From 3a449ea5439b547cf3f9119cbfe9503cadeaeedb Mon Sep 17 00:00:00 2001 From: Ryan McCue Date: Wed, 9 Nov 2016 03:42:30 +0000 Subject: [PATCH] Roles/Capabilities: Add meta-caps for comment, term, and user meta. Additionally, use these meta-caps in the REST API endpoints. Previously, register_meta()'s auth_callback had no effect for non-post meta. This introduces `{add,edit,delete}_{comment,term,user}_meta` meta-caps to match the existing post meta capabilities. These are currently only used in the REST API. Props tharsheblows, boonebgorges. Fixes #38303, fixes #38412. Built from https://develop.svn.wordpress.org/trunk@39179 git-svn-id: http://core.svn.wordpress.org/trunk@39119 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/capabilities.php | 103 +++++++++++------- .../class-wp-rest-comments-controller.php | 2 +- .../fields/class-wp-rest-meta-fields.php | 19 ++-- wp-includes/version.php | 2 +- 4 files changed, 74 insertions(+), 52 deletions(-) diff --git a/wp-includes/capabilities.php b/wp-includes/capabilities.php index 35b0b5f762..b5bb5b3567 100644 --- a/wp-includes/capabilities.php +++ b/wp-includes/capabilities.php @@ -242,56 +242,77 @@ function map_meta_cap( $cap, $user_id ) { case 'edit_post_meta': case 'delete_post_meta': case 'add_post_meta': - $post = get_post( $args[0] ); - if ( ! $post ) { + case 'edit_comment_meta': + case 'delete_comment_meta': + case 'add_comment_meta': + case 'edit_term_meta': + case 'delete_term_meta': + case 'add_term_meta': + case 'edit_user_meta': + case 'delete_user_meta': + case 'add_user_meta': + list( $_, $object_type, $_ ) = explode( '_', $cap ); + $object_id = (int) $args[0]; + + switch ( $object_type ) { + case 'post': + $post = get_post( $object_id ); + if ( ! $post ) { + break; + } + + $sub_type = get_post_type( $post ); + break; + + case 'comment': + $comment = get_comment( $object_id ); + if ( ! $comment ) { + break; + } + + $sub_type = empty( $comment->comment_type ) ? 'comment' : $comment->comment_type; + break; + + case 'term': + $term = get_term( $object_id ); + if ( ! $term ) { + break; + } + + $sub_type = $term->taxonomy; + break; + + case 'user': + $user = get_user_by( 'id', $object_id ); + if ( ! $user ) { + break; + } + + $sub_type = 'user'; + break; + } + + if ( empty( $sub_type ) ) { $caps[] = 'do_not_allow'; break; } - $post_type = get_post_type( $post ); + $caps = map_meta_cap( "edit_{$object_type}", $user_id, $object_id ); - $caps = map_meta_cap( 'edit_post', $user_id, $post->ID ); + $meta_key = isset( $args[1] ) ? $args[1] : false; - $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false; + $has_filter = has_filter( "auth_{$object_type}_meta_{$meta_key}" ) || has_filter( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}" ); + if ( $meta_key && $has_filter ) { + /** This filter is documented in wp-includes/meta.php */ + $allowed = apply_filters( "auth_{$object_type}_meta_{$meta_key}", false, $meta_key, $object_id, $user_id, $cap, $caps ); - if ( $meta_key && ( has_filter( "auth_post_meta_{$meta_key}" ) || has_filter( "auth_post_{$post_type}_meta_{$meta_key}" ) ) ) { - /** - * Filters whether the user is allowed to add post meta to a post. - * - * The dynamic portion of the hook name, `$meta_key`, refers to the - * meta key passed to map_meta_cap(). - * - * @since 3.3.0 - * - * @param bool $allowed Whether the user can add the post meta. Default false. - * @param string $meta_key The meta key. - * @param int $post_id Post ID. - * @param int $user_id User ID. - * @param string $cap Capability name. - * @param array $caps User capabilities. - */ - $allowed = apply_filters( "auth_post_meta_{$meta_key}", false, $meta_key, $post->ID, $user_id, $cap, $caps ); + /** This filter is documented in wp-includes/meta.php */ + $allowed = apply_filters( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}", $allowed, $meta_key, $object_id, $user_id, $cap, $caps ); - /** - * Filters whether the user is allowed to add post meta to a post of a given type. - * - * The dynamic portions of the hook name, `$meta_key` and `$post_type`, - * refer to the meta key passed to map_meta_cap() and the post type, respectively. - * - * @since 4.6.0 - * - * @param bool $allowed Whether the user can add the post meta. Default false. - * @param string $meta_key The meta key. - * @param int $post_id Post ID. - * @param int $user_id User ID. - * @param string $cap Capability name. - * @param array $caps User capabilities. - */ - $allowed = apply_filters( "auth_post_{$post_type}_meta_{$meta_key}", $allowed, $meta_key, $post->ID, $user_id, $cap, $caps ); - - if ( ! $allowed ) + if ( ! $allowed ) { $caps[] = $cap; - } elseif ( $meta_key && is_protected_meta( $meta_key, 'post' ) ) { + } + } elseif ( $meta_key && is_protected_meta( $meta_key, $object_type ) ) { $caps[] = $cap; } break; diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php index 2b7057c495..365c4f61ff 100644 --- a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php +++ b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php @@ -631,7 +631,7 @@ class WP_REST_Comments_Controller extends WP_REST_Controller { if ( ! $change ) { return new WP_Error( 'rest_comment_failed_edit', __( 'Updating comment status failed.' ), array( 'status' => 500 ) ); } - } else { + } elseif ( ! empty( $prepared_args ) ) { if ( is_wp_error( $prepared_args ) ) { return $prepared_args; } diff --git a/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php b/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php index 2c765caeaa..e48a307a51 100644 --- a/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php +++ b/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php @@ -122,7 +122,6 @@ abstract class WP_REST_Meta_Fields { */ public function update_value( $request, $object_id ) { $fields = $this->get_registered_fields(); - foreach ( $fields as $name => $args ) { if ( ! array_key_exists( $name, $request ) ) { continue; @@ -159,7 +158,8 @@ abstract class WP_REST_Meta_Fields { * @return bool|WP_Error True if meta field is deleted, WP_Error otherwise. */ protected function delete_meta_value( $object_id, $name ) { - if ( ! current_user_can( 'delete_post_meta', $object_id, $name ) ) { + $meta_type = $this->get_meta_type(); + if ( ! current_user_can( "delete_{$meta_type}_meta", $object_id, $name ) ) { return new WP_Error( 'rest_cannot_delete', sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ), @@ -167,7 +167,7 @@ abstract class WP_REST_Meta_Fields { ); } - if ( ! delete_metadata( $this->get_meta_type(), $object_id, wp_slash( $name ) ) ) { + if ( ! delete_metadata( $meta_type, $object_id, wp_slash( $name ) ) ) { return new WP_Error( 'rest_meta_database_error', __( 'Could not delete meta value from database.' ), @@ -192,7 +192,8 @@ abstract class WP_REST_Meta_Fields { * @return bool|WP_Error True if meta fields are updated, WP_Error otherwise. */ protected function update_multi_meta_value( $object_id, $name, $values ) { - if ( ! current_user_can( 'edit_post_meta', $object_id, $name ) ) { + $meta_type = $this->get_meta_type(); + if ( ! current_user_can( "edit_{$meta_type}_meta", $object_id, $name ) ) { return new WP_Error( 'rest_cannot_update', sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ), @@ -200,7 +201,7 @@ abstract class WP_REST_Meta_Fields { ); } - $current = get_metadata( $this->get_meta_type(), $object_id, $name, false ); + $current = get_metadata( $meta_type, $object_id, $name, false ); $to_remove = $current; $to_add = $values; @@ -227,7 +228,7 @@ abstract class WP_REST_Meta_Fields { $to_remove = array_unique( $to_remove ); foreach ( $to_remove as $value ) { - if ( ! delete_metadata( $this->get_meta_type(), $object_id, wp_slash( $name ), wp_slash( $value ) ) ) { + if ( ! delete_metadata( $meta_type, $object_id, wp_slash( $name ), wp_slash( $value ) ) ) { return new WP_Error( 'rest_meta_database_error', __( 'Could not update meta value in database.' ), @@ -237,7 +238,7 @@ abstract class WP_REST_Meta_Fields { } foreach ( $to_add as $value ) { - if ( ! add_metadata( $this->get_meta_type(), $object_id, wp_slash( $name ), wp_slash( $value ) ) ) { + if ( ! add_metadata( $meta_type, $object_id, wp_slash( $name ), wp_slash( $value ) ) ) { return new WP_Error( 'rest_meta_database_error', __( 'Could not update meta value in database.' ), @@ -261,7 +262,8 @@ abstract class WP_REST_Meta_Fields { * @return bool|WP_Error True if the meta field was updated, WP_Error otherwise. */ protected function update_meta_value( $object_id, $name, $value ) { - if ( ! current_user_can( 'edit_post_meta', $object_id, $name ) ) { + $meta_type = $this->get_meta_type(); + if ( ! current_user_can( "edit_{$meta_type}_meta", $object_id, $name ) ) { return new WP_Error( 'rest_cannot_update', sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ), @@ -269,7 +271,6 @@ abstract class WP_REST_Meta_Fields { ); } - $meta_type = $this->get_meta_type(); $meta_key = wp_slash( $name ); $meta_value = wp_slash( $value ); diff --git a/wp-includes/version.php b/wp-includes/version.php index c1ddb9a0b0..b765002f40 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.7-beta2-39178'; +$wp_version = '4.7-beta2-39179'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.