
Changeset 47850


Timestamp:
05/23/2020 03:22:53 PM (5 years ago)
Author:
ocean90
Message:

Role/Capability: Use meta caps edit_post, read_post, and delete_post directly.

Rather than looking the capability up on the post type object at each call site, pass the meta capability name (edit_post, read_post, delete_post) directly and let map_meta_cap() resolve it for the post's type.

Props peterwilsoncc, ocean90.
Fixes #50128.
See #23226.

Location:
trunk
Files:
8 edited

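--- a/trunk/src/wp-includes/class-wp-customize-nav-menus.php
+++ b/trunk/src/wp-includes/class-wp-customize-nav-menus.php
@@ -1357,5 +1357,5 @@
                 continue;
             }
-            if ( ! current_user_can( $post_type_obj->cap->publish_posts ) || ! current_user_can( $post_type_obj->cap->edit_post, $post_id ) ) {
+            if ( ! current_user_can( $post_type_obj->cap->publish_posts ) || ! current_user_can( 'edit_post', $post_id ) ) {
                 continue;
             }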
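Review bot: The new condition mixes a capability read from the post type object (`$post_type_obj->cap->publish_posts`) with a bare meta-cap name (`'edit_post'`), and nothing on the line says why, so a later cleanup could plausibly turn the first into `current_user_can( 'publish_posts' )` and stop honouring a custom post type's capability map. I would put a line above it: `// publish_posts is a primitive cap and must come from the post type; edit_post is a meta cap that map_meta_cap() resolves per post.` The enclosing loop and method start outside the hunk.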
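--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
@@ -110,15 +110,10 @@
 
         // Attaching media to a post requires ability to edit said post.
-        if ( ! empty( $request['post'] ) ) {
-            $parent           = get_post( (int) $request['post'] );
-            $post_parent_type = get_post_type_object( $parent->post_type );
-
-            if ( ! current_user_can( $post_parent_type->cap->edit_post, $request['post'] ) ) {
-                return new WP_Error(
-                    'rest_cannot_edit',
-                    __( 'Sorry, you are not allowed to upload media to this post.' ),
-                    array( 'status' => rest_authorization_required_code() )
-                );
-            }
+        if ( ! empty( $request['post'] ) && ! current_user_can( 'edit_post', (int) $request['post'] ) ) {
+            return new WP_Error(
+                'rest_cannot_edit',
+                __( 'Sorry, you are not allowed to upload media to this post.' ),
+                array( 'status' => rest_authorization_required_code() )
+            );
         }
 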
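Review bot: With the `get_post()` lookup gone, a `post` value that does not refer to an existing post now goes straight into the `edit_post` check and, assuming map_meta_cap() resolves edit_post on an unknown ID to do_not_allow, comes back as `rest_cannot_edit` with a 401/403 rather than as an invalid-ID error; the old code would have dereferenced null on `$parent->post_type` there, so this is an improvement, but a client can no longer tell a bad ID from a permission failure. If a 404 is wanted, keep a `$parent = get_post( (int) $request['post'] );` guard and return an invalid-ID error with status 404 when it is null, before the capability check. The enclosing method starts before and ends after the hunk.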
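--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php
@@ -161,7 +161,5 @@
         }
 
-        $parent_post_type_obj = get_post_type_object( $parent->post_type );
-
-        if ( ! current_user_can( $parent_post_type_obj->cap->edit_post, $parent->ID ) ) {
+        if ( ! current_user_can( 'edit_post', $parent->ID ) ) {
             return new WP_Error(
                 'rest_cannot_read',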
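--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-blocks-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-blocks-controller.php
@@ -29,7 +29,6 @@
      */
     public function check_read_permission( $post ) {
-        // Ensure that the user is logged in and has the read_blocks capability.
-        $post_type = get_post_type_object( $post->post_type );
-        if ( ! current_user_can( $post_type->cap->read_post, $post->ID ) ) {
+        // By default the read_post capability is mapped to edit_posts.
+        if ( ! current_user_can( 'read_post', $post->ID ) ) {
             return false;
         }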
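Review bot: The new comment in `check_read_permission` states a specific outcome (`read_post` mapped to `edit_posts`) that the code beneath it no longer pins down: the check now delegates entirely to map_meta_cap(), which resolves the meta cap against the block's post type and whatever capability map is in effect at runtime, so the comment will go stale silently if that map is changed or filtered. I would describe the mechanism rather than today's result: `// read_post is a meta capability; map_meta_cap() resolves it for the block's post type.` The method's docblock begins above the hunk.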
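--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -1775,5 +1775,5 @@
 
         if ( post_password_required( $post ) ) {
-            $result = current_user_can( $post_type->cap->edit_post, $post->ID );
+            $result = current_user_can( 'edit_post', $post->ID );
         } else {
             $result = $posts_controller->check_read_permission( $post );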
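Review bot: `$post_type` is no longer read on the changed line, so if it was only fetched for this check the `get_post_type_object()` call that assigns it earlier in the method is now a dead lookup and should be removed together with the variable; the top of the method is outside the hunk, so confirm against the full method before deleting. The substitution itself is sound: the password-protected branch now uses the same `edit_post` meta cap the other controllers in this changeset use, instead of a cap pulled from the post type object.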
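--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -1480,5 +1480,5 @@
 
         // Is the post readable?
-        if ( 'publish' === $post->post_status || current_user_can( $post_type->cap->read_post, $post->ID ) ) {
+        if ( 'publish' === $post->post_status || current_user_can( 'read_post', $post->ID ) ) {
             return true;
         }
@@ -1523,5 +1523,5 @@
         }
 
-        return current_user_can( $post_type->cap->edit_post, $post->ID );
+        return current_user_can( 'edit_post', $post->ID );
     }
 
@@ -1559,5 +1559,5 @@
         }
 
-        return current_user_can( $post_type->cap->delete_post, $post->ID );
+        return current_user_can( 'delete_post', $post->ID );
     }
 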
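Review bot: In all three hunks the `->cap->…` lookup was the only visible reader of `$post_type`, and the assignments that populate it are not touched, so if each of these permission-check methods fetched `$post_type` solely for the removed lookup there are now three dead `get_post_type_object()` calls left behind; the method bodies start above each hunk, so this needs checking against the full file rather than taken from the diff alone. Where the variable is still used (for example for other post-type flags), nothing more is needed. All three enclosing methods begin outside their hunks.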
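--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
@@ -170,7 +170,5 @@
         }
 
-        $parent_post_type_obj = get_post_type_object( $parent->post_type );
-
-        if ( ! current_user_can( $parent_post_type_obj->cap->edit_post, $parent->ID ) ) {
+        if ( ! current_user_can( 'edit_post', $parent->ID ) ) {
             return new WP_Error(
                 'rest_cannot_read',
@@ -410,5 +408,5 @@
         $parent_post_type = get_post_type_object( $parent->post_type );
 
-        if ( ! current_user_can( $parent_post_type->cap->delete_post, $parent->ID ) ) {
+        if ( ! current_user_can( 'delete_post', $parent->ID ) ) {
             return new WP_Error(
                 'rest_cannot_delete',
@@ -428,7 +426,5 @@
         }
 
-        $post_type = get_post_type_object( 'revision' );
-
-        if ( ! current_user_can( $post_type->cap->delete_post, $revision->ID ) ) {
+        if ( ! current_user_can( 'delete_post', $revision->ID ) ) {
             return new WP_Error(
                 'rest_cannot_delete',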
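Review bot: In the second hunk the assignment `$parent_post_type = get_post_type_object( $parent->post_type );` survives as context (new line 408) while its only use visible in the hunk, the `->cap->delete_post` lookup on the next line, is removed, so unless the variable is read later in the method this is now a dead lookup: delete new line 408 and the blank line after it. The first and third hunks did remove their corresponding `get_post_type_object()` lines, so this looks like an oversight rather than a deliberate choice. All three enclosing methods start and end outside the hunks.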
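--- a/trunk/tests/phpunit/tests/rest-api.php
+++ b/trunk/tests/phpunit/tests/rest-api.php
@@ -1324,5 +1324,4 @@
     /**
      * @dataProvider rest_ensure_response_data_provider
-     * @group test1
      *
      * @param mixed $response      The response passed to rest_ensure_response().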