diff --git src/wp-admin/edit-tags.php src/wp-admin/edit-tags.php index 76e7204..b048103 100644 --- src/wp-admin/edit-tags.php +++ src/wp-admin/edit-tags.php @@ -108,7 +108,7 @@ $tag_ID = (int) $_REQUEST['tag_ID']; check_admin_referer( 'delete-tag_' . $tag_ID ); - if ( ! current_user_can( $tax->cap->delete_terms ) ) { + if ( ! current_user_can( 'delete_term', $tag_ID ) ) { wp_die( '

' . __( 'Cheatin’ uh?' ) . '

' . '

' . __( 'Sorry, you are not allowed to delete this item.' ) . '

', @@ -168,7 +168,7 @@ $tag_ID = (int) $_POST['tag_ID']; check_admin_referer( 'update-tag_' . $tag_ID ); - if ( ! current_user_can( $tax->cap->edit_terms ) ) { + if ( ! current_user_can( 'edit_term', $tag_ID ) ) { wp_die( '

' . __( 'Cheatin’ uh?' ) . '

' . '

' . __( 'Sorry, you are not allowed to edit this item.' ) . '

', @@ -313,14 +313,6 @@ } require_once( ABSPATH . 'wp-admin/admin-header.php' ); - -if ( ! current_user_can( $tax->cap->edit_terms ) ) { - wp_die( - '

' . __( 'Cheatin’ uh?' ) . '

' . - '

' . __( 'Sorry, you are not allowed to edit this item.' ) . '

', - 403 - ); -} /** Also used by the Edit Tag form */ require_once( ABSPATH . 'wp-admin/includes/edit-tag-messages.php' ); diff --git src/wp-admin/includes/ajax-actions.php src/wp-admin/includes/ajax-actions.php index 561c37b..6e43384 100644 --- src/wp-admin/includes/ajax-actions.php +++ src/wp-admin/includes/ajax-actions.php @@ -594,12 +594,11 @@ $tag_id = (int) $_POST['tag_ID']; check_ajax_referer( "delete-tag_$tag_id" ); - $taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag'; - $tax = get_taxonomy($taxonomy); - - if ( !current_user_can( $tax->cap->delete_terms ) ) + if ( ! current_user_can( 'delete_term', $tag_id ) ) { wp_die( -1 ); + } + $taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag'; $tag = get_term( $tag_id, $taxonomy ); if ( !$tag || is_wp_error( $tag ) ) wp_die( 1 ); @@ -796,8 +795,10 @@ if ( empty( $action ) ) $action = 'add-link-category'; check_ajax_referer( $action ); - if ( !current_user_can( 'manage_categories' ) ) + $tax = get_taxonomy( 'link_category' ); + if ( ! current_user_can( $tax->cap->manage_terms ) ) { wp_die( -1 ); + } $names = explode(',', wp_unslash( $_POST['newcat'] ) ); $x = new WP_Ajax_Response(); foreach ( $names as $cat_name ) { @@ -1703,13 +1704,15 @@ if ( ! $tax ) wp_die( 0 ); - if ( ! current_user_can( $tax->cap->edit_terms ) ) + if ( ! isset( $_POST['tax_ID'] ) || ! ( $id = (int) $_POST['tax_ID'] ) ) { wp_die( -1 ); + } + + if ( ! current_user_can( 'edit_term', $id ) ) { + wp_die( -1 ); + } $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => 'edit-' . $taxonomy ) ); - - if ( ! isset($_POST['tax_ID']) || ! ( $id = (int) $_POST['tax_ID'] ) ) - wp_die( -1 ); $tag = get_term( $id, $taxonomy ); $_POST['description'] = $tag->description; diff --git src/wp-admin/includes/class-wp-terms-list-table.php src/wp-admin/includes/class-wp-terms-list-table.php index 6e9f9c6..aa3ac38 100644 --- src/wp-admin/includes/class-wp-terms-list-table.php +++ src/wp-admin/includes/class-wp-terms-list-table.php @@ -151,7 +151,10 @@ */ protected function get_bulk_actions() { $actions = array(); - $actions['delete'] = __( 'Delete' ); + + if ( current_user_can( get_taxonomy( $this->screen->taxonomy )->cap->delete_terms ) ) { + $actions['delete'] = __( 'Delete' ); + } return $actions; } @@ -332,11 +335,10 @@ * @return string */ public function column_cb( $tag ) { - $default_term = get_option( 'default_' . $this->screen->taxonomy ); - - if ( current_user_can( get_taxonomy( $this->screen->taxonomy )->cap->delete_terms ) && $tag->term_id != $default_term ) + if ( current_user_can( 'delete_term', $tag->term_id ) ) { return '' . ''; + } return ' '; } @@ -423,8 +425,6 @@ $taxonomy = $this->screen->taxonomy; $tax = get_taxonomy( $taxonomy ); - $default_term = get_option( 'default_' . $taxonomy ); - $uri = wp_doing_ajax() ? wp_get_referer() : $_SERVER['REQUEST_URI']; $edit_link = add_query_arg( @@ -434,7 +434,7 @@ ); $actions = array(); - if ( current_user_can( $tax->cap->edit_terms ) ) { + if ( current_user_can( 'edit_term', $tag->term_id ) ) { $actions['edit'] = sprintf( '%s', esc_url( $edit_link ), @@ -449,7 +449,7 @@ __( 'Quick Edit' ) ); } - if ( current_user_can( $tax->cap->delete_terms ) && $tag->term_id != $default_term ) { + if ( current_user_can( 'delete_term', $tag->term_id ) ) { $actions['delete'] = sprintf( '%s', wp_nonce_url( "edit-tags.php?action=delete&taxonomy=$taxonomy&tag_ID=$tag->term_id", 'delete-tag_' . $tag->term_id ), diff --git src/wp-admin/includes/meta-boxes.php src/wp-admin/includes/meta-boxes.php index 2d12faf..8a79c22 100644 --- src/wp-admin/includes/meta-boxes.php +++ src/wp-admin/includes/meta-boxes.php @@ -434,6 +434,8 @@

labels->separate_items_with_commas; ?>

+ +

labels->no_terms; ?>

diff --git src/wp-admin/term.php src/wp-admin/term.php index dc3f1d5..2018ac0 100644 --- src/wp-admin/term.php +++ src/wp-admin/term.php @@ -31,11 +31,11 @@ $title = $tax->labels->edit_item; if ( ! in_array( $taxonomy, get_taxonomies( array( 'show_ui' => true ) ) ) || - ! current_user_can( $tax->cap->manage_terms ) + ! current_user_can( 'edit_term', $tag->term_id ) ) { wp_die( '

' . __( 'Cheatin’ uh?' ) . '

' . - '

' . __( 'Sorry, you are not allowed to manage this item.' ) . '

', + '

' . __( 'Sorry, you are not allowed to edit this item.' ) . '

', 403 ); } diff --git src/wp-includes/admin-bar.php src/wp-includes/admin-bar.php index 4c4765d..a1bef0d 100644 --- src/wp-includes/admin-bar.php +++ src/wp-includes/admin-bar.php @@ -618,7 +618,7 @@ ) ); } elseif ( ! empty( $current_object->taxonomy ) && ( $tax = get_taxonomy( $current_object->taxonomy ) ) - && current_user_can( $tax->cap->edit_terms ) + && current_user_can( 'edit_term', $current_object->term_id ) && $edit_term_link = get_edit_term_link( $current_object->term_id, $current_object->taxonomy ) ) { $wp_admin_bar->add_menu( array( diff --git src/wp-includes/capabilities.php src/wp-includes/capabilities.php index da54229..67a107b 100644 --- src/wp-includes/capabilities.php +++ src/wp-includes/capabilities.php @@ -402,6 +402,44 @@ case 'delete_site': $caps[] = 'manage_options'; break; + case 'edit_term': + case 'delete_term': + case 'assign_term': + $term_id = $args[0]; + $term = get_term( $term_id ); + if ( ! $term || is_wp_error( $term ) ) { + $caps[] = 'do_not_allow'; + break; + } + + $tax = get_taxonomy( $term->taxonomy ); + if ( ! $tax ) { + $caps[] = 'do_not_allow'; + break; + } + + if ( 'delete_term' === $cap && ( $term->term_id == get_option( 'default_' . $term->taxonomy ) ) ) { + $caps[] = 'do_not_allow'; + break; + } + + $taxo_cap = $cap . 's'; + + $caps = map_meta_cap( $tax->cap->$taxo_cap, $user_id, $term_id ); + + break; + case 'manage_categories': + case 'manage_post_tags': + case 'edit_categories': + case 'edit_post_tags': + case 'delete_categories': + case 'delete_post_tags': + $caps[] = 'manage_categories'; + break; + case 'assign_categories': + case 'assign_post_tags': + $caps[] = 'edit_posts'; + break; default: // Handle meta capabilities for custom post types. global $post_type_meta_caps; diff --git src/wp-includes/class-wp-xmlrpc-server.php src/wp-includes/class-wp-xmlrpc-server.php index b08347f..528c74b 100644 --- src/wp-includes/class-wp-xmlrpc-server.php +++ src/wp-includes/class-wp-xmlrpc-server.php @@ -1886,8 +1886,9 @@ $taxonomy = get_taxonomy( $content_struct['taxonomy'] ); - if ( ! current_user_can( $taxonomy->cap->manage_terms ) ) + if ( ! current_user_can( $taxonomy->cap->edit_terms ) ) { return new IXR_Error( 401, __( 'Sorry, you are not allowed to create terms in this taxonomy.' ) ); + } $taxonomy = (array) $taxonomy; @@ -1973,9 +1974,6 @@ $taxonomy = get_taxonomy( $content_struct['taxonomy'] ); - if ( ! current_user_can( $taxonomy->cap->edit_terms ) ) - return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ) ); - $taxonomy = (array) $taxonomy; // hold the data of the term @@ -1988,6 +1986,10 @@ if ( ! $term ) return new IXR_Error( 404, __( 'Invalid term ID.' ) ); + + if ( ! current_user_can( 'edit_term', $term_id ) ) { + return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this term.' ) ); + } if ( isset( $content_struct['name'] ) ) { $term_data['name'] = trim( $content_struct['name'] ); @@ -2068,10 +2070,6 @@ return new IXR_Error( 403, __( 'Invalid taxonomy.' ) ); $taxonomy = get_taxonomy( $taxonomy ); - - if ( ! current_user_can( $taxonomy->cap->delete_terms ) ) - return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete terms in this taxonomy.' ) ); - $term = get_term( $term_id, $taxonomy->name ); if ( is_wp_error( $term ) ) @@ -2079,6 +2077,10 @@ if ( ! $term ) return new IXR_Error( 404, __( 'Invalid term ID.' ) ); + + if ( ! current_user_can( 'delete_term', $term_id ) ) { + return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete this term.' ) ); + } $result = wp_delete_term( $term_id, $taxonomy->name ); @@ -2140,9 +2142,6 @@ $taxonomy = get_taxonomy( $taxonomy ); - if ( ! current_user_can( $taxonomy->cap->assign_terms ) ) - return new IXR_Error( 401, __( 'Sorry, you are not allowed to assign terms in this taxonomy.' ) ); - $term = get_term( $term_id , $taxonomy->name, ARRAY_A ); if ( is_wp_error( $term ) ) @@ -2151,6 +2150,10 @@ if ( ! $term ) return new IXR_Error( 404, __( 'Invalid term ID.' ) ); + if ( ! current_user_can( 'assign_term', $term_id ) ) { + return new IXR_Error( 401, __( 'Sorry, you are not allowed to assign this term.' ) ); + } + return $this->_prepare_term( $term ); } diff --git src/wp-includes/link-template.php src/wp-includes/link-template.php index 292c98c..c1ec8b3 100644 --- src/wp-includes/link-template.php +++ src/wp-includes/link-template.php @@ -930,7 +930,7 @@ } $tax = get_taxonomy( $term->taxonomy ); - if ( ! $tax || ! current_user_can( $tax->cap->edit_terms ) ) { + if ( ! $tax || ! current_user_can( 'edit_term', $term->term_id ) ) { return; } @@ -984,7 +984,7 @@ return; $tax = get_taxonomy( $term->taxonomy ); - if ( ! current_user_can( $tax->cap->edit_terms ) ) { + if ( ! current_user_can( 'edit_term', $term->term_id ) ) { return; } diff --git src/wp-includes/taxonomy.php src/wp-includes/taxonomy.php index 80e1f84..9266b95 100644 --- src/wp-includes/taxonomy.php +++ src/wp-includes/taxonomy.php @@ -61,6 +61,12 @@ 'show_ui' => true, 'show_admin_column' => true, '_builtin' => true, + 'capabilities' => array( + 'manage_terms' => 'manage_categories', + 'edit_terms' => 'edit_categories', + 'delete_terms' => 'delete_categories', + 'assign_terms' => 'assign_categories', + ), ) ); register_taxonomy( 'post_tag', 'post', array( @@ -71,6 +77,12 @@ 'show_ui' => true, 'show_admin_column' => true, '_builtin' => true, + 'capabilities' => array( + 'manage_terms' => 'manage_post_tags', + 'edit_terms' => 'edit_post_tags', + 'delete_terms' => 'delete_post_tags', + 'assign_terms' => 'assign_post_tags', + ), ) ); register_taxonomy( 'nav_menu', 'nav_menu_item', array( diff --git tests/phpunit/tests/user/capabilities.php tests/phpunit/tests/user/capabilities.php index 48de889..83d12a2 100644 --- tests/phpunit/tests/user/capabilities.php +++ tests/phpunit/tests/user/capabilities.php @@ -231,6 +231,15 @@ 'customize' => array( 'administrator' ), 'delete_site' => array( 'administrator' ), 'add_users' => array( 'administrator' ), + + 'edit_categories' => array( 'administrator', 'editor' ), + 'delete_categories' => array( 'administrator', 'editor' ), + 'manage_post_tags' => array( 'administrator', 'editor' ), + 'edit_post_tags' => array( 'administrator', 'editor' ), + 'delete_post_tags' => array( 'administrator', 'editor' ), + + 'assign_categories' => array( 'administrator', 'editor', 'author', 'contributor' ), + 'assign_post_tags' => array( 'administrator', 'editor', 'author', 'contributor' ), ); } @@ -238,9 +247,19 @@ return array( 'upload_plugins' => array(), 'upload_themes' => array(), + 'customize' => array( 'administrator' ), 'delete_site' => array( 'administrator' ), 'add_users' => array( 'administrator' ), + + 'edit_categories' => array( 'administrator', 'editor' ), + 'delete_categories' => array( 'administrator', 'editor' ), + 'manage_post_tags' => array( 'administrator', 'editor' ), + 'edit_post_tags' => array( 'administrator', 'editor' ), + 'delete_post_tags' => array( 'administrator', 'editor' ), + + 'assign_categories' => array( 'administrator', 'editor', 'author', 'contributor' ), + 'assign_post_tags' => array( 'administrator', 'editor', 'author', 'contributor' ), ); } @@ -972,6 +991,63 @@ } } + /** + * @dataProvider dataTaxonomies + * + * @ticket 35614 + */ + public function test_default_taxonomy_term_cannot_be_deleted( $taxonomy ) { + if ( ! taxonomy_exists( $taxonomy ) ) { + register_taxonomy( $taxonomy, 'post' ); + } + + $tax = get_taxonomy( $taxonomy ); + $user = self::$users['administrator']; + $term = self::factory()->term->create_and_get( array( + 'taxonomy' => $taxonomy, + ) ); + + update_option( "default_{$taxonomy}", $term->term_id ); + + $this->assertTrue( user_can( $user->ID, $tax->cap->delete_terms ) ); + $this->assertFalse( user_can( $user->ID, 'delete_term', $term->term_id ) ); + } + + /** + * @dataProvider dataTaxonomies + * + * @ticket 35614 + */ + public function test_taxonomy_caps_map_correctly_to_their_meta_cap( $taxonomy ) { + if ( ! taxonomy_exists( $taxonomy ) ) { + register_taxonomy( $taxonomy, 'post' ); + } + + $tax = get_taxonomy( $taxonomy ); + $term = self::factory()->term->create_and_get( array( + 'taxonomy' => $taxonomy, + ) ); + + foreach ( self::$users as $role => $user ) { + $this->assertSame( + user_can( $user->ID, 'edit_term', $term->term_id ), + user_can( $user->ID, $tax->cap->edit_terms ), + "Role: {$role}" + ); + $this->assertSame( + user_can( $user->ID, 'delete_term', $term->term_id ), + user_can( $user->ID, $tax->cap->delete_terms ), + "Role: {$role}" + ); + $this->assertSame( + user_can( $user->ID, 'assign_term', $term->term_id ), + user_can( $user->ID, $tax->cap->assign_terms ), + "Role: {$role}" + ); + } + + } + public function dataTaxonomies() { return array( array( diff --git tests/phpunit/tests/xmlrpc/wp/deleteTerm.php tests/phpunit/tests/xmlrpc/wp/deleteTerm.php index 6f738b1..1132095 100644 --- tests/phpunit/tests/xmlrpc/wp/deleteTerm.php +++ tests/phpunit/tests/xmlrpc/wp/deleteTerm.php @@ -43,7 +43,7 @@ $result = $this->myxmlrpcserver->wp_deleteTerm( array( 1, 'subscriber', 'subscriber', 'category', $this->term['term_id'] ) ); $this->assertInstanceOf( 'IXR_Error', $result ); $this->assertEquals( 401, $result->code ); - $this->assertEquals( __( 'Sorry, you are not allowed to delete terms in this taxonomy.' ), $result->message ); + $this->assertEquals( __( 'Sorry, you are not allowed to delete this term.' ), $result->message ); } function test_empty_term() { diff --git tests/phpunit/tests/xmlrpc/wp/editTerm.php tests/phpunit/tests/xmlrpc/wp/editTerm.php index af8bd0b..db14a68 100644 --- tests/phpunit/tests/xmlrpc/wp/editTerm.php +++ tests/phpunit/tests/xmlrpc/wp/editTerm.php @@ -49,7 +49,7 @@ $result = $this->myxmlrpcserver->wp_editTerm( array( 1, 'subscriber', 'subscriber', $this->parent_term['term_id'], array( 'taxonomy' => 'category' ) ) ); $this->assertInstanceOf( 'IXR_Error', $result ); $this->assertEquals( 401, $result->code ); - $this->assertEquals( __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ), $result->message ); + $this->assertEquals( __( 'Sorry, you are not allowed to edit this term.' ), $result->message ); } function test_term_not_exists() { diff --git tests/phpunit/tests/xmlrpc/wp/getTerm.php tests/phpunit/tests/xmlrpc/wp/getTerm.php index 3e7257b..627a88d 100644 --- tests/phpunit/tests/xmlrpc/wp/getTerm.php +++ tests/phpunit/tests/xmlrpc/wp/getTerm.php @@ -43,7 +43,7 @@ $result = $this->myxmlrpcserver->wp_getTerm( array( 1, 'subscriber', 'subscriber', 'category', $this->term['term_id'] ) ); $this->assertInstanceOf( 'IXR_Error', $result ); $this->assertEquals( 401, $result->code ); - $this->assertEquals( __( 'Sorry, you are not allowed to assign terms in this taxonomy.' ), $result->message ); + $this->assertEquals( __( 'Sorry, you are not allowed to assign this term.' ), $result->message ); }