Merge branch 'develop'

Author: tlovett1

Gruntfile.js

@@ -15,7 +15,8 @@ module.exports = function ( grunt ) {
 		jshint : {
 			options : {
 				smarttabs : true
-			}
+			},
+			all: ['js/*']
 		},
 		sass : {
 			dist : {

bower.json

@@ -1,6 +1,6 @@
 {
   "name": "editorial-access-manager-wp",
-  "version": "0.2.0",
+  "version": "0.3.1",
   "homepage": "https://github.com/tlovett1/editorial-access-manager",
   "authors": [
     "Taylor Lovett <[email protected]>"

classes/class-editorial-access-manager.php

@@ -128,17 +128,17 @@ public function filter_map_meta_cap( $caps, $cap, $user_id, $args ) {
 				// If user is admin, we do nothing
 				if ( ! in_array( 'administrator', $user->roles ) ) {
 
-					if ( 'roles' == $enable_custom_access ) {
+					if ( 'roles' === $enable_custom_access ) {
 						// Limit access to whitelisted roles
 
 						$allowed_roles = (array) get_post_meta( $post_id, 'eam_allowed_roles', true );
 
-						if ( count( array_diff( $user->roles, $allowed_roles ) ) >= 1 ) {
+						if ( empty( $user->roles ) || count( array_diff( $user->roles, $allowed_roles ) ) >= 1 ) {
 							$caps[] = 'do_not_allow';
 						} else {
 							$caps = array();
 						}
-					} elseif ( 'users' == $enable_custom_access ) {
+					} elseif ( 'users' === $enable_custom_access ) {
 						// Limit access to whitelisted users
 
 						$allowed_users = (array) get_post_meta( $post_id, 'eam_allowed_users', true );

editorial-access-manager.php

@@ -4,7 +4,7 @@
  * Plugin URI: http://www.taylorlovett.com
  * Description: Allow for granular editorial access control for all post types
  * Author: Taylor Lovett
- * Version: 0.3.0
+ * Version: 0.3.1
  * Author URI: http://www.taylorlovett.com
  */
 

languages/editorial-access-manager.pot

@@ -2,17 +2,17 @@
 # This file is distributed under the same license as the Editorial Access Manager package.
 msgid ""
 msgstr ""
-"Project-Id-Version: Editorial Access Manager 0.1.1\n"
+"Project-Id-Version: Editorial Access Manager 0.3.1\n"
 "Report-Msgid-Bugs-To: "
 "https://github.com/tlovett1/editorial-access-manager/issues\n"
-"POT-Creation-Date: 2014-10-08 19:32:32+00:00\n"
+"POT-Creation-Date: 2014-11-26 15:26:48+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "PO-Revision-Date: 2014-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <[email protected]>\n"
-"X-Generator: grunt-wp-i18n 0.4.8\n"
+"X-Generator: grunt-wp-i18n 0.4.9\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
 "X-Poedit-Basepath: .\n"
 "X-Poedit-Language: English\n"
@@ -29,34 +29,38 @@ msgstr ""
 msgid "Editorial Access Manager"
 msgstr ""
 
-#: classes/class-editorial-access-manager.php:269
+#: classes/class-editorial-access-manager.php:346
 msgid "Enable custom access management by"
 msgstr ""
 
-#: classes/class-editorial-access-manager.php:271
-#: classes/class-editorial-access-manager.php:365
+#: classes/class-editorial-access-manager.php:348
+msgid "&mdash; No Change &mdash;"
+msgstr ""
+
+#: classes/class-editorial-access-manager.php:349
+#: classes/class-editorial-access-manager.php:443
 msgid "Off"
 msgstr ""
 
-#: classes/class-editorial-access-manager.php:272
-#: classes/class-editorial-access-manager.php:340
+#: classes/class-editorial-access-manager.php:350
+#: classes/class-editorial-access-manager.php:418
 msgid "Roles"
 msgstr ""
 
-#: classes/class-editorial-access-manager.php:273
-#: classes/class-editorial-access-manager.php:353
+#: classes/class-editorial-access-manager.php:351
+#: classes/class-editorial-access-manager.php:431
 msgid "Users"
 msgstr ""
 
-#: classes/class-editorial-access-manager.php:278
+#: classes/class-editorial-access-manager.php:356
 msgid "Manage access for roles:"
 msgstr ""
 
-#: classes/class-editorial-access-manager.php:293
+#: classes/class-editorial-access-manager.php:371
 msgid "Manage access for users:"
 msgstr ""
 
-#: classes/class-editorial-access-manager.php:319
+#: classes/class-editorial-access-manager.php:398
 msgid "Editorial access"
 msgstr ""
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "editorial-access-manager-wp",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "repository": {
     "type": "git",
     "url": "https://github.com/tlovett1/editorial-access-manager.git"

readme.txt

@@ -4,7 +4,7 @@ Donate link: http://www.taylorlovett.com
 Tags: editorial access management, user roles, user capabilities, role management, user permissions, administrator permissions
 Requires at least: 3.6
 Tested up to: 4.1
-Stable tag: 0.3.0
+Stable tag: 0.3.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -48,6 +48,9 @@ the sidebar.
 
 == Changelog ==
 
+= 0.3.1 =
+* Fix bug where logged out user could edit role restricted post [@tripgrass](https://github.com/tripgrass)
+
 = 0.3.0 =
 * Bulk edit access. Props [@marcochiesi](https://github.com/marcochiesi)
 * Filterable post types. Props [@marcochiesi](https://github.com/marcochiesi)

tests/test-core.php

@@ -362,4 +362,42 @@ public function testPageEditByNonWhitelistedEditorUser() {
 
 		$this->assertTrue( ! ( current_user_can( 'edit_page', $page_id ) && current_user_can( 'publish_posts' ) && current_user_can( 'edit_others_posts' ) ) );
 	}
+
+	/**
+	 * Test an edit of a role restricted post by a logged out user
+	 *
+	 * @since 0.3.1
+	 */
+	public function testLoggedOutUserRoleAccess() {
+		wp_set_current_user( 0 );
+
+		$page_id = $this->factory->post->create( array( 'post_type' => 'page' ) );
+
+		$this->_configureAccess( $page_id, 'roles', array( 'editor' ) );
+
+		$_POST['post_ID'] = $page_id;
+		$_GET['post'] = $page_id;
+
+		$this->assertTrue( ! current_user_can( 'edit_page', $page_id ) );
+	}
+
+	/**
+	 * Test an edit of a user restricted post by a logged out user
+	 *
+	 * @since 0.3.1
+	 */
+	public function testLoggedOutUserUserAccess() {
+		$page_id = $this->factory->post->create( array( 'post_type' => 'page' ) );
+
+		$user = $this->_createAndSignInUser( 'author' );
+
+		$this->_configureAccess( $page_id, 'users', array(), array( $user->ID ) );
+
+		wp_set_current_user( 0 );
+
+		$_POST['post_ID'] = $page_id;
+		$_GET['post'] = $page_id;
+
+		$this->assertTrue( ! current_user_can( 'edit_page', $page_id ) );
+	}
 }