From 21264a31e0849e6ff793a06a17de877dd88ea454 Mon Sep 17 00:00:00 2001
From: Dominik Schilling
Date: Thu, 26 Jan 2017 13:58:44 +0000
Subject: [PATCH] Press This: Do not show Categories & Tags UI for users who cannot assign terms to posts anyways.

Built from https://develop.svn.wordpress.org/trunk@39968

git-svn-id: http://core.svn.wordpress.org/trunk@39905 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/class-wp-press-this.php | 96 ++++++++++++++++-------
 wp-includes/version.php | 2 +-
 2 files changed, 68 insertions(+), 30 deletions(-)

diff --git a/wp-admin/includes/class-wp-press-this.php b/wp-admin/includes/class-wp-press-this.php
index 71ce5153d3..9527ef5853 100644
--- a/wp-admin/includes/class-wp-press-this.php
+++ b/wp-admin/includes/class-wp-press-this.php
@@ -119,10 +119,28 @@ class WP_Press_This {
 'post_type' => 'post',
 'post_status' => 'draft',
 'post_format' => ( ! empty( $_POST['post_format'] ) ) ? sanitize_text_field( $_POST['post_format'] ) : '',
- 'tax_input' => ( ! empty( $_POST['tax_input'] ) ) ? $_POST['tax_input'] : array(),
- 'post_category' => ( ! empty( $_POST['post_category'] ) ) ? $_POST['post_category'] : array(),
 );
+ // Only accept categories if the user actually can assign
+ $category_tax = get_taxonomy( 'category' );
+ if ( current_user_can( $category_tax->cap->assign_terms ) ) {
+ $post_data['post_category'] = ( ! empty( $_POST['post_category'] ) ) ? $_POST['post_category'] : array();
+ }
+
+ // Only accept taxonomies if the user can actually assign
+ if ( ! empty( $_POST['tax_input'] ) ) {
+ $tax_input = $_POST['tax_input'];
+ foreach ( $tax_input as $tax => $_ti ) {
+ $tax_object = get_taxonomy( $tax );
+ if ( ! $tax_object || ! current_user_can( $tax_object->cap->assign_terms ) ) {
+ unset( $tax_input[ $tax ] );
+ }
+ }
+
+ $post_data['tax_input'] = $tax_input;
+ }
+
+ // Toggle status to pending if user cannot actually publish
 if ( ! empty( $_POST['post_status'] ) && 'publish' === $_POST['post_status'] ) {
 if ( current_user_can( 'publish_posts' ) ) {
 $post_data['post_status'] = 'publish';
@@ -453,7 +471,7 @@ class WP_Press_This {
 * @since 4.2.0
 *
 * @param string $src Embed source URL.
- * @return string If not from a supported provider, an empty string. Otherwise, a reformattd embed URL.
+ * @return string If not from a supported provider, an empty string. Otherwise, a reformatted embed URL.
 */
 private function _limit_embed( $src ) {
 $src = $this->_limit_url( $src );
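Review bot: `foreach ( $tax_input as $tax => $_ti )` assumes `$_POST['tax_input']` is an array, but `! empty()` also passes for a non-empty string, in which case the loop emits a foreach warning and the unfiltered string is then stored in `$post_data['tax_input']`; tighten the guard to `if ( ! empty( $_POST['tax_input'] ) && is_array( $_POST['tax_input'] ) ) {` and apply the same `is_array()` test to the `post_category` branch. The per-taxonomy `assign_terms` check here is the enforcement point for this change — the companion hunk at line 871 only hides the form fields and is not itself an authorization control. Note that `tax_input` and `post_category` are no longer always present in `$post_data`; anything reading those keys directly would now need `isset()`, though the array presumably goes straight to `wp_insert_post()`, which tolerates their absence. The enclosing method's signature and the remainder of its body lie outside the hunk.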
@@ -853,6 +871,12 @@ class WP_Press_This {
 public function categories_html( $post ) {
 $taxonomy = get_taxonomy( 'category' );
+ // Bail if user cannot assign terms
+ if ( ! current_user_can( $taxonomy->cap->assign_terms ) ) {
+ return;
+ }
+
+ // Only show "add" if user can edit terms
 if ( current_user_can( $taxonomy->cap->edit_terms ) ) {
 ?>
- + + + - + + +
@@ -1447,23 +1481,27 @@ class WP_Press_This {
- + + + - + + +
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 7cea374b4a..3e9d941481 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.8-alpha-39967';
+$wp_version = '4.8-alpha-39968';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
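Review bot: The early `return;` in `categories_html()` is display gating only — it keeps the Categories box out of the Press This form, while the check that actually prevents unauthorized term assignment is the `assign_terms` filtering in the save-path hunk at line 119; the comment should say so, so a later refactor does not treat this as the enforcement point: `// UI only: the assign_terms check on save is what actually enforces this`. The new line also dereferences `$taxonomy->cap` without confirming that `get_taxonomy( 'category' )` returned an object; the pre-existing `edit_terms` check makes the same assumption, so this is inherited rather than new. The rest of the method, including the HTML it emits, is outside the hunk (the markup appears to have been stripped from this copy of the patch), and whether the Tags box received the same bail-out cannot be confirmed from here.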