pre', $content);
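Review bot: With the blanket `$user_level == 0` gate removed, `get_commentdata(...) or die('Oops, no comment with this ID')` now runs before any authorization check, so whoever reaches this page (depending on what admin-header.php enforces, which I cannot see) can learn which comment IDs exist before being told they are not allowed. The same ordering appears in the 'confirmdeletecomment', 'unapprovecomment', 'mailapprovecomment' and 'approvecomment' hunks. The lookup is needed to know the post, but a cheap general check before it, or returning the same response for "not found" and "not allowed", closes the probe. The case continues outside this hunk.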
@@ -496,13 +486,14 @@ case 'confirmdeletecomment':
$standalone = 0;
require_once('./admin-header.php');
-if ($user_level == 0)
- die (__('Cheatin’ uh?'));
-
$comment = $_GET['comment'];
$p = $_GET['p'];
$commentdata = get_commentdata($comment, 1, true) or die(sprintf(__('Oops, no comment with this ID. Go back!'), 'edit.php'));
+if (!user_can_delete_post_comments($user_ID, $commentdata['comment_post_id'])) {
+ die('You are not allowed to delete comments on this post.');
+}
+
echo "\n";
echo "
" . __('Caution: You are about to delete the following comment:') . "
\n";
echo "
\n";
@@ -533,10 +524,6 @@ require_once('./admin-header.php');
check_admin_referer();
-if ($user_level == 0)
- die (__('Cheatin’ uh?'));
-
-
$comment = $_GET['comment'];
$p = $_GET['p'];
if (isset($_GET['noredir'])) {
@@ -548,9 +535,9 @@ if (isset($_GET['noredir'])) {
$postdata = get_postdata($p) or die(sprintf(__('Oops, no post with this ID. Go back!'), 'edit.php'));
$commentdata = get_commentdata($comment, 1, true) or die(sprintf(__('Oops, no comment with this ID. Go back!'), 'post.php'));
-$authordata = get_userdata($postdata['Author_ID']);
-if ($user_level < $authordata->user_level)
- die (sprintf(__('You don’t have the right to delete %1$s’s post comments. Go back!'), $authordata->user_nickname, 'post.php'));
+if (!user_can_delete_post_comments($user_ID, $commentdata['comment_post_id'])) {
+ die('You are not allowed to edit comments on this post.');
+}
wp_set_comment_status($comment, "delete");
do_action('delete_comment', $comment);
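Review bot: The rejection text on the delete path says "edit comments" — a copy-paste from the edit cases; it should read `die('You are not allowed to delete comments on this post.');` as in the 'confirmdeletecomment' hunk. Separately, the existence check still looks up `$p` from `$_GET['p']` while the new capability check uses `$commentdata['comment_post_id']`; the two can disagree, and `$postdata` appears to have lost its only consumer with the removed `$authordata` line. Either drop the `$p` lookup or assert that it matches the comment's stored post before acting.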
@@ -570,9 +557,6 @@ require_once('./admin-header.php');
check_admin_referer();
-if ($user_level == 0)
- die (__('Cheatin’ uh?'));
-
$comment = $_GET['comment'];
$p = $_GET['p'];
if (isset($_GET['noredir'])) {
@@ -583,6 +567,10 @@ if (isset($_GET['noredir'])) {
$commentdata = get_commentdata($comment) or die(sprintf(__('Oops, no comment with this ID. Go back!'), 'edit.php'));
+if (!user_can_edit_post_comments($user_ID, $commentdata['comment_post_id'])) {
+ die('You are not allowed to edit comments on this post, so you cannot disapprove this comment.');
+}
+
wp_set_comment_status($comment, "hold");
if (($_SERVER['HTTP_REFERER'] != "") && (false == $noredir)) {
@@ -598,13 +586,14 @@ case 'mailapprovecomment':
$standalone = 1;
require_once('./admin-header.php');
-if ($user_level == 0)
- die (__('Cheatin’ uh?'));
-
$comment = (int) $_GET['comment'];
$commentdata = get_commentdata($comment, 1, true) or die(sprintf(__('Oops, no comment with this ID. Go back!'), 'edit.php'));
+if (!user_can_edit_post_comments($user_ID, $commentdata['comment_post_id'])) {
+ die('You are not allowed to edit comments on this post, so you cannot approve this comment.');
+}
+
if ('1' != $commentdata['comment_approved']) {
wp_set_comment_status($comment, 'approve');
if (true == get_option('comments_notify'))
@@ -620,9 +609,6 @@ case 'approvecomment':
$standalone = 1;
require_once('./admin-header.php');
-if ($user_level == 0)
- die (__('Cheatin’ uh?'));
-
$comment = $_GET['comment'];
$p = $_GET['p'];
if (isset($_GET['noredir'])) {
@@ -632,6 +618,10 @@ if (isset($_GET['noredir'])) {
}
$commentdata = get_commentdata($comment) or die(sprintf(__('Oops, no comment with this ID. Go back!'), 'edit.php'));
+if (!user_can_edit_post_comments($user_ID, $commentdata['comment_post_id'])) {
+ die('You are not allowed to edit comments on this post, so you cannot approve this comment.');
+}
+
wp_set_comment_status($comment, "approve");
if (get_settings("comments_notify") == true) {
wp_notify_postauthor($comment);
@@ -651,16 +641,17 @@ case 'editedcomment':
$standalone = 1;
require_once('./admin-header.php');
- if ($user_level == 0)
- die (__('Cheatin’ uh?'));
-
$comment_ID = $_POST['comment_ID'];
$comment_post_ID = $_POST['comment_post_ID'];
$newcomment_author = $_POST['newcomment_author'];
$newcomment_author_email = $_POST['newcomment_author_email'];
$newcomment_author_url = $_POST['newcomment_author_url'];
- if (($user_level > 4) && (!empty($_POST['edit_date']))) {
+ if (!user_can_edit_post_comments($user_ID, $comment_post_ID)) {
+ die('You are not allowed to edit comments on this post, so you cannot edit this comment.');
+ }
+
+ if (user_can_edit_post_date($user_ID, $post_ID) && (!empty($_POST['edit_date']))) {
$aa = $_POST['aa'];
$mm = $_POST['mm'];
$jj = $_POST['jj'];
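Review bot: `user_can_edit_post_date($user_ID, $post_ID)` on the last added line references `$post_ID`, which is not assigned anywhere in the 'editedcomment' case; the post id this case has is `$comment_post_ID`, so the check runs against an undefined or stale value. More importantly, `$comment_post_ID` is taken straight from `$_POST`, so the `user_can_edit_post_comments()` check is keyed on a client-supplied post rather than the post the comment actually belongs to; resolve it from the stored comment as the other comment cases do. The enclosing case continues outside the hunk, so the later update still needs to use the resolved post id.

```php
$comment_ID = $_POST['comment_ID'];
// … unchanged: newcomment_* fields read from $_POST …
// Resolve the post from the stored comment, not from the submitted comment_post_ID.
$commentdata = get_commentdata($comment_ID, 1, true) or die(sprintf(__('Oops, no comment with this ID. Go back!'), 'edit.php'));
$comment_post_ID = $commentdata['comment_post_id'];
if (!user_can_edit_post_comments($user_ID, $comment_post_ID)) {
    die('You are not allowed to edit comments on this post, so you cannot edit this comment.');
}

if (user_can_edit_post_date($user_ID, $comment_post_ID) && (!empty($_POST['edit_date']))) {
```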
@@ -698,7 +689,7 @@ default:
$title = __('Create New Post');
require_once ('./admin-header.php');
- if ($user_level > 0) {
+ if (user_can_create_draft($user_ID)) {
$action = 'post';
get_currentuserinfo();
$drafts = $wpdb->get_results("SELECT ID, post_title FROM $wpdb->posts WHERE post_status = 'draft' AND post_author = $user_ID");