WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#36379 closed defect (bug) (fixed)

Saving post can remove its hierarchical terms if user cannot 'assign_terms'

Reported by: dlh
Owned by: boonebgorges
Milestone: 4.5.3
Priority: normal
Severity: normal
Version:
Component: Taxonomy
Keywords: fixed-major
Focuses: administration
Cc:
PR Number:

Description

If a user lacks the assign_terms capability for a hierarchical taxonomy, and the user visits the edit-post screen or uses Quick Edit, the default UI still displays the checklist of terms for that taxonomy but with each input disabled.

However, disabled checkboxes are not submitted with forms. If terms in the taxonomy are selected for the post and the user saves it, 0 is submitted instead of those terms, and the relationships are lost.

To replicate:

  1. Create a post as an administrator, assign it categories, and save.
  2. Remove your ability to assign terms:

         add_filter( 'register_taxonomy_args', function ( $args ) {
         	$args['capabilities']['assign_terms'] = 'do_not_allow';
         	return $args;
         } );

  3. Go to the edit-post screen for your post. The category checklist appears with your saved terms still checked, but the inputs are disabled.
  4. Save the post. Now, only the default category is assigned.

The attached patch is the start of one potential solution: Outputting hidden fields in Walker_Category_Checklist::start_el() to match disabled, checked ones. Something similar would have to happen for Quick Edit.

But there are other approaches, and I might be misdiagnosing the issue, so I thought I would wait for more discussion before attempting to patch further.

Attachments (1)

36379.diff (1.3 KB) - added by dlh 4 years ago.

Change History (18)

#1 @boonebgorges
4 years ago

  • Component changed from Administration to Taxonomy
  • Keywords 4.6-early needs-patch added
  • Milestone changed from Awaiting Review to Future Release

Oof, good find, @dlh.

A more appropriate approach, I think, is to do an 'assign_terms' cap check before saving term data on the post. (The hidden input field trick can be bypassed by manipulating the DOM.)
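
The failure mode reported in this ticket and the server-side check proposed in comment #1, modelled in plain PHP as an added example. It is not WordPress core code and not part of any commenter's post; the function names, the term IDs and the `$can_assign` flag (standing in for an `assign_terms` capability check) are assumptions.

```php
<?php
// Added illustration: a plain-PHP model of the ticket's behaviour, not
// WordPress core code. Function names and term IDs are constructed.

// Model of the browser: disabled checkboxes are left out of the request, so
// only the hidden post_category[] field (value 0) is submitted.
function submitted_categories(array $checked, bool $inputs_disabled): array
{
    return $inputs_disabled ? [0] : array_merge([0], $checked);
}

// Save step that trusts the request: 0 and empty values are dropped, and an
// empty result falls back to the default category.
function save_unchecked(array $submitted, int $default): array
{
    $terms = array_values(array_filter(array_map('intval', $submitted)));
    return $terms ?: [$default];
}

// Save step with the check from comment #1: without the capability
// ($can_assign stands in for an assign_terms check), the request's term data
// is ignored and the stored terms are kept.
function save_checked(array $stored, array $submitted, int $default, bool $can_assign): array
{
    return $can_assign ? save_unchecked($submitted, $default) : $stored;
}

$stored  = [3, 7]; // constructed: categories already assigned to the post
$default = 1;      // constructed: ID of the default category

// User without assign_terms saves the post from the disabled checklist.
$request = submitted_categories($stored, true);
printf("request:   %s\n", json_encode($request));
printf("unchecked: %s\n", json_encode(save_unchecked($request, $default)));
printf("checked:   %s\n", json_encode(save_checked($stored, $request, $default, false)));

// Constructed request carrying term IDs even though the inputs were disabled:
// a server-side check does not depend on what the form rendered.
$edited = [0, 9];
printf("edited, unchecked: %s\n", json_encode(save_unchecked($edited, $default)));
printf("edited, checked:   %s\n", json_encode(save_checked($stored, $edited, $default, false)));

// User with the capability unchecks category 7; the change is saved.
$allowed = submitted_categories([3], false);
printf("allowed:   %s\n", json_encode(save_checked($stored, $allowed, $default, true)));
```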

#2 @johnbillion
4 years ago

I think the solution here is to not output the hidden post_category[] (or tax_input[$tax]) input, which is in place so saving of the terms is triggered when no checkboxes are selected.

Refs (there may be more):

#3 @dlh
4 years ago

Thanks @boonebgorges and @johnbillion.

As I understand them, your suggestions aren't mutually exclusive. Adding the capability check seems like it would be worth considering independently of this particular ticket, even.

Unless one of you or someone else has a preference about it, I can work on patches for both approaches.

#4 @boonebgorges
4 years ago

@dlh Sure, please go ahead with two different patches. Thanks!

#5 @boonebgorges
3 years ago

  • Keywords 4.6-early needs-patch removed
  • Milestone changed from Future Release to 4.6
  • Owner set to boonebgorges
  • Status changed from new to assigned

#6 @boonebgorges
3 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 37691:

Taxonomy: More specific cap check when processing category data on post save.

Props dlh.
Fixes #36379.

#7 @boonebgorges
3 years ago

  • Keywords fixed-major added
  • Milestone changed from 4.6 to 4.5.3
  • Resolution fixed deleted
  • Status changed from closed to reopened

#8 @boonebgorges
3 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 37759:

Taxonomy: More specific cap check when processing category data on post save.

Ports [37691] to the 4.5 branch.

Props dlh.
Fixes #36379.
Please enter the commit message for your changes. Lines starting

#9 @boonebgorges
3 years ago

In 37767:

Taxonomy: More specific cap check when processing category data on post save.

Ports [37691] to the 4.4 branch.

Props dlh.
Fixes #36379.

#10 @boonebgorges
3 years ago

In 37771:

Taxonomy: More specific cap check when processing category data on post save.

Ports [37691] to the 4.3 branch.

Props dlh.
Fixes #36379.

#11 @boonebgorges
3 years ago

In 37776:

Taxonomy: More specific cap check when processing category data on post save.

Ports [37691] to the 4.2 branch.

Props dlh.
Fixes #36379.

#12 @boonebgorges
3 years ago

In 37781:

Taxonomy: More specific cap check when processing category data on post save.

Ports [37691] to the 4.1 branch.

Props dlh.
Fixes #36379.

#13 @boonebgorges
3 years ago

In 37782:

Taxonomy: More specific cap check when processing category data on post save.

Ports [37691] to the 4.0 branch.

Props dlh.
Fixes #36379.

#14 @boonebgorges
3 years ago

In 37784:

Taxonomy: More specific cap check when processing category data on post save.

Ports [37691] to the 3.9 branch.

Props dlh.
Fixes #36379.

#15 @boonebgorges
3 years ago

In 37787:

Taxonomy: More specific cap check when processing category data on post save.

Ports [37691] to the 3.8 branch.

Props dlh.
Fixes #36379.

#16 @boonebgorges
3 years ago

In 37788:

Taxonomy: More specific cap check when processing category data on post save.

Ports [37691] to the 3.7 branch.

Props dlh.
Fixes #36379.

This ticket was mentioned in Slack in #core by kenshino.

3 years ago