Ticket #35614: 35614.2.patch
File 35614.2.patch, 18.0 KB (added by , 8 years ago) |
src/wp-includes/taxonomy.php
61 61 'show_ui' => true, 62 62 'show_admin_column' => true, 63 63 '_builtin' => true, 64 'capabilities' => array( 65 'manage_terms' => 'manage_categories', 66 'edit_terms' => 'edit_categories', 67 'delete_terms' => 'delete_categories', 68 'assign_terms' => 'assign_categories', 69 ), 64 70 ) ); 65 71 66 72 register_taxonomy( 'post_tag', 'post', array( … … 71 77 'show_ui' => true, 72 78 'show_admin_column' => true, 73 79 '_builtin' => true, 80 'capabilities' => array( 81 'manage_terms' => 'manage_post_tags', 82 'edit_terms' => 'edit_post_tags', 83 'delete_terms' => 'delete_post_tags', 84 'assign_terms' => 'assign_post_tags', 85 ), 74 86 ) ); 75 87 76 88 register_taxonomy( 'nav_menu', 'nav_menu_item', array( -
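Review bot: The new `capabilities` arrays hand `category` and `post_tag` their own cap names (`manage_categories`, `edit_post_tags`, …) but nothing at the registration site says that these are meta caps, resolved elsewhere in this patch back to `manage_categories` or `edit_posts`, rather than primitives a role can be granted directly; a plugin that adds `manage_post_tags` to a role will find it has no effect. A one-line comment above each array, e.g. `// Meta caps: map_meta_cap() resolves these to manage_categories / edit_posts; they are not grantable as primitives.`, prevents that misreading. Both registrations share the same shape, so the comment belongs at lines 64 and 80.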
src/wp-includes/link-template.php
930 930 } 931 931 932 932 $tax = get_taxonomy( $term->taxonomy ); 933 if ( ! $tax || ! current_user_can( $tax->cap->edit_terms) ) {933 if ( ! $tax || ! current_user_can( 'edit_term', $term->term_id ) ) { 934 934 return; 935 935 } 936 936 … … 984 984 return; 985 985 986 986 $tax = get_taxonomy( $term->taxonomy ); 987 if ( ! current_user_can( $tax->cap->edit_terms) ) {987 if ( ! current_user_can( 'edit_term', $term->term_id ) ) { 988 988 return; 989 989 } 990 990 -
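Review bot: In the second hunk the `$tax = get_taxonomy( $term->taxonomy )` at line 986 is no longer consulted by the check on 987, and unlike the first hunk there is no `! $tax` guard, so a term whose taxonomy has been unregistered goes straight to `current_user_can( 'edit_term', ... )`; that fails closed because the meta cap maps to `do_not_allow` for an unregistered taxonomy, but if `$tax` is not read further down the function the line is dead. Both enclosing functions start and end outside the hunks, so whether `$tax` is still needed cannot be confirmed here; if it is not, drop line 986 and leave the per-term check as the single gate.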
src/wp-includes/class-wp-xmlrpc-server.php
1882 1882 1883 1883 $taxonomy = get_taxonomy( $content_struct['taxonomy'] ); 1884 1884 1885 if ( ! current_user_can( $taxonomy->cap-> manage_terms ) )1885 if ( ! current_user_can( $taxonomy->cap->edit_terms ) ) { 1886 1886 return new IXR_Error( 401, __( 'Sorry, you are not allowed to create terms in this taxonomy.' ) ); 1887 } 1887 1888 1888 1889 $taxonomy = (array) $taxonomy; 1889 1890 … … 1969 1970 1970 1971 $taxonomy = get_taxonomy( $content_struct['taxonomy'] ); 1971 1972 1972 if ( ! current_user_can( $taxonomy->cap->edit_terms ) )1973 return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ) );1974 1975 1973 $taxonomy = (array) $taxonomy; 1976 1974 1977 1975 // hold the data of the term … … 1985 1983 if ( ! $term ) 1986 1984 return new IXR_Error( 404, __( 'Invalid term ID.' ) ); 1987 1985 1986 if ( ! current_user_can( 'edit_term', $term_id ) ) { 1987 return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this term.' ) ); 1988 } 1989 1988 1990 if ( isset( $content_struct['name'] ) ) { 1989 1991 $term_data['name'] = trim( $content_struct['name'] ); 1990 1992 … … 2064 2066 return new IXR_Error( 403, __( 'Invalid taxonomy.' ) ); 2065 2067 2066 2068 $taxonomy = get_taxonomy( $taxonomy ); 2067 2068 if ( ! current_user_can( $taxonomy->cap->delete_terms ) )2069 return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete terms in this taxonomy.' ) );2070 2071 2069 $term = get_term( $term_id, $taxonomy->name ); 2072 2070 2073 2071 if ( is_wp_error( $term ) ) … … 2076 2074 if ( ! $term ) 2077 2075 return new IXR_Error( 404, __( 'Invalid term ID.' ) ); 2078 2076 2077 if ( ! current_user_can( 'delete_term', $term_id ) ) { 2078 return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete this term.' 
) ); 2079 } 2080 2079 2081 $result = wp_delete_term( $term_id, $taxonomy->name ); 2080 2082 2081 2083 if ( is_wp_error( $result ) ) … … 2136 2138 2137 2139 $taxonomy = get_taxonomy( $taxonomy ); 2138 2140 2139 if ( ! current_user_can( $taxonomy->cap->assign_terms ) )2140 return new IXR_Error( 401, __( 'Sorry, you are not allowed to assign terms in this taxonomy.' ) );2141 2142 2141 $term = get_term( $term_id , $taxonomy->name, ARRAY_A ); 2143 2142 2144 2143 if ( is_wp_error( $term ) ) … … 2147 2146 if ( ! $term ) 2148 2147 return new IXR_Error( 404, __( 'Invalid term ID.' ) ); 2149 2148 2149 if ( ! current_user_can( 'assign_term', $term_id ) ) { 2150 return new IXR_Error( 401, __( 'Sorry, you are not allowed to assign this term.' ) ); 2151 } 2152 2150 2153 return $this->_prepare_term( $term ); 2151 2154 } 2152 2155 -
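Review bot: In the edit, delete and assign hunks the permission check now runs after the term lookup, so an authenticated low-privilege caller receives 404 for an unknown ID and 401 for an existing one, whereas before the change the 401 came first; for taxonomies that are not public this leaks whether an ID exists. Since `edit_term`/`delete_term`/`assign_term` already resolve to `do_not_allow` for an unknown term (capabilities.php in this patch), the check can precede `get_term()` without losing correctness, e.g. `if ( ! current_user_can( 'delete_term', $term_id ) ) { return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete this term.' ) ); }` placed directly after the `get_taxonomy()` call, and likewise for the edit and assign methods. Separately, the create-term hunk at 1885 switches from `manage_terms` to `edit_terms`; both resolve to `manage_categories` for the built-in taxonomies, but a custom taxonomy that splits the two sees a behaviour change, which deserves a note in the commit message.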
src/wp-includes/capabilities.php
402 402 case 'delete_site': 403 403 $caps[] = 'manage_options'; 404 404 break; 405 case 'edit_term': 406 case 'delete_term': 407 case 'assign_term': 408 $term_id = $args[0]; 409 $term = get_term( $term_id ); 410 if ( ! $term || is_wp_error( $term ) ) { 411 $caps[] = 'do_not_allow'; 412 break; 413 } 414 415 $tax = get_taxonomy( $term->taxonomy ); 416 if ( ! $tax ) { 417 $caps[] = 'do_not_allow'; 418 break; 419 } 420 421 if ( 'delete_term' === $cap && ( $term->term_id == get_option( 'default_' . $term->taxonomy ) ) ) { 422 $caps[] = 'do_not_allow'; 423 break; 424 } 425 426 $taxo_cap = $cap . 's'; 427 428 $caps = map_meta_cap( $tax->cap->$taxo_cap, $user_id, $term_id ); 429 430 break; 431 case 'manage_categories': 432 case 'manage_post_tags': 433 case 'edit_categories': 434 case 'edit_post_tags': 435 case 'delete_categories': 436 case 'delete_post_tags': 437 $caps[] = 'manage_categories'; 438 break; 439 case 'assign_categories': 440 case 'assign_post_tags': 441 $caps[] = 'edit_posts'; 442 break; 405 443 default: 406 444 // Handle meta capabilities for custom post types. 407 445 global $post_type_meta_caps; … … 413 451 // If no meta caps match, return the original cap. 414 452 $caps[] = $cap; 415 453 } 416 454 417 455 /** 418 456 * Filters a user's capabilities depending on specific context and/or privilege. 419 457 * -
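Review bot: `$term_id = $args[0];` at line 408 assumes an argument was supplied, so `current_user_can( 'edit_term' )` with no ID raises an undefined-index notice before `get_term()` rejects the value; `$term_id = isset( $args[0] ) ? (int) $args[0] : 0;` keeps the fail-closed path quiet. The default-term comparison at 421 uses loose `==` against an option value that is stored as a string; `(int) $term->term_id === (int) get_option( 'default_' . $term->taxonomy )` states the intent without relying on juggling. A comment on the new cases should also record that these meta caps derive the taxonomy from the term ID alone (there is no taxonomy argument), so a caller operating on a specific taxonomy must still confirm the term belongs to it, and that the `$tax->cap->$taxo_cap` value is re-entered through `map_meta_cap()`, so a taxonomy registered with one of these meta cap names as its own cap would recurse.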
src/wp-includes/admin-bar.php
607 607 ) ); 608 608 } elseif ( ! empty( $current_object->taxonomy ) 609 609 && ( $tax = get_taxonomy( $current_object->taxonomy ) ) 610 && current_user_can( $tax->cap->edit_terms)610 && current_user_can( 'edit_term', $current_object->term_id ) 611 611 && $edit_term_link = get_edit_term_link( $current_object->term_id, $current_object->taxonomy ) ) 612 612 { 613 613 $wp_admin_bar->add_menu( array( -
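Review bot: The `$tax = get_taxonomy( … )` assignment inside the condition at line 609 is no longer read by the check on 610, which now passes the term ID to `edit_term`; that meta cap already yields `do_not_allow` when the taxonomy is unregistered, so the assignment only earns its place if `$tax` is used inside the branch (the block continues past the hunk, presumably for the menu label — confirm). If it is not, replace it with `taxonomy_exists( $current_object->taxonomy )` or drop it, so the condition no longer carries an assignment with no consumer.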
src/wp-admin/term.php
31 31 $title = $tax->labels->edit_item; 32 32 33 33 if ( ! in_array( $taxonomy, get_taxonomies( array( 'show_ui' => true ) ) ) || 34 ! current_user_can( $tax->cap->manage_terms)34 ! current_user_can( 'edit_term', $tag->term_id ) 35 35 ) { 36 36 wp_die( 37 37 '<h1>' . __( 'Cheatin’ uh?' ) . '</h1>' . 38 '<p>' . __( 'Sorry, you are not allowed to managethis item.' ) . '</p>',38 '<p>' . __( 'Sorry, you are not allowed to edit this item.' ) . '</p>', 39 39 403 40 40 ); 41 41 } -
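Review bot: The gate at line 34 now depends on `$tag` already holding a valid term object, which is established before the hunk; if `$tag` can be null at this point, `$tag->term_id` raises a notice and the cap resolves to `do_not_allow`, so it fails closed but noisily. A comment such as `// Per-term meta cap; map_meta_cap() resolves it to the taxonomy's edit_terms and refuses unknown terms.` above line 34 tells readers why the former `$tax->cap->manage_terms` check is gone, and the corrected message on line 38 should be mirrored wherever the old 'manage' wording is asserted in tests.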
src/wp-admin/includes/meta-boxes.php
434 434 <input type="button" class="button tagadd" value="<?php esc_attr_e('Add'); ?>" /></p> 435 435 </div> 436 436 <p class="howto" id="new-tag-<?php echo $tax_name; ?>-desc"><?php echo $taxonomy->labels->separate_items_with_commas; ?></p> 437 <?php elseif ( empty( $terms_to_edit ) ): ?> 438 <p><?php echo $taxonomy->labels->no_terms; ?></p> 437 439 <?php endif; ?> 438 440 </div> 439 441 <div class="tagchecklist"></div> -
src/wp-admin/includes/class-wp-terms-list-table.php
151 151 */ 152 152 protected function get_bulk_actions() { 153 153 $actions = array(); 154 $actions['delete'] = __( 'Delete' ); 154 155 if ( current_user_can( get_taxonomy( $this->screen->taxonomy )->cap->delete_terms ) ) { 156 $actions['delete'] = __( 'Delete' ); 157 } 155 158 156 159 return $actions; 157 160 } … … 332 335 * @return string 333 336 */ 334 337 public function column_cb( $tag ) { 335 $default_term = get_option( 'default_' . $this->screen->taxonomy ); 336 337 if ( current_user_can( get_taxonomy( $this->screen->taxonomy )->cap->delete_terms ) && $tag->term_id != $default_term ) 338 if ( current_user_can( 'delete_term', $tag->term_id ) ) { 338 339 return '<label class="screen-reader-text" for="cb-select-' . $tag->term_id . '">' . sprintf( __( 'Select %s' ), $tag->name ) . '</label>' 339 340 . '<input type="checkbox" name="delete_tags[]" value="' . $tag->term_id . '" id="cb-select-' . $tag->term_id . '" />'; 341 } 340 342 341 343 return ' '; 342 344 } … … 423 425 424 426 $taxonomy = $this->screen->taxonomy; 425 427 $tax = get_taxonomy( $taxonomy ); 426 $default_term = get_option( 'default_' . $taxonomy );427 428 428 $uri = wp_doing_ajax() ? wp_get_referer() : $_SERVER['REQUEST_URI']; 429 429 430 430 $edit_link = add_query_arg( … … 434 434 ); 435 435 436 436 $actions = array(); 437 if ( current_user_can( $tax->cap->edit_terms) ) {437 if ( current_user_can( 'edit_term', $tag->term_id ) ) { 438 438 $actions['edit'] = sprintf( 439 439 '<a href="%s" aria-label="%s">%s</a>', 440 440 esc_url( $edit_link ), … … 449 449 __( 'Quick Edit' ) 450 450 ); 451 451 } 452 if ( current_user_can( $tax->cap->delete_terms ) && $tag->term_id != $default_term) {452 if ( current_user_can( 'delete_term', $tag->term_id ) ) { 453 453 $actions['delete'] = sprintf( 454 454 '<a href="%s" class="delete-tag aria-button-if-js" aria-label="%s">%s</a>', 455 455 wp_nonce_url( "edit-tags.php?action=delete&taxonomy=$taxonomy&tag_ID=$tag->term_id", 'delete-tag_' . $tag->term_id ), -
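Review bot: `column_cb()` now relies on the `delete_term` meta cap to withhold the checkbox for the default term, but a missing checkbox is only a UI hint; the bulk handler that consumes `delete_tags[]` must call `current_user_can( 'delete_term', $id )` per submitted ID, and that handler is not part of this patch, so confirm it does rather than relying on the dropped `$default_term` comparison. Keeping the taxonomy-level `delete_terms` in `get_bulk_actions()` is reasonable because no term is in scope there; a comment such as `// No term in scope yet; per-term delete_term is enforced when the bulk action is processed.` stops the next reader from "fixing" it. In `handle_row_actions()` the `$tax` at line 427 is no longer read by either check in the hunk; drop it if nothing later in the method (which continues beyond the hunk) uses it.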
src/wp-admin/includes/ajax-actions.php
597 597 $taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag'; 598 598 $tax = get_taxonomy($taxonomy); 599 599 600 if ( ! current_user_can( $tax->cap->delete_terms ) )600 if ( ! current_user_can( 'delete_term', $tag_id ) ) { 601 601 wp_die( -1 ); 602 } 602 603 603 604 $tag = get_term( $tag_id, $taxonomy ); 604 605 if ( !$tag || is_wp_error( $tag ) ) … … 796 797 if ( empty( $action ) ) 797 798 $action = 'add-link-category'; 798 799 check_ajax_referer( $action ); 799 if ( !current_user_can( 'manage_categories' ) ) 800 $tax = get_taxonomy( 'link_category' ); 801 if ( ! current_user_can( $tax->cap->manage_terms ) ) { 800 802 wp_die( -1 ); 803 } 801 804 $names = explode(',', wp_unslash( $_POST['newcat'] ) ); 802 805 $x = new WP_Ajax_Response(); 803 806 foreach ( $names as $cat_name ) { … … 1703 1706 if ( ! $tax ) 1704 1707 wp_die( 0 ); 1705 1708 1706 if ( ! current_user_can( $tax->cap->edit_terms ) )1709 if ( ! isset( $_POST['tax_ID'] ) || ! ( $id = (int) $_POST['tax_ID'] ) ) { 1707 1710 wp_die( -1 ); 1711 } 1708 1712 1709 $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => 'edit-' . $taxonomy ) ); 1710 1711 if ( ! isset($_POST['tax_ID']) || ! ( $id = (int) $_POST['tax_ID'] ) ) 1713 if ( ! current_user_can( 'edit_term', $id ) ) { 1712 1714 wp_die( -1 ); 1715 } 1716 1717 $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => 'edit-' . $taxonomy ) ); 1713 1718 1714 1719 $tag = get_term( $id, $taxonomy ); 1715 1720 $_POST['description'] = $tag->description; -
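Review bot: In the add-link-category hunk `$tax = get_taxonomy( 'link_category' )` at line 800 is dereferenced without a falsy check, so if that taxonomy is ever unregistered `$tax->cap->manage_terms` evaluates to null with a notice and the gate is decided by how `has_cap()` treats a null capability rather than by an explicit decision; write it as `if ( ! $tax || ! current_user_can( $tax->cap->manage_terms ) ) {` so it fails closed deliberately. In the delete-tag hunk `$tax` at line 598 is no longer read by the check; keep it only if the rest of the handler uses it. The inline-save-tax reordering (validate `tax_ID` before the per-term check) is the right shape and needs no change.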
src/wp-admin/edit-tags.php
108 108 $tag_ID = (int) $_REQUEST['tag_ID']; 109 109 check_admin_referer( 'delete-tag_' . $tag_ID ); 110 110 111 if ( ! current_user_can( $tax->cap->delete_terms) ) {111 if ( ! current_user_can( 'delete_term', $tag_ID ) ) { 112 112 wp_die( 113 113 '<h1>' . __( 'Cheatin’ uh?' ) . '</h1>' . 114 114 '<p>' . __( 'Sorry, you are not allowed to delete this item.' ) . '</p>', … … 168 168 $tag_ID = (int) $_POST['tag_ID']; 169 169 check_admin_referer( 'update-tag_' . $tag_ID ); 170 170 171 if ( ! current_user_can( $tax->cap->edit_terms) ) {171 if ( ! current_user_can( 'edit_term', $tag_ID ) ) { 172 172 wp_die( 173 173 '<h1>' . __( 'Cheatin’ uh?' ) . '</h1>' . 174 174 '<p>' . __( 'Sorry, you are not allowed to edit this item.' ) . '</p>', … … 294 294 295 295 require_once( ABSPATH . 'wp-admin/admin-header.php' ); 296 296 297 if ( ! current_user_can( $tax->cap->edit_terms ) ) {298 wp_die(299 '<h1>' . __( 'Cheatin’ uh?' ) . '</h1>' .300 '<p>' . __( 'Sorry, you are not allowed to edit this item.' ) . '</p>',301 403302 );303 }304 305 297 /** Also used by the Edit Tag form */ 306 298 require_once( ABSPATH . 'wp-admin/includes/edit-tag-messages.php' ); 307 299 -
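Review bot: The block removed at lines 297-303 was the only page-level gate visible in this hunk; the per-term `delete_term` and `edit_term` checks added at 111 and 171 cover the delete and update actions only, so rendering the listing and the add-term form now rests on whichever taxonomy-level check exists above line 108, outside the hunk. Confirm a `manage_terms` (or `edit_terms`) check survives there; if it does, a comment at line 297 such as `// Page-level access is enforced by the taxonomy-level check at the top of this file; actions are gated per term above.` records why the block was dropped.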
tests/phpunit/tests/xmlrpc/wp/getTerm.php
43 43 $result = $this->myxmlrpcserver->wp_getTerm( array( 1, 'subscriber', 'subscriber', 'category', $this->term['term_id'] ) ); 44 44 $this->assertInstanceOf( 'IXR_Error', $result ); 45 45 $this->assertEquals( 401, $result->code ); 46 $this->assertEquals( __( 'Sorry, you are not allowed to assign t erms in this taxonomy.' ), $result->message );46 $this->assertEquals( __( 'Sorry, you are not allowed to assign this term.' ), $result->message ); 47 47 } 48 48 49 49 -
tests/phpunit/tests/xmlrpc/wp/editTerm.php
49 49 $result = $this->myxmlrpcserver->wp_editTerm( array( 1, 'subscriber', 'subscriber', $this->parent_term['term_id'], array( 'taxonomy' => 'category' ) ) ); 50 50 $this->assertInstanceOf( 'IXR_Error', $result ); 51 51 $this->assertEquals( 401, $result->code ); 52 $this->assertEquals( __( 'Sorry, you are not allowed to edit t erms in this taxonomy.' ), $result->message );52 $this->assertEquals( __( 'Sorry, you are not allowed to edit this term.' ), $result->message ); 53 53 } 54 54 55 55 function test_term_not_exists() { -
tests/phpunit/tests/xmlrpc/wp/deleteTerm.php
43 43 $result = $this->myxmlrpcserver->wp_deleteTerm( array( 1, 'subscriber', 'subscriber', 'category', $this->term['term_id'] ) ); 44 44 $this->assertInstanceOf( 'IXR_Error', $result ); 45 45 $this->assertEquals( 401, $result->code ); 46 $this->assertEquals( __( 'Sorry, you are not allowed to delete t erms in this taxonomy.' ), $result->message );46 $this->assertEquals( __( 'Sorry, you are not allowed to delete this term.' ), $result->message ); 47 47 } 48 48 49 49 function test_empty_term() { -
tests/phpunit/tests/user/capabilities.php
231 231 'customize' => array( 'administrator' ), 232 232 'delete_site' => array( 'administrator' ), 233 233 'add_users' => array( 'administrator' ), 234 235 'edit_categories' => array( 'administrator', 'editor' ), 236 'delete_categories' => array( 'administrator', 'editor' ), 237 'manage_post_tags' => array( 'administrator', 'editor' ), 238 'edit_post_tags' => array( 'administrator', 'editor' ), 239 'delete_post_tags' => array( 'administrator', 'editor' ), 240 241 'assign_categories' => array( 'administrator', 'editor', 'author', 'contributor' ), 242 'assign_post_tags' => array( 'administrator', 'editor', 'author', 'contributor' ), 234 243 ); 235 244 } 236 245 … … 238 247 return array( 239 248 'upload_plugins' => array(), 240 249 'upload_themes' => array(), 250 241 251 'customize' => array( 'administrator' ), 242 252 'delete_site' => array( 'administrator' ), 243 253 'add_users' => array( 'administrator' ), 254 255 'edit_categories' => array( 'administrator', 'editor' ), 256 'delete_categories' => array( 'administrator', 'editor' ), 257 'manage_post_tags' => array( 'administrator', 'editor' ), 258 'edit_post_tags' => array( 'administrator', 'editor' ), 259 'delete_post_tags' => array( 'administrator', 'editor' ), 260 261 'assign_categories' => array( 'administrator', 'editor', 'author', 'contributor' ), 262 'assign_post_tags' => array( 'administrator', 'editor', 'author', 'contributor' ), 244 263 ); 245 264 } 246 265 … … 972 991 } 973 992 } 974 993 994 /** 995 * @dataProvider dataTaxonomies 996 * 997 * @ticket 35614 998 */ 999 public function test_default_taxonomy_term_cannot_be_deleted( $taxonomy ) { 1000 if ( ! 
taxonomy_exists( $taxonomy ) ) { 1001 register_taxonomy( $taxonomy, 'post' ); 1002 } 1003 1004 $tax = get_taxonomy( $taxonomy ); 1005 $user = self::$users['administrator']; 1006 $term = self::factory()->term->create_and_get( array( 1007 'taxonomy' => $taxonomy, 1008 ) ); 1009 1010 update_option( "default_{$taxonomy}", $term->term_id ); 1011 1012 $this->assertTrue( user_can( $user->ID, $tax->cap->delete_terms ) ); 1013 $this->assertFalse( user_can( $user->ID, 'delete_term', $term->term_id ) ); 1014 } 1015 1016 /** 1017 * @dataProvider dataTaxonomies 1018 * 1019 * @ticket 35614 1020 */ 1021 public function test_taxonomy_caps_map_correctly_to_their_meta_cap( $taxonomy ) { 1022 if ( ! taxonomy_exists( $taxonomy ) ) { 1023 register_taxonomy( $taxonomy, 'post' ); 1024 } 1025 1026 $tax = get_taxonomy( $taxonomy ); 1027 $term = self::factory()->term->create_and_get( array( 1028 'taxonomy' => $taxonomy, 1029 ) ); 1030 1031 foreach ( self::$users as $role => $user ) { 1032 $this->assertSame( 1033 user_can( $user->ID, 'edit_term', $term->term_id ), 1034 user_can( $user->ID, $tax->cap->edit_terms ), 1035 "Role: {$role}" 1036 ); 1037 $this->assertSame( 1038 user_can( $user->ID, 'delete_term', $term->term_id ), 1039 user_can( $user->ID, $tax->cap->delete_terms ), 1040 "Role: {$role}" 1041 ); 1042 $this->assertSame( 1043 user_can( $user->ID, 'assign_term', $term->term_id ), 1044 user_can( $user->ID, $tax->cap->assign_terms ), 1045 "Role: {$role}" 1046 ); 1047 } 1048 1049 } 1050 975 1051 public function dataTaxonomies() { 976 1052 return array( 977 1053 array(
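Review bot: The new tests never exercise the fail-closed branches added to `map_meta_cap()`: nothing asserts that `user_can( $user->ID, 'edit_term', $nonexistent_id )` (constructed example) returns false for an administrator, nor that `delete_term` is refused for a term whose taxonomy is not registered, and those are the paths that stop an ID-based request from being resolved through some other taxonomy's caps. `test_default_taxonomy_term_cannot_be_deleted()` also sets `default_{$taxonomy}` without restoring it, and both tests register a taxonomy without unregistering it; whether the framework rolls that back between data sets should be confirmed, otherwise later cases see leaked state. A third `dataTaxonomies`-driven test covering the unknown-ID and unregistered-taxonomy cases would close the gap.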