WordPress.org

Make WordPress Core

Opened 4 weeks ago

Last modified 4 weeks ago

#44468 new enhancement

Introduce infrastructure for testing primitive capabilities granted via `user_has_cap`

Reported by: flixos90 Owned by:
Milestone: 5.0 Priority: normal
Severity: normal Version:
Component: Role/Capability Keywords: has-patch
Focuses: Cc:

Description

There are three ways of granting capabilities to a user:

  • Via the database, with capabilities being granted through a role. Those capabilities are referred to as "primitive capabilities".
  • Via the map_meta_cap filter, with capabilities being resolved to one or more primitive capabilities. Those capabilities are referred to as "meta capabilities".
  • Via the user_has_cap filter, with capabilities being granted as if they were in the database too. This has existed for a very long time, but has not been used in core until recently.

So what is this about?

New capabilities introduced to core should not be added to the database. However, many of the new capabilities are not meta capabilities, and it would be wrong to use map_meta_cap for them. Those capabilities should be dynamically granted, but essentially behave just like primitive capabilities.

There are numerous of those capabilities in core that historically use map_meta_cap() (for example customize, manage_privacy_options, ...), and we probably cannot change that. But for the future, we should ensure we stick to this separation and only use map_meta_cap() for actual meta capabilities, i.e. capabilities that receive additional arguments (like a post ID, a plugin slug, ...) and are then resolved.

Originally introduced as part of #41332 (but not being suitable for discussion in there), this ticket aims at providing a comprehensive testing infrastructure for those capabilities. While currently the only capability granted like that is install_languages, this infrastructure will encourage granting dynamic primitive capabilities the proper way.

cc @johnbillion

Attachments (1)

44468.diff (3.5 KB) - added by flixos90 4 weeks ago.

Download all attachments as: .zip

Change History (2)

@flixos90
4 weeks ago

#1 @flixos90
4 weeks ago

  • Keywords has-patch added

44468.diff adds the infrastructure for testing the so-called "dynamic primitive capabilities":

  • All those capabilities need to be added to the _getSingleSiteDynamicPrimitiveCaps() and _getMultiSiteDynamicPrimitiveCaps() methods, just how it is for the other two types of capabilities.
  • It is checked that each of the capabilities are correctly granted via user_has_cap.
  • It is also checked that each of the capabilities are actually granted via user_has_cap and not through another means (like the database).
Note: See TracTickets for help on using tickets.