Make WordPress Core

Opened 12 years ago

Closed 11 years ago

Last modified 4 years ago

#23226 closed defect (bug) (fixed)

Always use meta caps directly instead of going through the post_type_object->caps array

Reported by: markjaquith
Owned by: nacin
Milestone: 3.6
Priority: normal
Severity: normal
Version:
Component: Role/Capability
Keywords: has-patch needs-testing
Focuses:
Cc:


When using post-related meta caps in core, we should use their meta cap name instead of manually digging into the post object looking for the cap.


Do this:

if ( ! current_user_can( 'edit_post', $post_id ) ) {
  // ...
}

Instead of this:

$post_type = get_post_type_object( get_post_type( $post_id ) );
if ( ! current_user_can( $post_type->cap->edit_post, $post_id ) ) {
  // ...
}

Our meta caps resolve custom caps for the meta caps (if someone has been foolish enough to use them), and we should be consistent about doing it that way so people know that's the right way to do it.

Attachments (2)

23226.diff (12.0 KB) - added by markjaquith 12 years ago.
23226.2.diff (11.8 KB) - added by kovshenin 11 years ago.

Change History (11)

#1 @nacin
12 years ago

I've been meaning to do this for a while as a first step to cleaning up meta capabilities for post types. +1.

#2 follow-up: @scribu
12 years ago

To clarify: that's the correct way, even if register_post_type() has 'map_meta_cap' => false, right?

#3 in reply to: ↑ 2 @markjaquith
12 years ago

Replying to scribu:

To clarify: that's the correct way, even if register_post_type() has 'map_meta_cap' => false, right?

Right. Our post-related meta caps all have this block of code:

if ( ! $post_type->map_meta_cap ) {
	$caps[] = $post_type->cap->$cap;

So it essentially does that digging for us.
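
The pattern discussed in the ticket description and in the reply above, as an added example (not code from the ticket, the patches or WordPress core). It assumes it is loaded as a plugin; the 'book' post type, the 'book_retitle' action, the nonce name and the helper function are hypothetical.

```php
<?php
// Added example, not WordPress core code. Assumes it is loaded as a plugin; the
// 'book' post type, 'book_retitle' action and nonce name are hypothetical.

// capability_type 'book': primitive caps become edit_books, edit_others_books, ...
add_action( 'init', function () {
	register_post_type( 'book', array(
		'public'          => true,
		'capability_type' => 'book',
		'map_meta_cap'    => true,
	) );
} );

// Handles POST /wp-admin/admin-post.php with action=book_retitle (logged-in users).
add_action( 'admin_post_book_retitle', function () {
	$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

	// CSRF check, bound to the specific post.
	check_admin_referer( 'book_retitle_' . $post_id );

	// Meta cap plus object ID: map_meta_cap() resolves it to the primitive caps
	// for this post's type, author and status. No get_post_type_object() needed.
	if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
		wp_die( 'You are not allowed to edit this item.', '', array( 'response' => 403 ) );
	}

	$title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
	wp_update_post( array( 'ID' => $post_id, 'post_title' => $title ) );
	wp_safe_redirect( admin_url( 'edit.php?post_type=book' ) );
	exit;
} );

/**
 * Debug helper: the primitive caps a user needs to edit a post, as resolved by
 * map_meta_cap(). For a published 'book' by another author this is
 * edit_others_books and edit_published_books. With 'map_meta_cap' => false the
 * result is just $post_type->cap->edit_post, here 'edit_book'.
 */
function example_required_caps_to_edit( $user_id, $post_id ) {
	return map_meta_cap( 'edit_post', $user_id, $post_id );
}
```
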

#4 @markjaquith
12 years ago

  • Keywords has-patch needs-testing added
  • Owner set to markjaquith
  • Status changed from new to accepted

First swing. Passes existing unit tests. Where possible, I removed the associated get_post_type_object() call — that is, if it was only being used in the cap check. I could probably use a double-check where that happened.

#5 @markjaquith
12 years ago

  • Owner changed from markjaquith to nacin
  • Status changed from accepted to assigned

Assigning to nacin for review, as map_meta_cap is near and dear to him.

#6 @alex-ye
11 years ago

  • Cc nashwan.doaqan@… added

#7 @kovshenin
11 years ago

Found a couple more in query.php, fixed in 23226.2.diff

#8 @nacin
11 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 24593:

Use meta caps edit_post, read_post, and delete_post directly, rather than consulting the post type object. map_meta_cap() handles that for us. props markjaquith, kovshenin. fixes #23226.

#9 @ocean90
4 years ago

In 47850:

Role/Capability: Use meta caps edit_post, read_post, and delete_post directly.

Rather than consulting the post type object, let map_meta_cap() handle that for us.

Props peterwilsoncc, ocean90.
Fixes #50128.
See #23226.
