Ticket #38303: 38303.3.diff
| File 38303.3.diff, 18.0 KB (added by , 8 years ago) |
|---|
-
src/wp-admin/includes/schema.php
621 621 populate_roles_270(); 622 622 populate_roles_280(); 623 623 populate_roles_300(); 624 populate_roles_470(); 624 625 } 625 626 626 627 /** … … 861 862 } 862 863 } 863 864 865 864 866 /** 867 * Create and modify WordPress roles for WordPress 4.7. 868 * 869 * @since 4.7.0 870 */ 871 function populate_roles_470(){ 872 873 $administrator = get_role( 'administrator' ); 874 if ( !empty( $administrator ) ) { 875 $administrator->add_cap( 'edit_user_meta' ); 876 $administrator->add_cap( 'add_user_meta' ); 877 $administrator->add_cap( 'delete_user_meta' ); 878 $administrator->add_cap( 'edit_term_meta' ); 879 $administrator->add_cap( 'add_term_meta' ); 880 $administrator->add_cap( 'delete_term_meta' ); 881 $administrator->add_cap( 'edit_post_meta' ); 882 $administrator->add_cap( 'add_post_meta' ); 883 $administrator->add_cap( 'delete_post_meta' ); 884 $administrator->add_cap( 'edit_comment_meta' ); 885 $administrator->add_cap( 'add_comment_meta' ); 886 $administrator->add_cap( 'delete_comment_meta' ); 887 } 888 889 $editor = get_role( 'editor' ); 890 if ( !empty( $editor ) ) { 891 $editor->add_cap( 'edit_term_meta' ); 892 $editor->add_cap( 'add_term_meta' ); 893 $editor->add_cap( 'delete_term_meta' ); 894 $editor->add_cap( 'edit_post_meta' ); 895 $editor->add_cap( 'add_post_meta' ); 896 $editor->add_cap( 'delete_post_meta' ); 897 $editor->add_cap( 'edit_comment_meta' ); 898 $editor->add_cap( 'add_comment_meta' ); 899 $editor->add_cap( 'delete_comment_meta' ); 900 } 901 } 902 903 /** 865 904 * Install Network. 866 905 * 867 906 * @since 3.0.0 -
src/wp-includes/capabilities.php
29 29 function map_meta_cap( $cap, $user_id ) { 30 30 $args = array_slice( func_get_args(), 2 ); 31 31 $caps = array(); 32 33 32 switch ( $cap ) { 34 33 case 'remove_user': 35 34 $caps[] = 'remove_users'; … … 51 50 $caps[] = 'edit_users'; // edit_user maps to edit_users. 52 51 } 53 52 break; 53 case 'edit_user_meta': 54 case 'delete_user_meta': 55 case 'add_user_meta': 56 // There must be a user specified to edit their meta. 57 $user = ( ! empty( $args ) || ! empty( $args[0] ) ) ? get_user_by( 'id', $args[0] ) : false; 58 59 if( ! $user ){ 60 $caps[] = 'do_not_allow'; 61 break; 62 } 63 64 $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false; 65 66 if ( $meta_key && ( has_filter( "auth_user_meta_{$meta_key}" ) ) ) { 67 /** 68 * Filters whether the user is allowed to add user meta to a user. 69 * 70 * The dynamic portion of the hook name, `$meta_key`, refers to the 71 * meta key passed to map_meta_cap(). 72 * 73 * @since 4.7.0 74 * 75 * @param bool $allowed Whether the user can add the user meta. Default false. 76 * @param string $meta_key The meta key. 77 * @param int $user->ID The user being edited. 78 * @param int $user_id User ID. 79 * @param string $cap Capability name. 80 * @param array $caps User capabilities. 81 */ 82 $allowed = apply_filters( "auth_user_meta_{$meta_key}", false, $meta_key, $user->ID, $user_id, $cap, $caps ); 83 84 if ( ! $allowed ){ 85 $caps[] = 'do_not_allow'; 86 } 87 } elseif ( $user->ID === $user_id ) { 88 // If you can edit yourself, you can edit your meta. 89 $caps = map_meta_cap( 'edit_user', $user_id, $user->ID ); 90 } 91 else { 92 // The default is requiring the capability itself. 93 $caps[] = $cap; 94 } 95 break; 96 54 97 case 'delete_post': 55 98 case 'delete_page': 56 99 $post = get_post( $args[0] ); … … 242 285 case 'edit_post_meta': 243 286 case 'delete_post_meta': 244 287 case 'add_post_meta': 245 $post = get_post( $args[0] );288 $post = ( ! empty( $args ) && ! empty( $args[0] ) ) ? get_post( $args[0] ) : false; 246 289 if ( ! $post ) { 247 290 $caps[] = 'do_not_allow'; 248 291 break; 249 292 } 250 251 293 $post_type = get_post_type( $post ); 252 294 253 $caps = map_meta_cap( 'edit_post', $user_id, $post->ID );254 255 295 $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false; 256 296 257 297 if ( $meta_key && ( has_filter( "auth_post_meta_{$meta_key}" ) || has_filter( "auth_post_{$post_type}_meta_{$meta_key}" ) ) ) { … … 289 329 */ 290 330 $allowed = apply_filters( "auth_post_{$post_type}_meta_{$meta_key}", $allowed, $meta_key, $post->ID, $user_id, $cap, $caps ); 291 331 292 if ( ! $allowed ) 293 $caps[] = $cap; 332 if ( ! $allowed ){ 333 $caps[] = 'do_not_allow'; 334 } 294 335 } elseif ( $meta_key && is_protected_meta( $meta_key, 'post' ) ) { 336 $caps[] = 'do_not_allow'; 337 } elseif ( (int)$post->post_author === (int)$user_id ) { 338 // If you're the author, you can edit your own post if you're allowed 339 $caps = map_meta_cap( 'edit_post', $user_id, $post->ID ); 340 } else { 341 // The default is requiring the capability itself. 295 342 $caps[] = $cap; 296 343 } 297 344 break; 298 345 case 'edit_comment': 299 346 $comment = get_comment( $args[0] ); 347 300 348 if ( ! $comment ) { 301 349 $caps[] = 'do_not_allow'; 302 350 break; … … 314 362 $caps = map_meta_cap( 'edit_posts', $user_id ); 315 363 } 316 364 break; 365 case 'edit_comment_meta': 366 case 'delete_comment_meta': 367 case 'add_comment_meta': 368 $comment = ( ! empty( $args ) && ! empty( $args[0] ) ) ? get_comment( $args[0] ) : false; 369 if ( ! $comment ) { 370 $caps[] = 'do_not_allow'; 371 break; 372 } 373 374 $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false; 375 376 if ( $meta_key && ( has_filter( "auth_comment_meta_{$meta_key}" ) ) ) { 377 /** 378 * Filters whether the user is allowed to add comment meta to a comment. 379 * 380 * The dynamic portion of the hook name, `$meta_key`, refers to the 381 * meta key passed to map_meta_cap(). 382 * 383 * @since 4.7.0 384 * 385 * @param bool $allowed Whether the user can add the comment meta. Default false. 386 * @param string $meta_key The meta key. 387 * @param int $comment_id Comment ID. 388 * @param int $user_id User ID. 389 * @param string $cap Capability name. 390 * @param array $caps User capabilities. 391 */ 392 $allowed = apply_filters( "auth_comment_meta_{$meta_key}", false, $meta_key, $comment->comment_post_ID, $user_id, $cap, $caps ); 393 394 if ( ! $allowed ){ 395 $caps[] = 'do_not_allow'; 396 } 397 } elseif( !empty( $comment->user_id ) && ( $comment->user_id === $user_id ) ){ 398 // If there is no auth_callback, you can only edit the meta for comments you can edit. 399 $caps = map_meta_cap( 'edit_comment', $user_id, $comment->comment_ID ); 400 } 401 else { 402 // The default is requiring the capability itself. 403 $caps[] = $cap; 404 } 405 break; 317 406 case 'unfiltered_upload': 318 407 if ( defined('ALLOW_UNFILTERED_UPLOADS') && ALLOW_UNFILTERED_UPLOADS && ( !is_multisite() || is_super_admin( $user_id ) ) ) 319 408 $caps[] = $cap; … … 431 520 $caps = map_meta_cap( $tax->cap->$taxo_cap, $user_id, $term_id ); 432 521 433 522 break; 523 case 'edit_term_meta': 524 case 'delete_term_meta': 525 case 'add_term_meta': 526 $term_id = ( ! empty( $args ) && ! empty( $args[0] ) ) ? (int)$args[0] : false; 527 $term = ( ! empty( $term_id ) ) ? get_term( $term_id ) : false; 528 if ( ! $term || is_wp_error( $term ) ) { 529 $caps[] = 'do_not_allow'; 530 break; 531 } 532 533 $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false; 534 535 if ( $meta_key && ( has_filter( "auth_term_meta_{$meta_key}" ) ) ) { 536 /** 537 * Filters whether the user is allowed to add term meta to a term. 538 * 539 * The dynamic portion of the hook name, `$meta_key`, refers to the 540 * meta key passed to map_meta_cap(). 541 * 542 * @since 4.7.0 543 * 544 * @param bool $allowed Whether the user can add the term meta. Default false. 545 * @param string $meta_key The meta key. 546 * @param int $term_id Term ID. 547 * @param int $user_id User ID. 548 * @param string $cap Capability name. 549 * @param array $caps User capabilities. 550 */ 551 $allowed = apply_filters( "auth_term_meta_{$meta_key}", false, $meta_key, $term_id, $user_id, $cap, $caps ); 552 if ( ! $allowed ){ 553 $caps[] = 'do_not_allow'; 554 } 555 } else { 556 // The default is requiring the capability itself. 557 $caps[] = $cap; 558 } 559 break; 434 560 case 'manage_post_tags': 435 561 case 'edit_categories': 436 562 case 'edit_post_tags': -
src/wp-includes/meta.php
1038 1038 if ( empty( $args['auth_callback'] ) ) { 1039 1039 if ( is_protected_meta( $meta_key, $object_type ) ) { 1040 1040 $args['auth_callback'] = '__return_false'; 1041 } else { 1042 $args['auth_callback'] = '__return_true'; 1043 } 1041 } 1044 1042 } 1045 1043 1046 1044 // Back-compat: old sanitize and auth callbacks are applied to all of an object type. -
tests/phpunit/tests/meta/registerMeta.php
74 74 'description' => '', 75 75 'single' => false, 76 76 'sanitize_callback' => null, 77 'auth_callback' => '__return_true',77 'auth_callback' => null, 78 78 'show_in_rest' => false, 79 79 ), 80 80 ), … … 96 96 'description' => '', 97 97 'single' => false, 98 98 'sanitize_callback' => null, 99 'auth_callback' => '__return_true',99 'auth_callback' => null, 100 100 'show_in_rest' => false, 101 101 ), 102 102 ), … … 148 148 'description' => '', 149 149 'single' => false, 150 150 'sanitize_callback' => array( $this, '_new_sanitize_meta_cb' ), 151 'auth_callback' => '__return_true',151 'auth_callback' => null, 152 152 'show_in_rest' => false, 153 153 ), 154 154 ), -
tests/phpunit/tests/post/meta.php
237 237 $this->assertEquals($funky_meta, get_post_meta($this->post_id, 'test_funky_post_meta', true)); 238 238 239 239 } 240 241 public function test_edit_post_meta_cap(){ 242 $p = self::factory()->post->create( array( 'post_status' => 'publish' ) ); 243 $u1 = self::factory()->user->create( array( 'role' => 'administrator' ) ); 244 $u2 = self::factory()->user->create( array( 'role' => 'author' ) ); 245 246 register_meta( 'post', 'foo', array() ); 247 248 wp_set_current_user( $u1 ); 249 $admin_update = false; 250 if( current_user_can( 'edit_post_meta', $p, 'foo' ) ){ 251 $admin_update = update_post_meta( $p, 'foo', 'bar1' ); 252 } 253 $this->assertNotEmpty( $admin_update ); 254 255 wp_set_current_user( $u2 ); 256 $auth_update = false; 257 if( current_user_can( 'edit_post_meta', $p, 'foo' ) ){ 258 $auth_update = update_post_meta( $p, 'foo', 'bar2' ); 259 } 260 $this->assertFalse( $auth_update ); 261 262 unregister_meta_key( 'post', 'foo' ); 263 264 } 265 266 public function test_edit_post_meta_with_auth_callback(){ 267 $p = self::factory()->post->create( array( 'post_status' => 'publish' ) ); 268 $u1 = self::factory()->user->create( array( 'role' => 'administrator' ) ); 269 $u2 = self::factory()->user->create( array( 'role' => 'author' ) ); 270 271 $args1 = array( 272 'auth_callback' => array( $this, 'test_edit_post_meta_auth_callback_false' ) 273 ); 274 275 $args2 = array( 276 'auth_callback' => array( $this, 'test_edit_post_meta_auth_callback_true' ) 277 ); 278 279 register_meta( 'post', 'foo1', $args1 ); 280 register_meta( 'post', 'foo2', $args2 ); 281 282 wp_set_current_user( $u1 ); 283 $admin_update = false; 284 if( current_user_can( 'edit_post_meta', $p, 'foo1' ) ){ 285 $admin_update = update_post_meta( $p, 'foo1', 'bar1' ); 286 } 287 $this->assertFalse( $admin_update ); 288 289 wp_set_current_user( $u2 ); 290 $auth_update = false; 291 if( current_user_can( 'edit_post_meta', $p, 'foo2' ) ){ 292 $auth_update = update_post_meta( $p, 'foo2', 'bar2' ); 293 } 294 $this->assertNotEmpty( $auth_update ); 295 296 unregister_meta_key( 'post', 'foo1' ); 297 unregister_meta_key( 'post', 'foo2' ); 298 299 } 300 301 public function test_user_can_edit_own_post_meta_as_default(){ 302 303 $u = self::factory()->user->create( array( 'role' => 'author' ) ); 304 $p = self::factory()->post->create( array( 'post_status' => 'publish', 'post_author' => $u ) ); 305 306 register_meta( 'post', 'foo', array() ); 307 308 wp_set_current_user( $u ); 309 $update = false; 310 if( current_user_can( 'edit_post_meta', $p, 'foo' ) ){ 311 $update = update_post_meta( $p, 'foo', 'bar' ); 312 } 313 $this->assertNotEmpty( $update ); 314 315 unregister_meta_key( 'post', 'foo' ); 316 317 } 318 319 public function test_edit_post_meta_auth_callback_false(){ 320 return false; 321 } 322 323 public function test_edit_post_meta_auth_callback_true(){ 324 return true; 325 } 240 326 } -
tests/phpunit/tests/term/meta.php
407 407 public static function set_cache_results( $q ) { 408 408 $q->set( 'cache_results', true ); 409 409 } 410 411 public function test_edit_term_meta_cap(){ 412 $t = self::factory()->term->create( array( 'taxonomy' => 'wptests_tax' ) ); 413 $u1 = self::factory()->user->create( array( 'role' => 'administrator' ) ); 414 $u2 = self::factory()->user->create( array( 'role' => 'author' ) ); 415 416 register_meta( 'term', 'foo', array() ); 417 418 wp_set_current_user( $u1 ); 419 $admin_update = false; 420 if( current_user_can( 'edit_term_meta', $t, 'foo' ) ){ 421 $admin_update = update_term_meta( $t, 'foo', 'bar1' ); 422 } 423 $this->assertNotEmpty( $admin_update ); 424 425 wp_set_current_user( $u2 ); 426 $auth_update = false; 427 if( current_user_can( 'edit_term_meta', $t, 'foo' ) ){ 428 $auth_update = update_term_meta( $t, 'foo', 'bar2' ); 429 } 430 $this->assertFalse( $auth_update ); 431 432 unregister_meta_key( 'term', 'foo' ); 433 434 } 435 436 public function test_edit_term_meta_with_auth_callback(){ 437 $t = self::factory()->term->create( array( 'taxonomy' => 'wptests_tax' ) ); 438 $u1 = self::factory()->user->create( array( 'role' => 'administrator' ) ); 439 $u2 = self::factory()->user->create( array( 'role' => 'author' ) ); 440 441 $args1 = array( 442 'auth_callback' => array( $this, 'test_edit_term_meta_auth_callback_false' ) 443 ); 444 445 $args2 = array( 446 'auth_callback' => array( $this, 'test_edit_term_meta_auth_callback_true' ) 447 ); 448 449 register_meta( 'term', 'foo1', $args1 ); 450 register_meta( 'term', 'foo2', $args2 ); 451 452 wp_set_current_user( $u1 ); 453 $admin_update = false; 454 if( current_user_can( 'edit_term_meta', $t, 'foo1' ) ){ 455 $admin_update = update_term_meta( $t, 'foo1', 'bar1' ); 456 } 457 $this->assertFalse( $admin_update ); 458 459 wp_set_current_user( $u2 ); 460 $auth_update = false; 461 if( current_user_can( 'edit_term_meta', $t, 'foo2' ) ){ 462 $auth_update = update_term_meta( $t, 'foo2', 'bar2' ); 463 } 464 $this->assertNotEmpty( $auth_update ); 465 466 unregister_meta_key( 'term', 'foo1' ); 467 unregister_meta_key( 'term', 'foo2' ); 468 469 } 470 471 public function test_edit_term_meta_auth_callback_false(){ 472 return false; 473 } 474 475 public function test_edit_term_meta_auth_callback_true(){ 476 return true; 477 } 410 478 } -
tests/phpunit/tests/user/capabilities.php
318 318 // `manage_links` is a special case 319 319 $user_caps['manage_links'], 320 320 // `unfiltered_upload` is a special case 321 $user_caps['unfiltered_upload'] 321 $user_caps['unfiltered_upload'], 322 // All of the object type meta capabilities are special cases. They are primitive capabilities but depend on a particular object. 323 $user_caps['edit_term_meta'], 324 $user_caps['add_term_meta'], 325 $user_caps['delete_term_meta'], 326 $user_caps['edit_post_meta'], 327 $user_caps['add_post_meta'], 328 $user_caps['delete_post_meta'], 329 $user_caps['edit_user_meta'], 330 $user_caps['add_user_meta'], 331 $user_caps['delete_user_meta'], 332 $user_caps['edit_comment_meta'], 333 $user_caps['add_comment_meta'], 334 $user_caps['delete_comment_meta'] 322 335 ); 323 336 324 337 $diff = array_diff( array_keys( $user_caps ), array_keys( $caps ) ); … … 354 367 // `manage_links` is a special case in the caps tests: 355 368 $expected['manage_links'], 356 369 // `unfiltered_upload` is a special case in the caps tests: 357 $expected['unfiltered_upload'] 370 $expected['unfiltered_upload'], 371 // All of the object type meta capabilities are special cases. They are primitive capabilities but depend on a particular object. 372 $expected['edit_term_meta'], 373 $expected['add_term_meta'], 374 $expected['delete_term_meta'], 375 $expected['edit_post_meta'], 376 $expected['add_post_meta'], 377 $expected['delete_post_meta'], 378 $expected['edit_user_meta'], 379 $expected['add_user_meta'], 380 $expected['delete_user_meta'], 381 $expected['edit_comment_meta'], 382 $expected['add_comment_meta'], 383 $expected['delete_comment_meta'] 358 384 ); 359 385 360 386 $expected = array_keys( $expected ); … … 410 436 // Singular object meta capabilities (where an object ID is passed) are not tested: 411 437 $expected['remove_user'], 412 438 $expected['promote_user'], 413 $expected['edit_user'], 439 $expected['edit_user'], 414 440 $expected['delete_post'], 415 441 $expected['delete_page'], 416 442 $expected['edit_post'], … … 418 444 $expected['read_post'], 419 445 $expected['read_page'], 420 446 $expected['publish_post'], 421 $expected['edit_post_meta'],422 $expected['delete_post_meta'],423 $expected['add_post_meta'],424 447 $expected['edit_comment'], 425 448 $expected['edit_term'], 426 449 $expected['delete_term'], 427 $expected['assign_term'], 428 $expected['delete_user'] 450 $expected['assign_term'], 451 $expected['delete_user'], 452 $expected['edit_term_meta'], 453 $expected['add_term_meta'], 454 $expected['delete_term_meta'], 455 $expected['edit_comment_meta'], 456 $expected['add_comment_meta'], 457 $expected['delete_comment_meta'], 458 $expected['edit_post_meta'], 459 $expected['add_post_meta'], 460 $expected['delete_post_meta'], 461 $expected['edit_user_meta'], 462 $expected['add_user_meta'], 463 $expected['delete_user_meta'] 429 464 ); 430 465 431 466 $expected = array_keys( $expected );