Fix: Revisors could Quick Edit published posts

.gitignore

@@ -17,3 +17,5 @@ wp-content/plugins/hello.php
 /sitemap.xml
 /sitemap.xml.gz
 
+.idea/*.*
+.vscode/*.*

readme.txt

@@ -47,7 +47,8 @@ Revisionary enables qualified users to submit changes to currently published pos
 
 == Changelog ==
 
-= 1.3.8 - 15 Jul 2019 =
+= 1.3.8 - 30 Aug 2019 =
+* Fixed : Revisors could Quick Edit published posts (changing post title, slug, author, date, parent or template) since version 1.3. This could be used to unpublish (but not publish) posts. Sites also running PressPermit Pro were not affected.
 * Compat : PressPermit Pro - Under some configurations, Revisors were not allowed appropriate access (due to publish capability check)
 
 = 1.3.7 - 24 May 2019 =
@@ -364,6 +365,9 @@ Initial release.  Feature Changes and Bug Fixes are vs. Pending Revisions functi
 
 == Upgrade Notice ==
 
+= 1.3.8 =
+SECURITY FIX: Revisors could Quick Edit published posts (see Change Log for details)
+
 = 1.2.3 =
 Important Fix: Scheduled Revision publication failure with runaway email notifications (since 1.2)
 

revisionary_main.php

@@ -210,6 +210,10 @@ function flt_user_has_cap($wp_blogcaps, $reqd_caps, $args)	{
 		else
 			$object_type = rvy_detect_post_type();
 
+		if (!empty($_REQUEST['action']) && ('inline-save' == $_REQUEST['action']) && ('revision' != $post->post_type)) {
+			$this->skip_revision_allowance = true;
+		}
+
 		if ( rvy_get_option( 'revisor_lock_others_revisions' ) ) {
 			if ( $post ) {
 				// Revisors are enabled to edit other users' posts for revision, but cannot edit other users' revisions unless cap is explicitly set sitewide