Changeset 38698

Timestamp:

09/30/2016 10:39:32 PM (8 years ago)

Author:

johnbillion

Message:

Taxonomy: Introduce more fine grained capabilities for managing taxonomy terms.

This introduces the singular edit_term, delete_term, and assign_term meta capabilities for terms, and switches the base capability name for tags from manage_categories to manage_post_tags and the corresponding edit_post_tags, delete_post_tags, and assign_post_tags.

All of these capabilities ultimately map to manage_categories so by default there is no change in the behaviour of the capabilities for categories, tags, or custom taxonomies. The map_meta_cap filter and the capabilities argument when registering a taxonomy now allow for control over editing, deleting, and assigning individual terms, as well as a separation of capabilities for tags from those of categories.

Fixes #35614
Props johnjamesjacoby for feedback

Location:

trunk

Files:

• src/wp-admin/edit-tags.php (modified) (3 diffs)
• src/wp-admin/includes/ajax-actions.php (modified) (3 diffs)
• src/wp-admin/includes/class-wp-terms-list-table.php (modified) (5 diffs)
• src/wp-admin/includes/meta-boxes.php (modified) (1 diff)
• src/wp-admin/term.php (modified) (1 diff)
• src/wp-includes/admin-bar.php (modified) (1 diff)
• src/wp-includes/capabilities.php (modified) (1 diff)
• src/wp-includes/class-wp-xmlrpc-server.php (modified) (7 diffs)
• src/wp-includes/link-template.php (modified) (2 diffs)
• src/wp-includes/taxonomy.php (modified) (2 diffs)
• tests/phpunit/tests/user/capabilities.php (modified) (4 diffs)
• tests/phpunit/tests/xmlrpc/wp/deleteTerm.php (modified) (1 diff)
• tests/phpunit/tests/xmlrpc/wp/editTerm.php (modified) (1 diff)
• tests/phpunit/tests/xmlrpc/wp/getTerm.php (modified) (1 diff)

trunk/src/wp-admin/edit-tags.php

@@ -109 +109 @@
     check_admin_referer( 'delete-tag_' . $tag_ID );
 
-    if ( ! current_user_can( $tax->cap->delete_terms ) ) {
+    if ( ! current_user_can( 'delete_term', $tag_ID ) ) {
         wp_die(
             '<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
@@ -169 +169 @@
     check_admin_referer( 'update-tag_' . $tag_ID );
 
-    if ( ! current_user_can( $tax->cap->edit_terms ) ) {
+    if ( ! current_user_can( 'edit_term', $tag_ID ) ) {
         wp_die(
             '<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
@@ -314 +314 @@
 
 require_once( ABSPATH . 'wp-admin/admin-header.php' );
-
-if ( ! current_user_can( $tax->cap->edit_terms ) ) {
-    wp_die(
-        '<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
-        '<p>' . __( 'Sorry, you are not allowed to edit this item.' ) . '</p>',
-        403
-    );
-}
 
 /** Also used by the Edit Tag  form */

trunk/src/wp-admin/includes/ajax-actions.php

@@ -595 +595 @@
     check_ajax_referer( "delete-tag_$tag_id" );
 
+    if ( ! current_user_can( 'delete_term', $tag_id ) ) {
+        wp_die( -1 );
+    }
+
     $taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag';
-    $tax = get_taxonomy($taxonomy);
-
-    if ( !current_user_can( $tax->cap->delete_terms ) )
-        wp_die( -1 );
-
     $tag = get_term( $tag_id, $taxonomy );
     if ( !$tag || is_wp_error( $tag ) )
@@ -797 +796 @@
         $action = 'add-link-category';
     check_ajax_referer( $action );
-    if ( !current_user_can( 'manage_categories' ) )
-        wp_die( -1 );
+    $tax = get_taxonomy( 'link_category' );
+    if ( ! current_user_can( $tax->cap->manage_terms ) ) {
+        wp_die( -1 );
+    }
     $names = explode(',', wp_unslash( $_POST['newcat'] ) );
     $x = new WP_Ajax_Response();
@@ -1704 +1705 @@
         wp_die( 0 );
 
-    if ( ! current_user_can( $tax->cap->edit_terms ) )
-        wp_die( -1 );
+    if ( ! isset( $_POST['tax_ID'] ) || ! ( $id = (int) $_POST['tax_ID'] ) ) {
+        wp_die( -1 );
+    }
+
+    if ( ! current_user_can( 'edit_term', $id ) ) {
+        wp_die( -1 );
+    }
 
     $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => 'edit-' . $taxonomy ) );
-
-    if ( ! isset($_POST['tax_ID']) || ! ( $id = (int) $_POST['tax_ID'] ) )
-        wp_die( -1 );
 
     $tag = get_term( $id, $taxonomy );

trunk/src/wp-admin/includes/class-wp-terms-list-table.php

@@ -152 +152 @@
     protected function get_bulk_actions() {
         $actions = array();
-        $actions['delete'] = __( 'Delete' );
+
+        if ( current_user_can( get_taxonomy( $this->screen->taxonomy )->cap->delete_terms ) ) {
+            $actions['delete'] = __( 'Delete' );
+        }
 
         return $actions;
@@ -333 +336 @@
      */
     public function column_cb( $tag ) {
-        $default_term = get_option( 'default_' . $this->screen->taxonomy );
-
-        if ( current_user_can( get_taxonomy( $this->screen->taxonomy )->cap->delete_terms ) && $tag->term_id != $default_term )
+        if ( current_user_can( 'delete_term', $tag->term_id ) ) {
             return '<label class="screen-reader-text" for="cb-select-' . $tag->term_id . '">' . sprintf( __( 'Select %s' ), $tag->name ) . '</label>'
                 . '<input type="checkbox" name="delete_tags[]" value="' . $tag->term_id . '" id="cb-select-' . $tag->term_id . '" />';
+        }
 
         return '&nbsp;';
@@ -424 +426 @@
         $taxonomy = $this->screen->taxonomy;
         $tax = get_taxonomy( $taxonomy );
-        $default_term = get_option( 'default_' . $taxonomy );
-
         $uri = wp_doing_ajax() ? wp_get_referer() : $_SERVER['REQUEST_URI'];
 
@@ -435 +435 @@
 
         $actions = array();
-        if ( current_user_can( $tax->cap->edit_terms ) ) {
+        if ( current_user_can( 'edit_term', $tag->term_id ) ) {
             $actions['edit'] = sprintf(
                 '<a href="%s" aria-label="%s">%s</a>',
@@ -450 +450 @@
             );
         }
-        if ( current_user_can( $tax->cap->delete_terms ) && $tag->term_id != $default_term ) {
+        if ( current_user_can( 'delete_term', $tag->term_id ) ) {
             $actions['delete'] = sprintf(
                 '<a href="%s" class="delete-tag aria-button-if-js" aria-label="%s">%s</a>',

trunk/src/wp-admin/includes/meta-boxes.php

@@ -435 +435 @@
     </div>
     <p class="howto" id="new-tag-<?php echo $tax_name; ?>-desc"><?php echo $taxonomy->labels->separate_items_with_commas; ?></p>
+    <?php elseif ( empty( $terms_to_edit ) ): ?>
+        <p><?php echo $taxonomy->labels->no_terms; ?></p>
     <?php endif; ?>
     </div>

trunk/src/wp-admin/term.php

@@ -32 +32 @@
 
 if ( ! in_array( $taxonomy, get_taxonomies( array( 'show_ui' => true ) ) ) ||
-     ! current_user_can( $tax->cap->manage_terms )
+     ! current_user_can( 'edit_term', $tag->term_id )
 ) {
     wp_die(
         '<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
-        '<p>' . __( 'Sorry, you are not allowed to manage this item.' ) . '</p>',
+        '<p>' . __( 'Sorry, you are not allowed to edit this item.' ) . '</p>',
         403
     );

trunk/src/wp-includes/admin-bar.php

@@ -636 +636 @@
         } elseif ( ! empty( $current_object->taxonomy )
             && ( $tax = get_taxonomy( $current_object->taxonomy ) )
-            && current_user_can( $tax->cap->edit_terms )
+            && current_user_can( 'edit_term', $current_object->term_id )
             && $edit_term_link = get_edit_term_link( $current_object->term_id, $current_object->taxonomy ) )
         {

trunk/src/wp-includes/capabilities.php

@@ -403 +403 @@
         $caps[] = 'manage_options';
         break;
+    case 'edit_term':
+    case 'delete_term':
+    case 'assign_term':
+        $term_id = $args[0];
+        $term = get_term( $term_id );
+        if ( ! $term || is_wp_error( $term ) ) {
+            $caps[] = 'do_not_allow';
+            break;
+        }
+
+        $tax = get_taxonomy( $term->taxonomy );
+        if ( ! $tax ) {
+            $caps[] = 'do_not_allow';
+            break;
+        }
+
+        if ( 'delete_term' === $cap && ( $term->term_id == get_option( 'default_' . $term->taxonomy ) ) ) {
+            $caps[] = 'do_not_allow';
+            break;
+        }
+
+        $taxo_cap = $cap . 's';
+
+        $caps = map_meta_cap( $tax->cap->$taxo_cap, $user_id, $term_id );
+
+        break;
+    case 'manage_post_tags':
+    case 'edit_categories':
+    case 'edit_post_tags':
+    case 'delete_categories':
+    case 'delete_post_tags':
+        $caps[] = 'manage_categories';
+        break;
+    case 'assign_categories':
+    case 'assign_post_tags':
+        $caps[] = 'edit_posts';
+        break;
     case 'create_sites':
     case 'delete_sites':

trunk/src/wp-includes/class-wp-xmlrpc-server.php

@@ -1887 +1887 @@
         $taxonomy = get_taxonomy( $content_struct['taxonomy'] );
 
-        if ( ! current_user_can( $taxonomy->cap->manage_terms ) )
+        if ( ! current_user_can( $taxonomy->cap->edit_terms ) ) {
             return new IXR_Error( 401, __( 'Sorry, you are not allowed to create terms in this taxonomy.' ) );
+        }
 
         $taxonomy = (array) $taxonomy;
@@ -1974 +1975 @@
         $taxonomy = get_taxonomy( $content_struct['taxonomy'] );
 
-        if ( ! current_user_can( $taxonomy->cap->edit_terms ) )
-            return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ) );
-
         $taxonomy = (array) $taxonomy;
 
@@ -1989 +1987 @@
         if ( ! $term )
             return new IXR_Error( 404, __( 'Invalid term ID.' ) );
+
+        if ( ! current_user_can( 'edit_term', $term_id ) ) {
+            return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this term.' ) );
+        }
 
         if ( isset( $content_struct['name'] ) ) {
@@ -2069 +2071 @@
 
         $taxonomy = get_taxonomy( $taxonomy );
-
-        if ( ! current_user_can( $taxonomy->cap->delete_terms ) )
-            return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete terms in this taxonomy.' ) );
-
         $term = get_term( $term_id, $taxonomy->name );
 
@@ -2080 +2078 @@
         if ( ! $term )
             return new IXR_Error( 404, __( 'Invalid term ID.' ) );
+
+        if ( ! current_user_can( 'delete_term', $term_id ) ) {
+            return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete this term.' ) );
+        }
 
         $result = wp_delete_term( $term_id, $taxonomy->name );
@@ -2141 +2143 @@
         $taxonomy = get_taxonomy( $taxonomy );
 
-        if ( ! current_user_can( $taxonomy->cap->assign_terms ) )
-            return new IXR_Error( 401, __( 'Sorry, you are not allowed to assign terms in this taxonomy.' ) );
-
         $term = get_term( $term_id , $taxonomy->name, ARRAY_A );
 
@@ -2151 +2150 @@
         if ( ! $term )
             return new IXR_Error( 404, __( 'Invalid term ID.' ) );
+
+        if ( ! current_user_can( 'assign_term', $term_id ) ) {
+            return new IXR_Error( 401, __( 'Sorry, you are not allowed to assign this term.' ) );
+        }
 
         return $this->_prepare_term( $term );

trunk/src/wp-includes/link-template.php

@@ -931 +931 @@
 
     $tax = get_taxonomy( $term->taxonomy );
-    if ( ! $tax || ! current_user_can( $tax->cap->edit_terms ) ) {
+    if ( ! $tax || ! current_user_can( 'edit_term', $term->term_id ) ) {
         return;
     }
@@ -985 +985 @@
 
     $tax = get_taxonomy( $term->taxonomy );
-    if ( ! current_user_can( $tax->cap->edit_terms ) ) {
+    if ( ! current_user_can( 'edit_term', $term->term_id ) ) {
         return;
     }

trunk/src/wp-includes/taxonomy.php

@@ -62 +62 @@
         'show_admin_column' => true,
         '_builtin' => true,
+        'capabilities' => array(
+            'manage_terms' => 'manage_categories',
+            'edit_terms'   => 'edit_categories',
+            'delete_terms' => 'delete_categories',
+            'assign_terms' => 'assign_categories',
+        ),
     ) );
 
@@ -72 +78 @@
         'show_admin_column' => true,
         '_builtin' => true,
+        'capabilities' => array(
+            'manage_terms' => 'manage_post_tags',
+            'edit_terms'   => 'edit_post_tags',
+            'delete_terms' => 'delete_post_tags',
+            'assign_terms' => 'assign_post_tags',
+        ),
     ) );
 

trunk/tests/phpunit/tests/user/capabilities.php

@@ -224 +224 @@
             'delete_site'            => array( 'administrator' ),
             'add_users'              => array( 'administrator' ),
+
+            'edit_categories'        => array( 'administrator', 'editor' ),
+            'delete_categories'      => array( 'administrator', 'editor' ),
+            'manage_post_tags'       => array( 'administrator', 'editor' ),
+            'edit_post_tags'         => array( 'administrator', 'editor' ),
+            'delete_post_tags'       => array( 'administrator', 'editor' ),
+
+            'assign_categories'      => array( 'administrator', 'editor', 'author', 'contributor' ),
+            'assign_post_tags'       => array( 'administrator', 'editor', 'author', 'contributor' ),
         );
     }
@@ -243 +252 @@
             'delete_site'            => array( 'administrator' ),
             'add_users'              => array( 'administrator' ),
+
+            'edit_categories'        => array( 'administrator', 'editor' ),
+            'delete_categories'      => array( 'administrator', 'editor' ),
+            'manage_post_tags'       => array( 'administrator', 'editor' ),
+            'edit_post_tags'         => array( 'administrator', 'editor' ),
+            'delete_post_tags'       => array( 'administrator', 'editor' ),
+
+            'assign_categories'      => array( 'administrator', 'editor', 'author', 'contributor' ),
+            'assign_post_tags'       => array( 'administrator', 'editor', 'author', 'contributor' ),
         );
     }
@@ -400 +418 @@
             $expected['add_post_meta'],
             $expected['edit_comment'],
+            $expected['edit_term'],
+            $expected['delete_term'],
+            $expected['assign_term'],
             $expected['delete_user']
         );
@@ -1077 +1098 @@
             ), $caps, "Meta cap: {$meta_cap}" );
         }
+    }
+
+    /**
+     * @dataProvider dataTaxonomies
+     *
+     * @ticket 35614
+     */
+    public function test_default_taxonomy_term_cannot_be_deleted( $taxonomy ) {
+        if ( ! taxonomy_exists( $taxonomy ) ) {
+            register_taxonomy( $taxonomy, 'post' );
+        }
+
+        $tax  = get_taxonomy( $taxonomy );
+        $user = self::$users['administrator'];
+        $term = self::factory()->term->create_and_get( array(
+            'taxonomy' => $taxonomy,
+        ) );
+
+        update_option( "default_{$taxonomy}", $term->term_id );
+
+        $this->assertTrue( user_can( $user->ID, $tax->cap->delete_terms ) );
+        $this->assertFalse( user_can( $user->ID, 'delete_term', $term->term_id ) );
+    }
+
+    /**
+     * @dataProvider dataTaxonomies
+     *
+     * @ticket 35614
+     */
+    public function test_taxonomy_caps_map_correctly_to_their_meta_cap( $taxonomy ) {
+        if ( ! taxonomy_exists( $taxonomy ) ) {
+            register_taxonomy( $taxonomy, 'post' );
+        }
+
+        $tax  = get_taxonomy( $taxonomy );
+        $term = self::factory()->term->create_and_get( array(
+            'taxonomy' => $taxonomy,
+        ) );
+
+        foreach ( self::$users as $role => $user ) {
+            $this->assertSame(
+                user_can( $user->ID, 'edit_term', $term->term_id ),
+                user_can( $user->ID, $tax->cap->edit_terms ),
+                "Role: {$role}"
+            );
+            $this->assertSame(
+                user_can( $user->ID, 'delete_term', $term->term_id ),
+                user_can( $user->ID, $tax->cap->delete_terms ),
+                "Role: {$role}"
+            );
+            $this->assertSame(
+                user_can( $user->ID, 'assign_term', $term->term_id ),
+                user_can( $user->ID, $tax->cap->assign_terms ),
+                "Role: {$role}"
+            );
+        }
+
     }
 

trunk/tests/phpunit/tests/xmlrpc/wp/deleteTerm.php

@@ -44 +44 @@
         $this->assertInstanceOf( 'IXR_Error', $result );
         $this->assertEquals( 401, $result->code );
-        $this->assertEquals( __( 'Sorry, you are not allowed to delete terms in this taxonomy.' ), $result->message );
+        $this->assertEquals( __( 'Sorry, you are not allowed to delete this term.' ), $result->message );
     }
 

trunk/tests/phpunit/tests/xmlrpc/wp/editTerm.php

@@ -50 +50 @@
         $this->assertInstanceOf( 'IXR_Error', $result );
         $this->assertEquals( 401, $result->code );
-        $this->assertEquals( __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ), $result->message );
+        $this->assertEquals( __( 'Sorry, you are not allowed to edit this term.' ), $result->message );
     }
 

trunk/tests/phpunit/tests/xmlrpc/wp/getTerm.php

@@ -44 +44 @@
         $this->assertInstanceOf( 'IXR_Error', $result );
         $this->assertEquals( 401, $result->code );
-        $this->assertEquals( __( 'Sorry, you are not allowed to assign terms in this taxonomy.' ), $result->message );
+        $this->assertEquals( __( 'Sorry, you are not allowed to assign this term.' ), $result->message );
     }