WordPress.org

Make WordPress Core

Opened 15 months ago

Closed 9 months ago

#23226 closed defect (bug) (fixed)

Always use meta caps directly instead of going through the post_type_object->caps array

Reported by: markjaquith
Owned by: nacin
Milestone: 3.6
Priority: normal
Severity: normal
Version:
Component: Role/Capability
Keywords: has-patch needs-testing
Focuses:
Cc:

Description

When using post-related meta caps in core, we should use their meta cap name instead of manually digging into the post object looking for the cap.

e.g.

Do this:

if ( ! current_user_can( 'edit_post', $post_id ) ) {
  // ...
}

Instead of this:

$post_type = get_post_type_object( get_post_type( $post_id ) );
if ( ! current_user_can( $post_type->cap->edit_post, $post_id ) ) {
  // ...
}

Our meta caps resolve custom caps for the meta caps (if someone has been foolish enough to use them), and we should be consistent about doing it that way so people know that's the right way to do it.

Attachments (2)

23226.diff (12.0 KB) - added by markjaquith 15 months ago.
23226.2.diff (11.8 KB) - added by kovshenin 14 months ago.

Change History (10)

comment:1 nacin 15 months ago

I've been meaning to do this for a while as a first step to cleaning up meta capabilities for post types. +1.

comment:2 scribu 15 months ago

To clarify: that's the correct way, even if register_post_type() has 'map_meta_cap' => false, right?

comment:3 in reply to: ↑ 2 markjaquith 15 months ago

Replying to scribu:

To clarify: that's the correct way, even if register_post_type() has 'map_meta_cap' => false, right?

Right. Our post-related meta caps all have this block of code:

if ( ! $post_type->map_meta_cap ) {
	$caps[] = $post_type->cap->$cap;
	// ...
}

So it essentially does that digging for us.
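
A stand-alone model of the resolution described above, added here as an example; it is not WordPress core code and not code from this ticket. The function names, array shapes and the "book" post type are hypothetical, and the owner/status rules in the mapped branch are an assumption modeled on how core treats edit_post.

```php
<?php
// Model of how the 'edit_post' meta cap resolves; names and data are constructed.

// Return the primitive caps a user must hold to edit $post.
function model_map_edit_post(array $type, array $post, int $user_id): array {
    if (!$type['map_meta_cap']) {
        // The block quoted in comment:3: use the post type's own cap name.
        return [$type['cap']['edit_post']];
    }
    if ($post['author'] === $user_id) {
        return [$post['status'] === 'publish'
            ? $type['cap']['edit_published_posts']
            : $type['cap']['edit_posts']];
    }
    $caps = [$type['cap']['edit_others_posts']];
    if ($post['status'] === 'publish') {
        $caps[] = $type['cap']['edit_published_posts'];
    } elseif ($post['status'] === 'private') {
        $caps[] = $type['cap']['edit_private_posts'];
    }
    return $caps;
}

// Stand-in for current_user_can( 'edit_post', $post_id ).
function model_user_can_edit(array $user, array $type, array $post): bool {
    foreach (model_map_edit_post($type, $post, $user['id']) as $cap) {
        if (empty($user['caps'][$cap])) {
            return false;
        }
    }
    return true;
}

// Constructed "book" post type with custom capability names.
function model_book_type(bool $map_meta_cap): array {
    return ['map_meta_cap' => $map_meta_cap, 'cap' => [
        'edit_post' => 'edit_book', 'edit_posts' => 'edit_books',
        'edit_others_posts' => 'edit_others_books',
        'edit_published_posts' => 'edit_published_books',
        'edit_private_posts' => 'edit_private_books',
    ]];
}

$user  = ['id' => 7, 'caps' => ['edit_books' => true]]; // constructed user
$own   = ['author' => 7, 'status' => 'draft'];
$other = ['author' => 9, 'status' => 'draft'];
var_dump(model_user_can_edit($user, model_book_type(true), $own));   // own draft, mapped
var_dump(model_user_can_edit($user, model_book_type(true), $other)); // another author's draft
var_dump(model_user_can_edit($user, model_book_type(false), $own));  // unmapped: needs 'edit_book'
```

In this model the caller always asks for 'edit_post' with a post; which custom cap is required (edit_books, edit_others_books or edit_book) is decided inside the resolver, which is the consistency the ticket asks for.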

comment:4 markjaquith 15 months ago

  • Keywords has-patch needs-testing added
  • Owner set to markjaquith
  • Status changed from new to accepted

First swing. Passes existing unit tests. Where possible, I removed the associated get_post_type_object() call — that is, if it was only being used in the cap check. I could probably use a double-check where that happened.

comment:5 markjaquith 15 months ago

  • Owner changed from markjaquith to nacin
  • Status changed from accepted to assigned

Assigning to nacin for review, as map_meta_cap is near and dear to him.

comment:6 alex-ye 15 months ago

  • Cc nashwan.doaqan@… added

comment:7 kovshenin 14 months ago

Found a couple more in query.php, fixed in 23226.2.diff

comment:8 nacin 9 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 24593:

Use meta caps edit_post, read_post, and delete_post directly, rather than consulting the post type object. map_meta_cap() handles that for us. props markjaquith, kovshenin. fixes #23226.