This is actually not hard. To add a new capability, call WP_Roles->add_cap(). You have to do this just once, because it will be stored in the database. So we use a plugin activation hook.
Note to other readers: All of the following code is plugin territory.
register_activation_hook( __FILE__, 'epp_add_cap' );
/**
* Add new capability to "editor" role.
*
* @wp-hook "activate_" . __FILE__
* @return void
*/
function epp_add_cap()
{
global $wp_roles;
if ( ! isset( $wp_roles ) )
$wp_roles = new WP_Roles;
$wp_roles->add_cap( 'editor', 'edit_pending_posts' );
}
Now we have to filter all calls for …
current_user_can( $post_type_object->cap->edit_post, $post->ID );
… because that is how WordPress checks if an user can edit a post. Internally, this will be mapped to the edit_others_posts capability for other authors posts.
So we have to filter user_has_cap and look into our new edit_pending_posts capability when some wants to use the edit_post capability.
I have included delete_post too, because this also a kind of an edit.
Sound complicated, but it is really simple:
add_filter( 'user_has_cap', 'epp_filter_cap', 10, 3 );
/**
* Allow editing others pending posts only with "edit_pending_posts" capability.
* Administrators can still edit those posts.
*
* @wp-hook user_has_cap
* @param array $allcaps All the capabilities of the user
* @param array $caps [0] Required capability ('edit_others_posts')
* @param array $args [0] Requested capability
* [1] User ID
* [2] Post ID
* @return array
*/
function epp_filter_cap( $allcaps, $caps, $args )
{
// Not our capability
if ( ( 'edit_post' !== $args[0] && 'delete_post' !== $args[0] )
or empty ( $allcaps['edit_pending_posts'] )
)
return $allcaps;
$post = get_post( $args[2] );
// Let users edit their own posts
if ( (int) $args[1] === (int) $post->post_author
and in_array(
$post->post_status,
array ( 'draft', 'pending', 'auto-draft' )
)
)
{
$allcaps[ $caps[0] ] = TRUE;
}
elseif ( 'pending' !== $post->post_status )
{ // Not our post status
$allcaps[ $caps[0] ] = FALSE;
}
return $allcaps;
}