Non-Editors can create (non-hierarchical) terms even though they can't manage_terms
Reported by: westonruter
Owned by: (unassigned)
When a taxonomy is registered, the $default_caps are:
    'manage_terms' => 'manage_categories',
    'edit_terms'   => 'manage_categories',
    'delete_terms' => 'manage_categories',
    'assign_terms' => 'edit_posts',
This should mean that Authors and Contributors should not be able to create new terms because they (normally) do not have the manage_categories capability. For hierarchical taxonomies (like categories), the UI for creating new terms is removed from the metabox. However, for non-hierarchical taxonomies (like tags), the UI does not change based on whether they can manage_categories or not: they can still enter arbitrary terms and add them, and when saving the post, the new terms get created. This seems wrong.
There should be current_user_can( $taxonomy->caps->manage_terms ) checks done when saving a post, and the UI should be updated to prevent new terms from seeming to be accepted. The ajax-tag-search could be used to determine if the entered tag exists, and only allow it to be added if it does.
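One server-side way to enforce the manage_terms check described above, as an added illustration rather than the ticket's own patch: hook the `pre_insert_term` filter (present in WordPress core since 3.0) so that any attempt to create a term that does not already exist is refused unless the current user holds the taxonomy's `manage_terms` capability. This covers the post-save path for tags as well as any other caller of `wp_insert_term()`. The error code string and the function name are made up for this example; `get_taxonomy()`, `term_exists()`, `current_user_can()` and `WP_Error` are core APIs (note that core exposes the capabilities on `$taxonomy->cap`, not `$taxonomy->caps`).

```php
<?php
/**
 * Added example, not part of the ticket: refuse creation of new terms by
 * users who lack the taxonomy's manage_terms capability.
 *
 * Drop into wp-content/mu-plugins/ or a plugin. Assumes WordPress >= 3.0,
 * where wp_insert_term() applies the 'pre_insert_term' filter and aborts
 * when the filter returns a WP_Error.
 */
function example_deny_term_creation_without_cap( $term, $taxonomy ) {
    // Another filter may already have rejected the term; pass that through.
    if ( is_wp_error( $term ) ) {
        return $term;
    }

    $tax = get_taxonomy( $taxonomy );
    if ( ! $tax ) {
        // Unknown taxonomy: let wp_insert_term() emit its own error.
        return $term;
    }

    // Assigning an existing term is governed by assign_terms (checked
    // elsewhere), so only a genuinely new term is a "create" here.
    if ( term_exists( $term, $taxonomy ) ) {
        return $term;
    }

    // Use the capability the taxonomy was registered with, which falls
    // back to manage_categories when no custom capabilities were given.
    if ( ! current_user_can( $tax->cap->manage_terms ) ) {
        return new WP_Error(
            'example_term_creation_denied', // hypothetical error code
            sprintf( 'You are not allowed to create new terms in the "%s" taxonomy.', $taxonomy )
        );
    }

    return $term;
}
add_filter( 'pre_insert_term', 'example_deny_term_creation_without_cap', 10, 2 );
```

One caveat worth knowing before relying on this alone: when `wp_set_object_terms()` receives a `WP_Error` from `wp_insert_term()` it returns that error for the whole taxonomy, so a Contributor who types one unknown tag alongside several existing ones will have none of the tags for that save applied. That matches the ticket's point that the UI also needs to stop presenting new terms as accepted; the filter above is the backstop that prevents silent term creation regardless of which client submitted the post.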