Changeset 39179 for trunk/src/wp-includes/capabilities.php

Timestamp:

11/09/2016 03:41:07 AM (7 years ago)

Author:

rmccue

Message:

Roles/Capabilities: Add meta-caps for comment, term, and user meta.

Additionally, use these meta-caps in the REST API endpoints.

Previously, register_meta()'s auth_callback had no effect for non-post meta. This introduces {add,edit,delete}_{comment,term,user}_meta meta-caps to match the existing post meta capabilities. These are currently only used in the REST API.

Props tharsheblows, boonebgorges.
Fixes #38303, fixes #38412.

File:

• trunk/src/wp-includes/capabilities.php (modified) (1 diff)

trunk/src/wp-includes/capabilities.php

@@ -243 +243 @@
     case 'delete_post_meta':
     case 'add_post_meta':
-        $post = get_post( $args[0] );
-        if ( ! $post ) {
-            $caps[] = 'do_not_allow';
-            break;
-        }
-
-        $post_type = get_post_type( $post );
-
-        $caps = map_meta_cap( 'edit_post', $user_id, $post->ID );
-
-        $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false;
-
-        if ( $meta_key && ( has_filter( "auth_post_meta_{$meta_key}" ) || has_filter( "auth_post_{$post_type}_meta_{$meta_key}" ) ) ) {
-            /**
-             * Filters whether the user is allowed to add post meta to a post.
-             *
-             * The dynamic portion of the hook name, `$meta_key`, refers to the
-             * meta key passed to map_meta_cap().
-             *
-             * @since 3.3.0
-             *
-             * @param bool   $allowed  Whether the user can add the post meta. Default false.
-             * @param string $meta_key The meta key.
-             * @param int    $post_id  Post ID.
-             * @param int    $user_id  User ID.
-             * @param string $cap      Capability name.
-             * @param array  $caps     User capabilities.
-             */
-            $allowed = apply_filters( "auth_post_meta_{$meta_key}", false, $meta_key, $post->ID, $user_id, $cap, $caps );
-
-            /**
-             * Filters whether the user is allowed to add post meta to a post of a given type.
-             *
-             * The dynamic portions of the hook name, `$meta_key` and `$post_type`,
-             * refer to the meta key passed to map_meta_cap() and the post type, respectively.
-             *
-             * @since 4.6.0
-             *
-             * @param bool   $allowed  Whether the user can add the post meta. Default false.
-             * @param string $meta_key The meta key.
-             * @param int    $post_id  Post ID.
-             * @param int    $user_id  User ID.
-             * @param string $cap      Capability name.
-             * @param array  $caps     User capabilities.
-             */
-            $allowed = apply_filters( "auth_post_{$post_type}_meta_{$meta_key}", $allowed, $meta_key, $post->ID, $user_id, $cap, $caps );
-
-            if ( ! $allowed )
+    case 'edit_comment_meta':
+    case 'delete_comment_meta':
+    case 'add_comment_meta':
+    case 'edit_term_meta':
+    case 'delete_term_meta':
+    case 'add_term_meta':
+    case 'edit_user_meta':
+    case 'delete_user_meta':
+    case 'add_user_meta':
+        list( $_, $object_type, $_ ) = explode( '_', $cap );
+        $object_id = (int) $args[0];
+
+        switch ( $object_type ) {
+            case 'post':
+                $post = get_post( $object_id );
+                if ( ! $post ) {
+                    break;
+                }
+
+                $sub_type = get_post_type( $post );
+                break;
+
+            case 'comment':
+                $comment = get_comment( $object_id );
+                if ( ! $comment ) {
+                    break;
+                }
+
+                $sub_type = empty( $comment->comment_type ) ? 'comment' : $comment->comment_type;
+                break;
+
+            case 'term':
+                $term = get_term( $object_id );
+                if ( ! $term ) {
+                    break;
+                }
+
+                $sub_type = $term->taxonomy;
+                break;
+
+            case 'user':
+                $user = get_user_by( 'id', $object_id );
+                if ( ! $user ) {
+                    break;
+                }
+
+                $sub_type = 'user';
+                break;
+        }
+
+        if ( empty( $sub_type ) ) {
+            $caps[] = 'do_not_allow';
+            break;
+        }
+
+        $caps = map_meta_cap( "edit_{$object_type}", $user_id, $object_id );
+
+        $meta_key = isset( $args[1] ) ? $args[1] : false;
+
+        $has_filter = has_filter( "auth_{$object_type}_meta_{$meta_key}" ) || has_filter( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}" );
+        if ( $meta_key && $has_filter ) {
+            /** This filter is documented in wp-includes/meta.php */
+            $allowed = apply_filters( "auth_{$object_type}_meta_{$meta_key}", false, $meta_key, $object_id, $user_id, $cap, $caps );
+
+            /** This filter is documented in wp-includes/meta.php */
+            $allowed = apply_filters( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}", $allowed, $meta_key, $object_id, $user_id, $cap, $caps );
+
+            if ( ! $allowed ) {
                 $caps[] = $cap;
-        } elseif ( $meta_key && is_protected_meta( $meta_key, 'post' ) ) {
+            }
+        } elseif ( $meta_key && is_protected_meta( $meta_key, $object_type ) ) {
             $caps[] = $cap;
         }