Post Type Capabilities Broken

[michael.ecklund]

It appears that specifying capabilities to a specific Post Type has little to no effect. When customizing the capabilities for a specific Post Type during registration it throws PHP errors and as far as I can tell, doesn't appear to be working at all.

I've got a Post Type which contains private posts only. I don't want posts to be: Created, Deleted, or Published. I thought this would be a simple task. Apparently not.

When registering a Post Type ... I've specified the following:

<?php

$args['public']              = false;
$args['publicly_queryable']  = false;
$args['show_ui']             = true;
$args['show_in_menu']        = false;
$args['query_var']           = false;
$args['rewrite']             = false;
$args['has_archive']         = false;
$args['hierarchical']        = false;
$args['exclude_from_search'] = true;

$args['map_meta_cap']    = true;
$args['capability_type'] = 'post';

I've tried this:

<?php

$args['capabilities']                           = array();
$args['capabilities']['edit_post']              = 'edit_post';
$args['capabilities']['read_post']              = 'do_not_allow';
$args['capabilities']['delete_post']            = 'do_not_allow';
$args['capabilities']['edit_posts']             = 'edit_posts';
$args['capabilities']['edit_others_posts']      = 'edit_others_posts';
$args['capabilities']['publish_posts']          = 'do_not_allow';
$args['capabilities']['read_private_posts']     = 'do_not_allow';
$args['capabilities']['read']                   = 'do_not_allow';
$args['capabilities']['delete_posts']           = 'do_not_allow';
$args['capabilities']['delete_private_posts']   = 'do_not_allow';
$args['capabilities']['delete_published_posts'] = 'do_not_allow';
$args['capabilities']['delete_others_posts']    = 'do_not_allow';
$args['capabilities']['edit_private_posts']     = 'edit_private_posts';
$args['capabilities']['edit_published_posts']   = 'do_not_allow';
$args['capabilities']['create_posts']           = 'do_not_allow';

I've also tried this:

<?php

$args['capabilities']                           = array();
$args['capabilities']['read_post']              = 'do_not_allow';
$args['capabilities']['delete_post']            = 'do_not_allow';
$args['capabilities']['publish_posts']          = 'do_not_allow';
$args['capabilities']['read']                   = 'do_not_allow';
$args['capabilities']['delete_posts']           = 'do_not_allow';
$args['capabilities']['delete_private_posts']   = 'do_not_allow';
$args['capabilities']['delete_published_posts'] = 'do_not_allow';
$args['capabilities']['delete_others_posts']    = 'do_not_allow';
$args['capabilities']['edit_published_posts']   = 'do_not_allow';
$args['capabilities']['create_posts']           = 'do_not_allow';

I've also tried this:

<?php

$args['capabilities']                           = array();
$args['capabilities']['delete_post']            = 'do_not_allow';
$args['capabilities']['publish_posts']          = 'do_not_allow';
$args['capabilities']['delete_posts']           = 'do_not_allow';
$args['capabilities']['delete_private_posts']   = 'do_not_allow';
$args['capabilities']['delete_published_posts'] = 'do_not_allow';
$args['capabilities']['delete_others_posts']    = 'do_not_allow';
$args['capabilities']['edit_published_posts']   = 'do_not_allow';
$args['capabilities']['create_posts']           = 'do_not_allow';

I've played with these one by one and it seems no matter what I specify here, nothing seems to take effect properly.

PHP errors everywhere on edit.php and post.php

[michael.ecklund]

I could be overlooking something much more complex, but couldn't it be solved with something like:

if ( ! isset( $args[0] ) ) {
    $args[0] = null;
}

[johnbillion]

Thanks for the ticket, @michael.ecklund.

I narrowed down the problem to the existence of three meta capabilities in your capabilities array:

$args['capabilities']['edit_post']   = 'edit_post';
$args['capabilities']['read_post']   = 'do_not_allow';
$args['capabilities']['delete_post'] = 'do_not_allow';

These are singular form meta capabilities, which shouldn't be defined in your capabilities array. They map to the edit_posts, read_posts, and delete_posts primitive capabilities respectively. If you remove these from your capabilities array, the functionality you're attempting to create appears to work as expected.

Let me know if this works for you.

[michael.ecklund]

Replying to johnbillion:

That doesn't seem to have resolved the problem. Still seeing PHP Notices everywhere.

The Codex must be incorrect then. The Codex demonstrates using those capabilities.

​https://codex.wordpress.org/Function_Reference/register_post_type#Arguments

Thanks for the ticket, @michael.ecklund.

I narrowed down the problem to the existence of three meta capabilities in your capabilities array:

$args['capabilities']['edit_post']   = 'edit_post';
$args['capabilities']['read_post']   = 'do_not_allow';
$args['capabilities']['delete_post'] = 'do_not_allow';

These are singular form meta capabilities, which shouldn't be defined in your capabilities array. They map to the edit_posts, read_posts, and delete_posts primitive capabilities respectively. If you remove these from your capabilities array, the functionality you're attempting to create appears to work as expected.

Let me know if this works for you.

[lukecavanagh]

What happens if you use these for the custom capabilities of the registered post type.

​https://codex.wordpress.org/Function_Reference/get_post_type_capabilities#Parameters

$capabilities = array(
		'edit_post'             => 'edit_post',
		'edit_posts'            => 'edit_posts',
		'edit_others_posts'     => 'edit_others_posts',
                'edit_private_posts'    => 'edit_private_posts'
	);

[michael.ecklund]

I'm not a core developer, so I'm unaware of the impact of this change. However, the following change does eliminate the PHP Notices.

./wp-includes/capabilities.php Line: 56

Change From:

$post = get_post( $args[0] );

Change To:

if ( isset( $args[0] ) ) {
    $post = get_post( $args[0] );
} else {
    $post = null;
}

[lukecavanagh]

Basic patch

[johnbillion]

@lukecavanagh Your patch simply treats the symptom instead of the cause of the problem. Raising a notice here is desired behaviour when a meta capability such as edit_post is checked without passing a contextual parameter (the post ID).

@michael.ecklund Would you be so kind as to post the complete code you're using please? There may be something else in the capabilities array that I missed.