Ticket #44079: 44079.diff

File 44079.diff, 2.2 KB (added by iandunn, 2 years ago)
  • src/wp-admin/includes/misc.php

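diff --git src/wp-admin/includes/misc.php src/wp-admin/includes/misc.php
index 1d8615899f..863a4a0b63 100644
--- a/src/wp-admin/includes/misc.php
+++ b/src/wp-admin/includes/misc.php
@@ -1263,6 +1263,46 @@ All at ###SITENAME###
         }
 }
 
+/**
+ * Require the `manage_privacy_options` capability to edit Privacy Policy page.
+ *
+ * Normally Editors can edit any page, but the Privacy Policy page is special,
+ * and only users with the `manage_privacy_options` capability can determine
+ * which page is considered the Privacy Policy page. The most common use case
+ * is likely to be one where the site administrator wants to either make decisions
+ * related to privacy themselves, or designate a specific person to do that on
+ * behalf of the organization. In light of those, most administrator will probably
+ * not expect Editors to be able to edit the page, and allowing them to could
+ * lead to edits that the admin does not desire.
+ *
+ * @since 4.9.6
+ *
+ * @param string[] $caps    Array of the user's capabilities.
+ * @param string   $cap     Capability name.
+ * @param int      $user_id The user ID.
+ * @param array    $args    Adds the context to the cap. Typically the object ID.
+ *
+ * @return array   Capabilities.
+ */
+function _restrict_privacy_policy_page_edits( $caps, $cap, $user_id, $args ) {
+        $restricted_capabilities = array( 'edit_post', 'delete_post' );
+
+        if ( ! in_array( $cap, $restricted_capabilities, true ) ) {
+                return $caps;
+        }
+
+        $privacy_policy_page_id = (int) get_option( 'wp_page_for_privacy_policy' );
+
+        if ( ! $privacy_policy_page_id || empty( $args[0] ) || $privacy_policy_page_id !== $args[0] ) {
+                return $caps;
+        }
+
+        $caps[] = 'manage_privacy_options';
+
+        return $caps;
+}
+add_filter( 'map_meta_cap', '_restrict_privacy_policy_page_edits', 1, 4 ); // Before plugins because this is default behavior.
+
 /**
  * WP_Privacy_Policy_Content class.
  * TODO: move this to a new file.
@@ -1564,10 +1604,6 @@ final class WP_Privacy_Policy_Content {
                         return;
                 }
 
-                if ( ! current_user_can( 'manage_privacy_options' ) ) {
-                        return;
-                }
-
                 $policy_page_id = (int) get_option( 'wp_page_for_privacy_policy' );
 
                 if ( ! $policy_page_id || $policy_page_id != $post->ID ) {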
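Review bot: In `_restrict_privacy_policy_page_edits()` the guard `$privacy_policy_page_id !== $args[0]` compares a cast int with `$args[0]` exactly as the caller passed it, so when the post ID arrives as a numeric string the strict comparison reports a mismatch and the function returns `$caps` without adding `manage_privacy_options`; the restriction fails open. Normalise the argument before comparing, e.g. `$post_id = isset( $args[0] ) ? (int) $args[0] : 0;` and then `if ( ! $privacy_policy_page_id || $privacy_policy_page_id !== $post_id ) {`. The filter is registered from `wp-admin/includes/misc.php`, so it presumably only takes effect on requests that load the admin includes; it is worth confirming that every path able to edit or delete the page loads this file, or moving the check to where meta capabilities are mapped. A test that calls the capability check with the policy page ID as both an int and a string would pin the behaviour.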