Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#49741 closed defect (bug) (invalid)

WP_REST_Terms_Controller::create_item_permissions_check did not work as expected

Reported by: jihaisse's profile jihaisse Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.9.8
Component: REST API Keywords:
Focuses: rest-api Cc:

Description

Hello

I’ve created few taxonomies with CPTUI and I wanted to specify capabilities for them, so I did it like this :

<?php
function notes_customize_taxonomy($args, $taxonomy_slug)
{
    // These would already be used as default value, but providing as an example.
    // $taxonomy_slug parameter would be the slug of the taxonomy currently being registered.
    $args['capabilities'] = array(
        'manage_terms' => "manage_categories",
        'edit_terms' => "manage_categories",
        'delete_terms' => "manage_categories",
        'assign_terms' => "edit_posts",
    );

    return $args;
}
add_filter('cptui_pre_register_taxonomy', 'notes_customize_taxonomy', 10, 2);

So I imagined that if a user have the permission “edit_posts” he can assign a term to a post, but not create a new one on that taxonomy.

But, in the create_item_permissions_check method, it’s not like this :

<?php

if ( ( is_taxonomy_hierarchical( $this->taxonomy )
            && ! current_user_can( $taxonomy_obj->cap->edit_terms ) )
        || ( ! is_taxonomy_hierarchical( $this->taxonomy )
            && ! current_user_can( $taxonomy_obj->cap->assign_terms ) ) )

The capablility tested is different if the taxonomy is hierarchical or not.
Why ?

Is this realy what is wanted ?

I think this is really confusing. It didn't allow us to have a user who can only assign terms without creating new ones.

Change History (1)

#1 @TimothyBlynJacobs
5 years ago

  • Component changed from General to REST API
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed
  • Version changed from trunk to 4.9.8

Hi @jihaisse!

Thanks for opening a ticket and welcome to trac! This is in fact the intentional behavior, and was adjusted this way to match the Classic Editor. You can read the details in #44096.

In this case, if you wanted that behavior, I think the best plan of action would be to subclass the WP_REST_Terms_Controller for your taxonomy, and specify it as the rest_controller_class when registering your taxonomy.

Note: See TracTickets for help on using tickets.