Changeset 13786


Timestamp:
03/21/2010 02:29:11 AM (11 years ago)
Author:
dd32
Message:

Use correct cap checks and nonces for custom post_type's

Location:
trunk
Files:
3 edited

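--- a/trunk/wp-admin/includes/meta-boxes.php
+++ b/trunk/wp-admin/includes/meta-boxes.php
@@ -15,6 +15,5 @@
     $post_type = $post->post_type;
     $post_type_object = get_post_type_object($post_type);
-    $type_cap = $post_type_object->capability_type;
-    $can_publish = current_user_can("publish_${type_cap}s");
+    $can_publish = current_user_can($post_type_object->publish_cap);
 ?>
 <div class="submitbox" id="submitpost">
@@ -195,5 +194,5 @@
 <div id="delete-action">
 <?php
-if ( current_user_can( "delete_${type_cap}", $post->ID ) ) {
+if ( current_user_can( "delete_post", $post->ID ) ) {
     if ( !EMPTY_TRASH_DAYS ) {
         $delete_url = wp_nonce_url( add_query_arg( array('action' => 'delete', 'post' => $post->ID) ), "delete-${post_type}_{$post->ID}" );
@@ -408,5 +407,5 @@
 
 /**
- * Displa comments for post table header
+ * Display comments for post table header
  *
  * @since 3.0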
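Review bot: The new line 17 reads `$post_type_object->publish_cap` without checking that `get_post_type_object($post_type)` on line 16 actually returned an object; if it returns null for a type that is not registered (which I believe it does), the property read raises a notice and `current_user_can()` is handed a null capability name. The removed `capability_type` read had the same exposure, so the commit does not make it worse, but since this value gates the publish controls it is worth failing closed explicitly, e.g. `$can_publish = $post_type_object && current_user_can($post_type_object->publish_cap);`. The surrounding template code starts before the first hunk and continues past the last.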
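--- a/trunk/wp-admin/includes/template.php
+++ b/trunk/wp-admin/includes/template.php
@@ -864,7 +864,8 @@
         $taxonomy = get_taxonomy( $taxonomy_name);
 
-        if( !$taxonomy->show_ui ) continue;
-
-        if( $taxonomy->hierarchical )
+        if ( !$taxonomy->show_ui )
+            continue;
+
+        if ( $taxonomy->hierarchical )
             $hierarchical_taxonomies[] = $taxonomy;
         else
@@ -876,5 +877,4 @@
     $col_count = count($columns) - count($hidden);
     $m = ( isset($mode) && 'excerpt' == $mode ) ? 'excerpt' : 'list';
-    // @todo use capability_type
     $can_publish = current_user_can($post_type_object->publish_cap);
     $core_columns = array( 'cb' => true, 'date' => true, 'title' => true, 'categories' => true, 'tags' => true, 'comments' => true, 'author' => true );
@@ -1562,9 +1562,9 @@
         if ( current_user_can($post_type_object->delete_cap, $page->ID) ) {
             if ( $post->post_status == 'trash' )
-                $actions['untrash'] = "<a title='" . esc_attr(__('Remove this page from the Trash')) . "' href='" . wp_nonce_url("post.php?post_type=$post_type&amp;action=untrash&amp;post=$page->ID", 'untrash-page_' . $page->ID) . "'>" . __('Restore') . "</a>";
+                $actions['untrash'] = "<a title='" . esc_attr(__('Remove this page from the Trash')) . "' href='" . wp_nonce_url("post.php?post_type=$post_type&amp;action=untrash&amp;post=$page->ID", 'untrash-' . $post->post_type . '_' . $page->ID) . "'>" . __('Restore') . "</a>";
             elseif ( EMPTY_TRASH_DAYS )
                 $actions['trash'] = "<a class='submitdelete' title='" . esc_attr(__('Move this page to the Trash')) . "' href='" . get_delete_post_link($page->ID) . "'>" . __('Trash') . "</a>";
             if ( $post->post_status == 'trash' || !EMPTY_TRASH_DAYS )
-                $actions['delete'] = "<a class='submitdelete' title='" . esc_attr(__('Delete this page permanently')) . "' href='" . wp_nonce_url("post.php?post_type=$post_type&amp;action=delete&amp;post=$page->ID", 'delete-page_' . $page->ID) . "'>" . __('Delete Permanently') . "</a>";
+                $actions['delete'] = "<a class='submitdelete' title='" . esc_attr(__('Delete this page permanently')) . "' href='" . wp_nonce_url("post.php?post_type=$post_type&amp;action=delete&amp;post=$page->ID", 'delete-' . $post->post_type . '_' . $page->ID) . "'>" . __('Delete Permanently') . "</a>";
         }
         if ( in_array($post->post_status, array('pending', 'draft')) ) {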
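Review bot: In the two rewritten lines of the 1562 hunk the nonce action is built from `$post->post_type` while the href on the same line puts `$post_type` into the `post_type=` query argument, and the ID comes from a third variable, `$page->ID`; if those are all the same row (which the cap check on line 1562 suggests, but the function head is outside the hunk) then deriving the nonce from the same variable as the URL, `'untrash-' . $post_type . '_' . $page->ID` and `'delete-' . $post_type . '_' . $page->ID`, keeps the link and the token it protects visibly in step and makes a mismatch impossible. If `$post_type` is not guaranteed to equal `$post->post_type` here, a one-line comment explaining which one post.php verifies the nonce against would save the next reader from the same question. The enclosing function starts and ends outside this hunk.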
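--- a/trunk/wp-includes/capabilities.php
+++ b/trunk/wp-includes/capabilities.php
@@ -811,5 +811,5 @@
         $post_type = get_post_type_object( $post->post_type );
         if ( $post_type && 'post' != $post_type->capability_type ) {
-            $args = array_merge( array( 'delete_' . $post_type->capability_type, $user_id ), $args );
+            $args = array_merge( array( $post_type->delete_cap, $user_id ), $args );
             return call_user_func_array( 'map_meta_cap', $args );
         }
@@ -888,5 +888,5 @@
         $post_type = get_post_type_object( $post->post_type );
         if ( $post_type && 'post' != $post_type->capability_type ) {
-            $args = array_merge( array( 'edit_' . $post_type->capability_type, $user_id ), $args );
+            $args = array_merge( array( $post_type->edit_cap, $user_id ), $args );
             return call_user_func_array( 'map_meta_cap', $args );
         }
@@ -947,5 +947,5 @@
         $post_type = get_post_type_object( $post->post_type );
         if ( $post_type && 'post' != $post_type->capability_type ) {
-            $args = array_merge( array( 'read_' . $post_type->capability_type, $user_id ), $args );
+            $args = array_merge( array( $post_type->read_cap, $user_id ), $args );
             return call_user_func_array( 'map_meta_cap', $args );
         }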
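Review bot: The re-entry into `map_meta_cap` on line 814 is now keyed on `$post_type->delete_cap`, but the only thing stopping unbounded recursion is the `'post' != $post_type->capability_type` test on the unchanged line 812; if a registered type could ever carry a `delete_cap` that maps back into this same case (the `capability_type` check no longer says anything about what the `*_cap` properties contain, and I cannot see how register_post_type derives them from here), the call would recurse until the stack is exhausted. A cheap guard that makes the intent explicit is to compare the resolved cap with the one being mapped before re-entering, e.g. `if ( $post_type && 'post' != $post_type->capability_type && 'delete_post' != $post_type->delete_cap ) {`, with the matching `edit_post`/`read_post` checks in the 888 and 947 hunks, which have the same shape. The switch that encloses these cases begins and ends outside the hunks.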