

Timestamp:
11/09/2016 03:41:07 AM (8 years ago)
Author:
rmccue
Message:

Roles/Capabilities: Add meta-caps for comment, term, and user meta.

Additionally, use these meta-caps in the REST API endpoints.

Previously, register_meta()'s auth_callback had no effect for non-post meta. This introduces {add,edit,delete}_{comment,term,user}_meta meta-caps to match the existing post meta capabilities. These are currently only used in the REST API.

Props tharsheblows, boonebgorges.
Fixes #38303, fixes #38412.

File:
1 edited

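--- a/trunk/tests/phpunit/tests/user/capabilities.php
+++ b/trunk/tests/phpunit/tests/user/capabilities.php
@@ -432,8 +432,17 @@
             $expected['add_post_meta'],
             $expected['edit_comment'],
+            $expected['edit_comment_meta'],
+            $expected['delete_comment_meta'],
+            $expected['add_comment_meta'],
             $expected['edit_term'],
             $expected['delete_term'],
             $expected['assign_term'],
-            $expected['delete_user']
+            $expected['edit_term_meta'],
+            $expected['delete_term_meta'],
+            $expected['add_term_meta'],
+            $expected['delete_user'],
+            $expected['edit_user_meta'],
+            $expected['delete_user_meta'],
+            $expected['add_user_meta']
         );
 
@@ -1664,3 +1673,84 @@
         $wp_roles->reinit();
     }
+
+    /**
+     * @ticket 38412
+     */
+    public function test_no_one_can_edit_user_meta_for_non_existent_term() {
+        wp_set_current_user( self::$super_admin->ID );
+        $this->assertFalse( current_user_can( 'edit_user_meta', 999999 ) );
+    }
+
+    /**
+     * @ticket 38412
+     */
+    public function test_user_can_edit_user_meta() {
+        wp_set_current_user( self::$users['administrator']->ID );
+        if ( is_multisite() ) {
+            grant_super_admin( self::$users['administrator']->ID );
+        }
+        $this->assertTrue( current_user_can( 'edit_user_meta', self::$users['subscriber']->ID, 'foo' ) );
+    }
+
+    /**
+     * @ticket 38412
+     */
+    public function test_user_cannot_edit_user_meta() {
+        wp_set_current_user( self::$users['editor']->ID );
+        $this->assertFalse( current_user_can( 'edit_user_meta', self::$users['subscriber']->ID, 'foo' ) );
+    }
+
+    /**
+     * @ticket 38412
+     */
+    public function test_no_one_can_delete_user_meta_for_non_existent_term() {
+        wp_set_current_user( self::$super_admin->ID );
+        $this->assertFalse( current_user_can( 'delete_user_meta', 999999, 'foo' ) );
+    }
+
+    /**
+     * @ticket 38412
+     */
+    public function test_user_can_delete_user_meta() {
+        wp_set_current_user( self::$users['administrator']->ID );
+        if ( is_multisite() ) {
+            grant_super_admin( self::$users['administrator']->ID );
+        }
+        $this->assertTrue( current_user_can( 'delete_user_meta', self::$users['subscriber']->ID, 'foo' ) );
+    }
+
+    /**
+     * @ticket 38412
+     */
+    public function test_user_cannot_delete_user_meta() {
+        wp_set_current_user( self::$users['editor']->ID );
+        $this->assertFalse( current_user_can( 'delete_user_meta', self::$users['subscriber']->ID, 'foo' ) );
+    }
+
+    /**
+     * @ticket 38412
+     */
+    public function test_no_one_can_add_user_meta_for_non_existent_term() {
+        wp_set_current_user( self::$super_admin->ID );
+        $this->assertFalse( current_user_can( 'add_user_meta', 999999, 'foo' ) );
+    }
+
+    /**
+     * @ticket 38412
+     */
+    public function test_user_can_add_user_meta() {
+        wp_set_current_user( self::$users['administrator']->ID );
+        if ( is_multisite() ) {
+            grant_super_admin( self::$users['administrator']->ID );
+        }
+        $this->assertTrue( current_user_can( 'add_user_meta', self::$users['subscriber']->ID, 'foo' ) );
+    }
+
+    /**
+     * @ticket 38412
+     */
+    public function test_user_cannot_add_user_meta() {
+        wp_set_current_user( self::$users['editor']->ID );
+        $this->assertFalse( current_user_can( 'add_user_meta', self::$users['subscriber']->ID, 'foo' ) );
+    }
 }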
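Review bot: The three `test_no_one_can_*_user_meta_for_non_existent_term` tests (new lines 1679, 1706 and 1733) pass a non-existent user ID, not a term, so the names look copied from the term-meta tests and would read correctly as `..._for_non_existent_user`. The edit variant at new line 1681 also omits the meta key that the delete and add variants pass; `current_user_can( 'edit_user_meta', 999999, 'foo' )` would keep the three parallel. The denial cases only exercise the editor role, and since these caps gate writes to another user's meta, a subscriber acting on a different user and a logged-out caller (`wp_set_current_user( 0 )`) would pin the authorization boundary more firmly. The enclosing test class begins outside the hunk, so whether `grant_super_admin()` is undone between tests cannot be confirmed from here.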