#35614 closed enhancement (fixed)
Cannot check capabilities on single taxonomy terms
Reported by: | johnjamesjacoby | Owned by: | johnbillion |
---|---|---|---|
Milestone: | 4.7 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Taxonomy | Keywords: | has-dev-note |
Focuses: | Cc: |
Description
Unlike Users and Posts, Taxonomy Terms do not have single capability checks.
Users and Posts have single capabilities that are accompanied by an ID, like:
edit_user
edit_post
Taxonomy terms however, are only ever checked via their plural version, like:
manage_categories
In register_taxonomy()
, the default caps are mapped like:
$default_caps = array( 'manage_terms' => 'manage_categories', 'edit_terms' => 'manage_categories', 'delete_terms' => 'manage_categories', 'assign_terms' => 'edit_posts', );
But there is no single equivalent, like:
manage_term
edit_term
delete_term
assign_term
This means it's not currently possible (even with filters) to target specific terms in a taxonomy and prevent them from being edited, deleted, or assigned.
Attachments (5)
Change History (29)
#1
@
9 years ago
- Milestone changed from Awaiting Review to Future Release
+1 to the idea of more fine-grained caps for taxonomy terms, for more flexible development. I don't know that there's a need in core for this at the moment, since Terms don't have the same sorts of properties that dictate caps for Posts (think: authorship, post_status
, revisions). But this is partly a chicken/egg problem - we don't have these things because we don't have the infrastructure.
There are a couple of directions we could move here, using post caps as a boilerplate. First, post caps are on a per-post basis - this is what you're referencing here. Second, post caps are, by default, named after the current post type, and we could do the same thing with taxonomies. It might make sense to do both of these at the same time, as it would be easier to port from the post_type system.
Here's the beginning of what a patch would have to have:
- As noted above, default mappings for singular caps in
register_taxonomy()
. - Singular cap mapping in
map_meta_cap()
, accompanied by unit tests. - Convert existing
current_user_can()
checks to singular checks, as appropriate.
#3
@
9 years ago
+1
If this is to become the omnibus taxonomy caps ticket, I'd also love to see list_<taxonomy>
and create_<taxonomy>
. Although I realize there are potential UX changes with these generic caps.
#4
@
8 years ago
- Keywords needs-unit-tests added; 2nd-opinion removed
- Milestone changed from Future Release to 4.7
- Owner set to johnbillion
- Status changed from new to assigned
#6
@
8 years ago
- Keywords has-patch needs-testing added; needs-patch removed
35614.patch is a first pass at this. Needs a bunch of tests and a bunch of testing.
#10
@
8 years ago
@johnbillion Thanks for your efforts here. I'll be digging in and testing this week.
#11
@
8 years ago
- Keywords has-unit-tests added; needs-unit-tests removed
35614.2.patch is an updated patch with additional tests.
#12
follow-up:
↓ 13
@
8 years ago
@johnjamesjacoby It would be great if you could test this by attempting to implement your edit/delete locking functionality with the patch applied. I've been testing using various filters on the map_meta_cap
filter (my use-case is preventing edits to a term that's marked as pending approval by an administrator).
#13
in reply to:
↑ 12
@
8 years ago
- Keywords commit added; needs-testing removed
Replying to johnbillion:
@johnjamesjacoby It would be great if you could test this by attempting to implement your edit/delete locking functionality with the patch applied. I've been testing using various filters on the
map_meta_cap
filter (my use-case is preventing edits to a term that's marked as pending approval by an administrator).
@johnbillion Patch still applies cleanly, and looks good to my eyes.
I especially like moving the default-term-check to map_meta_cap()
-- great work.
Tests are passing, and I walked through vanilla WordPress functionality & everything works the same as before.
Recommend to commit when ready.
@
8 years ago
Same as .2, but removes accidental whitespace change, and removes a $tax
variable assignment that's no longer used
#20
follow-up:
↓ 21
@
8 years ago
- Resolution fixed deleted
- Status changed from closed to reopened
As implemented in 4.7 RC, these meta capability checks accept a term_id with no taxonomy specified. This is an issue for legacy installations that have term_id != term_taxonomy_id. Taxonomy determination is now slated to fall to WP_Term::get_instance(), which will try to disambiguate but may return WP_Error.
An obvious option would to require the additional taxonomy argument following term_id. This would cause a fourth item in the $args array passed into the 'map_meta_cap' filter - a break with tradition, but not a problem for API-compliant plugins in my view.
#21
in reply to:
↑ 20
@
8 years ago
- Resolution set to fixed
- Status changed from reopened to closed
Replying to kevinB:
As implemented in 4.7 RC, these meta capability checks accept a term_id with no taxonomy specified. This is an issue for legacy installations that have term_id != term_taxonomy_id. Taxonomy determination is now slated to fall to WP_Term::get_instance(), which will try to disambiguate but may return WP_Error.
An obvious option would to require the additional taxonomy argument following term_id. This would cause a fourth item in the $args array passed into the 'map_meta_cap' filter - a break with tradition, but not a problem for API-compliant plugins in my view.
I'm punting this to 4.7.1 after chatting with @nacin, I've created #39038 for that.
For most sites, terms are likely to be split, and this should be a reasonably rare case to be hit.
In the event that a term isn't split, this will prevent it from being edited or deleted at present, not an unreasonable situation here for now.
#24
@
4 years ago
- Keywords has-dev-note added
This was detailed in the following dev note: https://make.wordpress.org/core/2016/10/28/fine-grained-capabilities-for-taxonomy-terms-in-4-7/
My use-case is a plugin to "lock" terms from being edited or deleted by users with Editor access or less. The UI and metadata integration is finished and easy, but the functionality doesn't appear to be possible.