Changeset 42343 for trunk/src/wp-includes/capabilities.php
- Timestamp:
- 11/30/2017 11:09:33 PM (3 years ago)
- File:
-
- 1 edited
-
trunk/src/wp-includes/capabilities.php (modified) (8 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/src/wp-includes/capabilities.php
r41885 r42343 32 32 33 33 switch ( $cap ) { 34 case 'remove_user': 35 // In multisite the user must be a super admin to remove themselves. 36 if ( isset( $args[0] ) && $user_id == $args[0] && ! is_super_admin( $user_id ) ) { 37 $caps[] = 'do_not_allow'; 38 } else { 39 $caps[] = 'remove_users'; 40 } 41 break; 42 case 'promote_user': 43 case 'add_users': 44 $caps[] = 'promote_users'; 45 break; 46 case 'edit_user': 47 case 'edit_users': 48 // Allow user to edit itself 49 if ( 'edit_user' == $cap && isset( $args[0] ) && $user_id == $args[0] ) 50 break; 51 52 // In multisite the user must have manage_network_users caps. If editing a super admin, the user must be a super admin. 53 if ( is_multisite() && ( ( ! is_super_admin( $user_id ) && 'edit_user' === $cap && is_super_admin( $args[0] ) ) || ! user_can( $user_id, 'manage_network_users' ) ) ) { 54 $caps[] = 'do_not_allow'; 55 } else { 56 $caps[] = 'edit_users'; // edit_user maps to edit_users. 57 } 58 break; 59 case 'delete_post': 60 case 'delete_page': 61 $post = get_post( $args[0] ); 62 if ( ! $post ) { 63 $caps[] = 'do_not_allow'; 64 break; 65 } 66 67 if ( 'revision' == $post->post_type ) { 68 $post = get_post( $post->post_parent ); 34 case 'remove_user': 35 // In multisite the user must be a super admin to remove themselves. 36 if ( isset( $args[0] ) && $user_id == $args[0] && ! is_super_admin( $user_id ) ) { 37 $caps[] = 'do_not_allow'; 38 } else { 39 $caps[] = 'remove_users'; 40 } 41 break; 42 case 'promote_user': 43 case 'add_users': 44 $caps[] = 'promote_users'; 45 break; 46 case 'edit_user': 47 case 'edit_users': 48 // Allow user to edit itself 49 if ( 'edit_user' == $cap && isset( $args[0] ) && $user_id == $args[0] ) { 50 break; 51 } 52 53 // In multisite the user must have manage_network_users caps. If editing a super admin, the user must be a super admin. 54 if ( is_multisite() && ( ( ! is_super_admin( $user_id ) && 'edit_user' === $cap && is_super_admin( $args[0] ) ) || ! user_can( $user_id, 'manage_network_users' ) ) ) { 55 $caps[] = 'do_not_allow'; 56 } else { 57 $caps[] = 'edit_users'; // edit_user maps to edit_users. 58 } 59 break; 60 case 'delete_post': 61 case 'delete_page': 62 $post = get_post( $args[0] ); 69 63 if ( ! $post ) { 70 64 $caps[] = 'do_not_allow'; 71 65 break; 72 66 } 73 } 74 75 if ( ( get_option( 'page_for_posts' ) == $post->ID ) || ( get_option( 'page_on_front' ) == $post->ID ) ) { 76 $caps[] = 'manage_options'; 77 break; 78 } 79 80 $post_type = get_post_type_object( $post->post_type ); 81 if ( ! $post_type ) { 82 /* translators: 1: post type, 2: capability name */ 83 _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post type %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post of that type.' ), $post->post_type, $cap ), '4.4.0' ); 84 $caps[] = 'edit_others_posts'; 85 break; 86 } 87 88 if ( ! $post_type->map_meta_cap ) { 89 $caps[] = $post_type->cap->$cap; 90 // Prior to 3.1 we would re-call map_meta_cap here. 91 if ( 'delete_post' == $cap ) 92 $cap = $post_type->cap->$cap; 93 break; 94 } 95 96 // If the post author is set and the user is the author... 97 if ( $post->post_author && $user_id == $post->post_author ) { 98 // If the post is published or scheduled... 99 if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) { 100 $caps[] = $post_type->cap->delete_published_posts; 101 } elseif ( 'trash' == $post->post_status ) { 102 $status = get_post_meta( $post->ID, '_wp_trash_meta_status', true ); 103 if ( in_array( $status, array( 'publish', 'future' ), true ) ) { 67 68 if ( 'revision' == $post->post_type ) { 69 $post = get_post( $post->post_parent ); 70 if ( ! $post ) { 71 $caps[] = 'do_not_allow'; 72 break; 73 } 74 } 75 76 if ( ( get_option( 'page_for_posts' ) == $post->ID ) || ( get_option( 'page_on_front' ) == $post->ID ) ) { 77 $caps[] = 'manage_options'; 78 break; 79 } 80 81 $post_type = get_post_type_object( $post->post_type ); 82 if ( ! $post_type ) { 83 /* translators: 1: post type, 2: capability name */ 84 _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post type %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post of that type.' ), $post->post_type, $cap ), '4.4.0' ); 85 $caps[] = 'edit_others_posts'; 86 break; 87 } 88 89 if ( ! $post_type->map_meta_cap ) { 90 $caps[] = $post_type->cap->$cap; 91 // Prior to 3.1 we would re-call map_meta_cap here. 92 if ( 'delete_post' == $cap ) { 93 $cap = $post_type->cap->$cap; 94 } 95 break; 96 } 97 98 // If the post author is set and the user is the author... 99 if ( $post->post_author && $user_id == $post->post_author ) { 100 // If the post is published or scheduled... 101 if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) { 104 102 $caps[] = $post_type->cap->delete_published_posts; 103 } elseif ( 'trash' == $post->post_status ) { 104 $status = get_post_meta( $post->ID, '_wp_trash_meta_status', true ); 105 if ( in_array( $status, array( 'publish', 'future' ), true ) ) { 106 $caps[] = $post_type->cap->delete_published_posts; 107 } else { 108 $caps[] = $post_type->cap->delete_posts; 109 } 105 110 } else { 111 // If the post is draft... 106 112 $caps[] = $post_type->cap->delete_posts; 107 113 } 108 114 } else { 109 // If the post is draft... 110 $caps[] = $post_type->cap->delete_posts; 111 } 112 } else { 113 // The user is trying to edit someone else's post. 114 $caps[] = $post_type->cap->delete_others_posts; 115 // The post is published or scheduled, extra cap required. 116 if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) { 117 $caps[] = $post_type->cap->delete_published_posts; 118 } elseif ( 'private' == $post->post_status ) { 119 $caps[] = $post_type->cap->delete_private_posts; 120 } 121 } 122 break; 115 // The user is trying to edit someone else's post. 116 $caps[] = $post_type->cap->delete_others_posts; 117 // The post is published or scheduled, extra cap required. 118 if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) { 119 $caps[] = $post_type->cap->delete_published_posts; 120 } elseif ( 'private' == $post->post_status ) { 121 $caps[] = $post_type->cap->delete_private_posts; 122 } 123 } 124 break; 123 125 // edit_post breaks down to edit_posts, edit_published_posts, or 124 126 // edit_others_posts 125 case 'edit_post': 126 case 'edit_page': 127 $post = get_post( $args[0] ); 128 if ( ! $post ) { 129 $caps[] = 'do_not_allow'; 130 break; 131 } 132 133 if ( 'revision' == $post->post_type ) { 134 $post = get_post( $post->post_parent ); 127 case 'edit_post': 128 case 'edit_page': 129 $post = get_post( $args[0] ); 135 130 if ( ! $post ) { 136 131 $caps[] = 'do_not_allow'; 137 132 break; 138 133 } 139 } 140 141 $post_type = get_post_type_object( $post->post_type ); 142 if ( ! $post_type ) { 143 /* translators: 1: post type, 2: capability name */ 144 _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post type %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post of that type.' ), $post->post_type, $cap ), '4.4.0' ); 145 $caps[] = 'edit_others_posts'; 146 break; 147 } 148 149 if ( ! $post_type->map_meta_cap ) { 150 $caps[] = $post_type->cap->$cap; 151 // Prior to 3.1 we would re-call map_meta_cap here. 152 if ( 'edit_post' == $cap ) 153 $cap = $post_type->cap->$cap; 154 break; 155 } 156 157 // If the post author is set and the user is the author... 158 if ( $post->post_author && $user_id == $post->post_author ) { 159 // If the post is published or scheduled... 160 if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) { 161 $caps[] = $post_type->cap->edit_published_posts; 162 } elseif ( 'trash' == $post->post_status ) { 163 $status = get_post_meta( $post->ID, '_wp_trash_meta_status', true ); 164 if ( in_array( $status, array( 'publish', 'future' ), true ) ) { 134 135 if ( 'revision' == $post->post_type ) { 136 $post = get_post( $post->post_parent ); 137 if ( ! $post ) { 138 $caps[] = 'do_not_allow'; 139 break; 140 } 141 } 142 143 $post_type = get_post_type_object( $post->post_type ); 144 if ( ! $post_type ) { 145 /* translators: 1: post type, 2: capability name */ 146 _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post type %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post of that type.' ), $post->post_type, $cap ), '4.4.0' ); 147 $caps[] = 'edit_others_posts'; 148 break; 149 } 150 151 if ( ! $post_type->map_meta_cap ) { 152 $caps[] = $post_type->cap->$cap; 153 // Prior to 3.1 we would re-call map_meta_cap here. 154 if ( 'edit_post' == $cap ) { 155 $cap = $post_type->cap->$cap; 156 } 157 break; 158 } 159 160 // If the post author is set and the user is the author... 161 if ( $post->post_author && $user_id == $post->post_author ) { 162 // If the post is published or scheduled... 163 if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) { 165 164 $caps[] = $post_type->cap->edit_published_posts; 165 } elseif ( 'trash' == $post->post_status ) { 166 $status = get_post_meta( $post->ID, '_wp_trash_meta_status', true ); 167 if ( in_array( $status, array( 'publish', 'future' ), true ) ) { 168 $caps[] = $post_type->cap->edit_published_posts; 169 } else { 170 $caps[] = $post_type->cap->edit_posts; 171 } 166 172 } else { 173 // If the post is draft... 167 174 $caps[] = $post_type->cap->edit_posts; 168 175 } 169 176 } else { 170 // If the post is draft... 171 $caps[] = $post_type->cap->edit_posts; 172 } 173 } else { 174 // The user is trying to edit someone else's post. 175 $caps[] = $post_type->cap->edit_others_posts; 176 // The post is published or scheduled, extra cap required. 177 if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) { 178 $caps[] = $post_type->cap->edit_published_posts; 179 } elseif ( 'private' == $post->post_status ) { 180 $caps[] = $post_type->cap->edit_private_posts; 181 } 182 } 183 break; 184 case 'read_post': 185 case 'read_page': 186 $post = get_post( $args[0] ); 187 if ( ! $post ) { 188 $caps[] = 'do_not_allow'; 189 break; 190 } 191 192 if ( 'revision' == $post->post_type ) { 193 $post = get_post( $post->post_parent ); 177 // The user is trying to edit someone else's post. 178 $caps[] = $post_type->cap->edit_others_posts; 179 // The post is published or scheduled, extra cap required. 180 if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) { 181 $caps[] = $post_type->cap->edit_published_posts; 182 } elseif ( 'private' == $post->post_status ) { 183 $caps[] = $post_type->cap->edit_private_posts; 184 } 185 } 186 break; 187 case 'read_post': 188 case 'read_page': 189 $post = get_post( $args[0] ); 194 190 if ( ! $post ) { 195 191 $caps[] = 'do_not_allow'; 196 192 break; 197 193 } 198 } 199 200 $post_type = get_post_type_object( $post->post_type ); 201 if ( ! $post_type ) { 202 /* translators: 1: post type, 2: capability name */ 203 _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post type %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post of that type.' ), $post->post_type, $cap ), '4.4.0' ); 204 $caps[] = 'edit_others_posts'; 205 break; 206 } 207 208 if ( ! $post_type->map_meta_cap ) { 209 $caps[] = $post_type->cap->$cap; 210 // Prior to 3.1 we would re-call map_meta_cap here. 211 if ( 'read_post' == $cap ) 212 $cap = $post_type->cap->$cap; 213 break; 214 } 215 216 $status_obj = get_post_status_object( $post->post_status ); 217 if ( $status_obj->public ) { 218 $caps[] = $post_type->cap->read; 219 break; 220 } 221 222 if ( $post->post_author && $user_id == $post->post_author ) { 223 $caps[] = $post_type->cap->read; 224 } elseif ( $status_obj->private ) { 225 $caps[] = $post_type->cap->read_private_posts; 226 } else { 227 $caps = map_meta_cap( 'edit_post', $user_id, $post->ID ); 228 } 229 break; 230 case 'publish_post': 231 $post = get_post( $args[0] ); 232 if ( ! $post ) { 233 $caps[] = 'do_not_allow'; 234 break; 235 } 236 237 $post_type = get_post_type_object( $post->post_type ); 238 if ( ! $post_type ) { 239 /* translators: 1: post type, 2: capability name */ 240 _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post type %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post of that type.' ), $post->post_type, $cap ), '4.4.0' ); 241 $caps[] = 'edit_others_posts'; 242 break; 243 } 244 245 $caps[] = $post_type->cap->publish_posts; 246 break; 247 case 'edit_post_meta': 248 case 'delete_post_meta': 249 case 'add_post_meta': 250 case 'edit_comment_meta': 251 case 'delete_comment_meta': 252 case 'add_comment_meta': 253 case 'edit_term_meta': 254 case 'delete_term_meta': 255 case 'add_term_meta': 256 case 'edit_user_meta': 257 case 'delete_user_meta': 258 case 'add_user_meta': 259 list( $_, $object_type, $_ ) = explode( '_', $cap ); 260 $object_id = (int) $args[0]; 261 262 switch ( $object_type ) { 263 case 'post': 264 $post = get_post( $object_id ); 194 195 if ( 'revision' == $post->post_type ) { 196 $post = get_post( $post->post_parent ); 265 197 if ( ! $post ) { 198 $caps[] = 'do_not_allow'; 266 199 break; 267 200 } 268 269 $sub_type = get_post_type( $post ); 270 break; 271 272 case 'comment': 273 $comment = get_comment( $object_id ); 274 if ( ! $comment ) { 201 } 202 203 $post_type = get_post_type_object( $post->post_type ); 204 if ( ! $post_type ) { 205 /* translators: 1: post type, 2: capability name */ 206 _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post type %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post of that type.' ), $post->post_type, $cap ), '4.4.0' ); 207 $caps[] = 'edit_others_posts'; 208 break; 209 } 210 211 if ( ! $post_type->map_meta_cap ) { 212 $caps[] = $post_type->cap->$cap; 213 // Prior to 3.1 we would re-call map_meta_cap here. 214 if ( 'read_post' == $cap ) { 215 $cap = $post_type->cap->$cap; 216 } 217 break; 218 } 219 220 $status_obj = get_post_status_object( $post->post_status ); 221 if ( $status_obj->public ) { 222 $caps[] = $post_type->cap->read; 223 break; 224 } 225 226 if ( $post->post_author && $user_id == $post->post_author ) { 227 $caps[] = $post_type->cap->read; 228 } elseif ( $status_obj->private ) { 229 $caps[] = $post_type->cap->read_private_posts; 230 } else { 231 $caps = map_meta_cap( 'edit_post', $user_id, $post->ID ); 232 } 233 break; 234 case 'publish_post': 235 $post = get_post( $args[0] ); 236 if ( ! $post ) { 237 $caps[] = 'do_not_allow'; 238 break; 239 } 240 241 $post_type = get_post_type_object( $post->post_type ); 242 if ( ! $post_type ) { 243 /* translators: 1: post type, 2: capability name */ 244 _doing_it_wrong( __FUNCTION__, sprintf( __( 'The post type %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post of that type.' ), $post->post_type, $cap ), '4.4.0' ); 245 $caps[] = 'edit_others_posts'; 246 break; 247 } 248 249 $caps[] = $post_type->cap->publish_posts; 250 break; 251 case 'edit_post_meta': 252 case 'delete_post_meta': 253 case 'add_post_meta': 254 case 'edit_comment_meta': 255 case 'delete_comment_meta': 256 case 'add_comment_meta': 257 case 'edit_term_meta': 258 case 'delete_term_meta': 259 case 'add_term_meta': 260 case 'edit_user_meta': 261 case 'delete_user_meta': 262 case 'add_user_meta': 263 list( $_, $object_type, $_ ) = explode( '_', $cap ); 264 $object_id = (int) $args[0]; 265 266 switch ( $object_type ) { 267 case 'post': 268 $post = get_post( $object_id ); 269 if ( ! $post ) { 270 break; 271 } 272 273 $sub_type = get_post_type( $post ); 275 274 break; 276 } 277 278 $sub_type = empty( $comment->comment_type ) ? 'comment' : $comment->comment_type;279 break;280 281 case 'term':282 $term = get_term( $object_id ); 283 if ( ! $term instanceof WP_Term ) {275 276 case 'comment': 277 $comment = get_comment( $object_id ); 278 if ( ! $comment ) { 279 break; 280 } 281 282 $sub_type = empty( $comment->comment_type ) ? 'comment' : $comment->comment_type; 284 283 break; 285 } 286 287 $sub_type = $term->taxonomy;288 break;289 290 case 'user':291 $user = get_user_by( 'id', $object_id ); 292 if ( ! $user ) {284 285 case 'term': 286 $term = get_term( $object_id ); 287 if ( ! $term instanceof WP_Term ) { 288 break; 289 } 290 291 $sub_type = $term->taxonomy; 293 292 break; 294 } 295 296 $sub_type = 'user'; 297 break; 298 } 299 300 if ( empty( $sub_type ) ) { 301 $caps[] = 'do_not_allow'; 302 break; 303 } 304 305 $caps = map_meta_cap( "edit_{$object_type}", $user_id, $object_id ); 306 307 $meta_key = isset( $args[1] ) ? $args[1] : false; 308 309 $has_filter = has_filter( "auth_{$object_type}_meta_{$meta_key}" ) || has_filter( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}" ); 310 if ( $meta_key && $has_filter ) { 311 312 /** 313 * Filters whether the user is allowed to edit meta. 314 * 315 * Use the {@see auth_post_$object_type_meta_$meta_key} filter to modify capabilities for 316 * specific object types. Return true to have the mapped meta caps from edit_{$object_type} apply. 317 * 318 * The dynamic portion of the hook name, `$object_type` refers to the object type being filtered. 319 * The dynamic portion of the hook name, `$meta_key`, refers to the meta key passed to map_meta_cap(). 320 * 321 * @since 3.3.0 As 'auth_post_meta_{$meta_key}'. 322 * @since 4.6.0 323 * 324 * @param bool $allowed Whether the user can add the post meta. Default false. 325 * @param string $meta_key The meta key. 326 * @param int $post_id Post ID. 327 * @param int $user_id User ID. 328 * @param string $cap Capability name. 329 * @param array $caps User capabilities. 293 294 case 'user': 295 $user = get_user_by( 'id', $object_id ); 296 if ( ! $user ) { 297 break; 298 } 299 300 $sub_type = 'user'; 301 break; 302 } 303 304 if ( empty( $sub_type ) ) { 305 $caps[] = 'do_not_allow'; 306 break; 307 } 308 309 $caps = map_meta_cap( "edit_{$object_type}", $user_id, $object_id ); 310 311 $meta_key = isset( $args[1] ) ? $args[1] : false; 312 313 $has_filter = has_filter( "auth_{$object_type}_meta_{$meta_key}" ) || has_filter( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}" ); 314 if ( $meta_key && $has_filter ) { 315 316 /** 317 * Filters whether the user is allowed to edit meta. 318 * 319 * Use the {@see auth_post_$object_type_meta_$meta_key} filter to modify capabilities for 320 * specific object types. Return true to have the mapped meta caps from edit_{$object_type} apply. 321 * 322 * The dynamic portion of the hook name, `$object_type` refers to the object type being filtered. 323 * The dynamic portion of the hook name, `$meta_key`, refers to the meta key passed to map_meta_cap(). 324 * 325 * @since 3.3.0 As 'auth_post_meta_{$meta_key}'. 326 * @since 4.6.0 327 * 328 * @param bool $allowed Whether the user can add the post meta. Default false. 329 * @param string $meta_key The meta key. 330 * @param int $post_id Post ID. 331 * @param int $user_id User ID. 332 * @param string $cap Capability name. 333 * @param array $caps User capabilities. 334 */ 335 $allowed = apply_filters( "auth_{$object_type}_meta_{$meta_key}", false, $meta_key, $object_id, $user_id, $cap, $caps ); 336 337 /** 338 * Filters whether the user is allowed to add post meta to a post of a given type. 339 * 340 * Use the {@see auth_$object_type_$sub_type_meta_$meta_key} filter to modify capabilities for 341 * specific object types/subtypes. Return true to have the mapped meta caps from edit_{$object_type} apply. 342 * 343 * The dynamic portion of the hook name, `$object_type` refers to the object type being filtered. 344 * The dynamic portion of the hook name, `$sub_type` refers to the object subtype being filtered. 345 * The dynamic portion of the hook name, `$meta_key`, refers to the meta key passed to map_meta_cap(). 346 * 347 * @since 4.6.0 As 'auth_post_{$post_type}_meta_{$meta_key}'. 348 * @since 4.7.0 349 * 350 * @param bool $allowed Whether the user can add the post meta. Default false. 351 * @param string $meta_key The meta key. 352 * @param int $post_id Post ID. 353 * @param int $user_id User ID. 354 * @param string $cap Capability name. 355 * @param array $caps User capabilities. 356 */ 357 $allowed = apply_filters( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}", $allowed, $meta_key, $object_id, $user_id, $cap, $caps ); 358 359 if ( ! $allowed ) { 360 $caps[] = $cap; 361 } 362 } elseif ( $meta_key && is_protected_meta( $meta_key, $object_type ) ) { 363 $caps[] = $cap; 364 } 365 break; 366 case 'edit_comment': 367 $comment = get_comment( $args[0] ); 368 if ( ! $comment ) { 369 $caps[] = 'do_not_allow'; 370 break; 371 } 372 373 $post = get_post( $comment->comment_post_ID ); 374 375 /* 376 * If the post doesn't exist, we have an orphaned comment. 377 * Fall back to the edit_posts capability, instead. 330 378 */ 331 $allowed = apply_filters( "auth_{$object_type}_meta_{$meta_key}", false, $meta_key, $object_id, $user_id, $cap, $caps ); 332 333 /** 334 * Filters whether the user is allowed to add post meta to a post of a given type. 335 * 336 * Use the {@see auth_$object_type_$sub_type_meta_$meta_key} filter to modify capabilities for 337 * specific object types/subtypes. Return true to have the mapped meta caps from edit_{$object_type} apply. 338 * 339 * The dynamic portion of the hook name, `$object_type` refers to the object type being filtered. 340 * The dynamic portion of the hook name, `$sub_type` refers to the object subtype being filtered. 341 * The dynamic portion of the hook name, `$meta_key`, refers to the meta key passed to map_meta_cap(). 342 * 343 * @since 4.6.0 As 'auth_post_{$post_type}_meta_{$meta_key}'. 344 * @since 4.7.0 345 * 346 * @param bool $allowed Whether the user can add the post meta. Default false. 347 * @param string $meta_key The meta key. 348 * @param int $post_id Post ID. 349 * @param int $user_id User ID. 350 * @param string $cap Capability name. 351 * @param array $caps User capabilities. 352 */ 353 $allowed = apply_filters( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}", $allowed, $meta_key, $object_id, $user_id, $cap, $caps ); 354 355 if ( ! $allowed ) { 379 if ( $post ) { 380 $caps = map_meta_cap( 'edit_post', $user_id, $post->ID ); 381 } else { 382 $caps = map_meta_cap( 'edit_posts', $user_id ); 383 } 384 break; 385 case 'unfiltered_upload': 386 if ( defined( 'ALLOW_UNFILTERED_UPLOADS' ) && ALLOW_UNFILTERED_UPLOADS && ( ! is_multisite() || is_super_admin( $user_id ) ) ) { 356 387 $caps[] = $cap; 357 } 358 } elseif ( $meta_key && is_protected_meta( $meta_key, $object_type ) ) { 388 } else { 389 $caps[] = 'do_not_allow'; 390 } 391 break; 392 case 'edit_css': 393 case 'unfiltered_html': 394 // Disallow unfiltered_html for all users, even admins and super admins. 395 if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) { 396 $caps[] = 'do_not_allow'; 397 } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) { 398 $caps[] = 'do_not_allow'; 399 } else { 400 $caps[] = 'unfiltered_html'; 401 } 402 break; 403 case 'edit_files': 404 case 'edit_plugins': 405 case 'edit_themes': 406 // Disallow the file editors. 407 if ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT ) { 408 $caps[] = 'do_not_allow'; 409 } elseif ( ! wp_is_file_mod_allowed( 'capability_edit_themes' ) ) { 410 $caps[] = 'do_not_allow'; 411 } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) { 412 $caps[] = 'do_not_allow'; 413 } else { 414 $caps[] = $cap; 415 } 416 break; 417 case 'update_plugins': 418 case 'delete_plugins': 419 case 'install_plugins': 420 case 'upload_plugins': 421 case 'update_themes': 422 case 'delete_themes': 423 case 'install_themes': 424 case 'upload_themes': 425 case 'update_core': 426 // Disallow anything that creates, deletes, or updates core, plugin, or theme files. 427 // Files in uploads are excepted. 428 if ( ! wp_is_file_mod_allowed( 'capability_update_core' ) ) { 429 $caps[] = 'do_not_allow'; 430 } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) { 431 $caps[] = 'do_not_allow'; 432 } elseif ( 'upload_themes' === $cap ) { 433 $caps[] = 'install_themes'; 434 } elseif ( 'upload_plugins' === $cap ) { 435 $caps[] = 'install_plugins'; 436 } else { 437 $caps[] = $cap; 438 } 439 break; 440 case 'install_languages': 441 case 'update_languages': 442 if ( ! function_exists( 'request_filesystem_credentials' ) ) { 443 require_once( ABSPATH . 'wp-admin/includes/file.php' ); 444 } 445 446 if ( ! function_exists( 'wp_can_install_language_pack' ) ) { 447 require_once( ABSPATH . 'wp-admin/includes/translation-install.php' ); 448 } 449 450 if ( ! wp_can_install_language_pack() ) { 451 $caps[] = 'do_not_allow'; 452 } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) { 453 $caps[] = 'do_not_allow'; 454 } else { 455 $caps[] = 'install_languages'; 456 } 457 break; 458 case 'activate_plugins': 459 case 'deactivate_plugins': 460 case 'activate_plugin': 461 case 'deactivate_plugin': 462 $caps[] = 'activate_plugins'; 463 if ( is_multisite() ) { 464 // update_, install_, and delete_ are handled above with is_super_admin(). 465 $menu_perms = get_site_option( 'menu_items', array() ); 466 if ( empty( $menu_perms['plugins'] ) ) { 467 $caps[] = 'manage_network_plugins'; 468 } 469 } 470 break; 471 case 'delete_user': 472 case 'delete_users': 473 // If multisite only super admins can delete users. 474 if ( is_multisite() && ! is_super_admin( $user_id ) ) { 475 $caps[] = 'do_not_allow'; 476 } else { 477 $caps[] = 'delete_users'; // delete_user maps to delete_users. 478 } 479 break; 480 case 'create_users': 481 if ( ! is_multisite() ) { 482 $caps[] = $cap; 483 } elseif ( is_super_admin( $user_id ) || get_site_option( 'add_new_users' ) ) { 484 $caps[] = $cap; 485 } else { 486 $caps[] = 'do_not_allow'; 487 } 488 break; 489 case 'manage_links': 490 if ( get_option( 'link_manager_enabled' ) ) { 491 $caps[] = $cap; 492 } else { 493 $caps[] = 'do_not_allow'; 494 } 495 break; 496 case 'customize': 497 $caps[] = 'edit_theme_options'; 498 break; 499 case 'delete_site': 500 if ( is_multisite() ) { 501 $caps[] = 'manage_options'; 502 } else { 503 $caps[] = 'do_not_allow'; 504 } 505 break; 506 case 'edit_term': 507 case 'delete_term': 508 case 'assign_term': 509 $term_id = (int) $args[0]; 510 $term = get_term( $term_id ); 511 if ( ! $term || is_wp_error( $term ) ) { 512 $caps[] = 'do_not_allow'; 513 break; 514 } 515 516 $tax = get_taxonomy( $term->taxonomy ); 517 if ( ! $tax ) { 518 $caps[] = 'do_not_allow'; 519 break; 520 } 521 522 if ( 'delete_term' === $cap && ( $term->term_id == get_option( 'default_' . $term->taxonomy ) ) ) { 523 $caps[] = 'do_not_allow'; 524 break; 525 } 526 527 $taxo_cap = $cap . 's'; 528 529 $caps = map_meta_cap( $tax->cap->$taxo_cap, $user_id, $term_id ); 530 531 break; 532 case 'manage_post_tags': 533 case 'edit_categories': 534 case 'edit_post_tags': 535 case 'delete_categories': 536 case 'delete_post_tags': 537 $caps[] = 'manage_categories'; 538 break; 539 case 'assign_categories': 540 case 'assign_post_tags': 541 $caps[] = 'edit_posts'; 542 break; 543 case 'create_sites': 544 case 'delete_sites': 545 case 'manage_network': 546 case 'manage_sites': 547 case 'manage_network_users': 548 case 'manage_network_plugins': 549 case 'manage_network_themes': 550 case 'manage_network_options': 551 case 'upgrade_network': 359 552 $caps[] = $cap; 360 } 361 break; 362 case 'edit_comment': 363 $comment = get_comment( $args[0] ); 364 if ( ! $comment ) { 365 $caps[] = 'do_not_allow'; 366 break; 367 } 368 369 $post = get_post( $comment->comment_post_ID ); 370 371 /* 372 * If the post doesn't exist, we have an orphaned comment. 373 * Fall back to the edit_posts capability, instead. 374 */ 375 if ( $post ) { 376 $caps = map_meta_cap( 'edit_post', $user_id, $post->ID ); 377 } else { 378 $caps = map_meta_cap( 'edit_posts', $user_id ); 379 } 380 break; 381 case 'unfiltered_upload': 382 if ( defined('ALLOW_UNFILTERED_UPLOADS') && ALLOW_UNFILTERED_UPLOADS && ( !is_multisite() || is_super_admin( $user_id ) ) ) 553 break; 554 case 'setup_network': 555 if ( is_multisite() ) { 556 $caps[] = 'manage_network_options'; 557 } else { 558 $caps[] = 'manage_options'; 559 } 560 break; 561 default: 562 // Handle meta capabilities for custom post types. 563 global $post_type_meta_caps; 564 if ( isset( $post_type_meta_caps[ $cap ] ) ) { 565 $args = array_merge( array( $post_type_meta_caps[ $cap ], $user_id ), $args ); 566 return call_user_func_array( 'map_meta_cap', $args ); 567 } 568 569 // If no meta caps match, return the original cap. 383 570 $caps[] = $cap; 384 else385 $caps[] = 'do_not_allow';386 break;387 case 'edit_css' :388 case 'unfiltered_html' :389 // Disallow unfiltered_html for all users, even admins and super admins.390 if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML )391 $caps[] = 'do_not_allow';392 elseif ( is_multisite() && ! is_super_admin( $user_id ) )393 $caps[] = 'do_not_allow';394 else395 $caps[] = 'unfiltered_html';396 break;397 case 'edit_files':398 case 'edit_plugins':399 case 'edit_themes':400 // Disallow the file editors.401 if ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT )402 $caps[] = 'do_not_allow';403 elseif ( ! wp_is_file_mod_allowed( 'capability_edit_themes' ) )404 $caps[] = 'do_not_allow';405 elseif ( is_multisite() && ! is_super_admin( $user_id ) )406 $caps[] = 'do_not_allow';407 else408 $caps[] = $cap;409 break;410 case 'update_plugins':411 case 'delete_plugins':412 case 'install_plugins':413 case 'upload_plugins':414 case 'update_themes':415 case 'delete_themes':416 case 'install_themes':417 case 'upload_themes':418 case 'update_core':419 // Disallow anything that creates, deletes, or updates core, plugin, or theme files.420 // Files in uploads are excepted.421 if ( ! wp_is_file_mod_allowed( 'capability_update_core' ) ) {422 $caps[] = 'do_not_allow';423 } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {424 $caps[] = 'do_not_allow';425 } elseif ( 'upload_themes' === $cap ) {426 $caps[] = 'install_themes';427 } elseif ( 'upload_plugins' === $cap ) {428 $caps[] = 'install_plugins';429 } else {430 $caps[] = $cap;431 }432 break;433 case 'install_languages':434 case 'update_languages':435 if ( ! function_exists( 'request_filesystem_credentials' ) ) {436 require_once( ABSPATH . 'wp-admin/includes/file.php' );437 }438 439 if ( ! function_exists( 'wp_can_install_language_pack' ) ) {440 require_once( ABSPATH . 'wp-admin/includes/translation-install.php' );441 }442 443 if ( ! wp_can_install_language_pack() ) {444 $caps[] = 'do_not_allow';445 } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {446 $caps[] = 'do_not_allow';447 } else {448 $caps[] = 'install_languages';449 }450 break;451 case 'activate_plugins':452 case 'deactivate_plugins':453 case 'activate_plugin':454 case 'deactivate_plugin':455 $caps[] = 'activate_plugins';456 if ( is_multisite() ) {457 // update_, install_, and delete_ are handled above with is_super_admin().458 $menu_perms = get_site_option( 'menu_items', array() );459 if ( empty( $menu_perms['plugins'] ) )460 $caps[] = 'manage_network_plugins';461 }462 break;463 case 'delete_user':464 case 'delete_users':465 // If multisite only super admins can delete users.466 if ( is_multisite() && ! is_super_admin( $user_id ) )467 $caps[] = 'do_not_allow';468 else469 $caps[] = 'delete_users'; // delete_user maps to delete_users.470 break;471 case 'create_users':472 if ( !is_multisite() )473 $caps[] = $cap;474 elseif ( is_super_admin( $user_id ) || get_site_option( 'add_new_users' ) )475 $caps[] = $cap;476 else477 $caps[] = 'do_not_allow';478 break;479 case 'manage_links' :480 if ( get_option( 'link_manager_enabled' ) )481 $caps[] = $cap;482 else483 $caps[] = 'do_not_allow';484 break;485 case 'customize' :486 $caps[] = 'edit_theme_options';487 break;488 case 'delete_site':489 if ( is_multisite() ) {490 $caps[] = 'manage_options';491 } else {492 $caps[] = 'do_not_allow';493 }494 break;495 case 'edit_term':496 case 'delete_term':497 case 'assign_term':498 $term_id = (int) $args[0];499 $term = get_term( $term_id );500 if ( ! $term || is_wp_error( $term ) ) {501 $caps[] = 'do_not_allow';502 break;503 }504 505 $tax = get_taxonomy( $term->taxonomy );506 if ( ! $tax ) {507 $caps[] = 'do_not_allow';508 break;509 }510 511 if ( 'delete_term' === $cap && ( $term->term_id == get_option( 'default_' . $term->taxonomy ) ) ) {512 $caps[] = 'do_not_allow';513 break;514 }515 516 $taxo_cap = $cap . 's';517 518 $caps = map_meta_cap( $tax->cap->$taxo_cap, $user_id, $term_id );519 520 break;521 case 'manage_post_tags':522 case 'edit_categories':523 case 'edit_post_tags':524 case 'delete_categories':525 case 'delete_post_tags':526 $caps[] = 'manage_categories';527 break;528 case 'assign_categories':529 case 'assign_post_tags':530 $caps[] = 'edit_posts';531 break;532 case 'create_sites':533 case 'delete_sites':534 case 'manage_network':535 case 'manage_sites':536 case 'manage_network_users':537 case 'manage_network_plugins':538 case 'manage_network_themes':539 case 'manage_network_options':540 case 'upgrade_network':541 $caps[] = $cap;542 break;543 case 'setup_network':544 if ( is_multisite() ) {545 $caps[] = 'manage_network_options';546 } else {547 $caps[] = 'manage_options';548 }549 break;550 default:551 // Handle meta capabilities for custom post types.552 global $post_type_meta_caps;553 if ( isset( $post_type_meta_caps[ $cap ] ) ) {554 $args = array_merge( array( $post_type_meta_caps[ $cap ], $user_id ), $args );555 return call_user_func_array( 'map_meta_cap', $args );556 }557 558 // If no meta caps match, return the original cap.559 $caps[] = $cap;560 571 } 561 572 … … 598 609 $current_user = wp_get_current_user(); 599 610 600 if ( empty( $current_user ) ) 611 if ( empty( $current_user ) ) { 601 612 return false; 613 } 602 614 603 615 $args = array_slice( func_get_args(), 1 ); … … 650 662 */ 651 663 function author_can( $post, $capability ) { 652 if ( ! $post = get_post($post) )664 if ( ! $post = get_post( $post ) ) { 653 665 return false; 666 } 654 667 655 668 $author = get_userdata( $post->post_author ); 656 669 657 if ( ! $author ) 670 if ( ! $author ) { 658 671 return false; 672 } 659 673 660 674 $args = array_slice( func_get_args(), 2 ); … … 674 688 */ 675 689 function user_can( $user, $capability ) { 676 if ( ! is_object( $user ) ) 690 if ( ! is_object( $user ) ) { 677 691 $user = get_userdata( $user ); 678 679 if ( ! $user || ! $user->exists() ) 692 } 693 694 if ( ! $user || ! $user->exists() ) { 680 695 return false; 696 } 681 697 682 698 $args = array_slice( func_get_args(), 2 ); … … 756 772 global $super_admins; 757 773 758 if ( isset( $super_admins) )774 if ( isset( $super_admins ) ) { 759 775 return $super_admins; 760 else 761 return get_site_option( 'site_admins', array('admin') ); 776 } else { 777 return get_site_option( 'site_admins', array( 'admin' ) ); 778 } 762 779 } 763 780 … … 771 788 */ 772 789 function is_super_admin( $user_id = false ) { 773 if ( ! $user_id || $user_id == get_current_user_id() ) 790 if ( ! $user_id || $user_id == get_current_user_id() ) { 774 791 $user = wp_get_current_user(); 775 else792 } else { 776 793 $user = get_userdata( $user_id ); 777 778 if ( ! $user || ! $user->exists() ) 794 } 795 796 if ( ! $user || ! $user->exists() ) { 779 797 return false; 798 } 780 799 781 800 if ( is_multisite() ) { 782 801 $super_admins = get_super_admins(); 783 if ( is_array( $super_admins ) && in_array( $user->user_login, $super_admins ) ) 802 if ( is_array( $super_admins ) && in_array( $user->user_login, $super_admins ) ) { 784 803 return true; 804 } 785 805 } else { 786 if ( $user->has_cap( 'delete_users') )806 if ( $user->has_cap( 'delete_users' ) ) { 787 807 return true; 808 } 788 809 } 789 810 … … 823 844 if ( $user && ! in_array( $user->user_login, $super_admins ) ) { 824 845 $super_admins[] = $user->user_login; 825 update_site_option( 'site_admins' 846 update_site_option( 'site_admins', $super_admins ); 826 847 827 848 /** … … 870 891 if ( $user && 0 !== strcasecmp( $user->user_email, get_site_option( 'admin_email' ) ) ) { 871 892 if ( false !== ( $key = array_search( $user->user_login, $super_admins ) ) ) { 872 unset( $super_admins[ $key] );893 unset( $super_admins[ $key ] ); 873 894 update_site_option( 'site_admins', $super_admins ); 874 895
Note: See TracChangeset
for help on using the changeset viewer.