Roles/Capabilities: Add meta-caps for comment, term, and user meta.
Additionally, use these meta-caps in the REST API endpoints. Previously, register_meta()'s auth_callback had no effect for non-post meta. This introduces `{add,edit,delete}_{comment,term,user}_meta` meta-caps to match the existing post meta capabilities. These are currently only used in the REST API. Props tharsheblows, boonebgorges. Fixes #38303, fixes #38412. Built from https://develop.svn.wordpress.org/trunk@39179 git-svn-id: http://core.svn.wordpress.org/trunk@39119 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
054d2c2565
commit
3a449ea543
|
@ -242,56 +242,77 @@ function map_meta_cap( $cap, $user_id ) {
|
||||||
case 'edit_post_meta':
|
case 'edit_post_meta':
|
||||||
case 'delete_post_meta':
|
case 'delete_post_meta':
|
||||||
case 'add_post_meta':
|
case 'add_post_meta':
|
||||||
$post = get_post( $args[0] );
|
case 'edit_comment_meta':
|
||||||
|
case 'delete_comment_meta':
|
||||||
|
case 'add_comment_meta':
|
||||||
|
case 'edit_term_meta':
|
||||||
|
case 'delete_term_meta':
|
||||||
|
case 'add_term_meta':
|
||||||
|
case 'edit_user_meta':
|
||||||
|
case 'delete_user_meta':
|
||||||
|
case 'add_user_meta':
|
||||||
|
list( $_, $object_type, $_ ) = explode( '_', $cap );
|
||||||
|
$object_id = (int) $args[0];
|
||||||
|
|
||||||
|
switch ( $object_type ) {
|
||||||
|
case 'post':
|
||||||
|
$post = get_post( $object_id );
|
||||||
if ( ! $post ) {
|
if ( ! $post ) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
$sub_type = get_post_type( $post );
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'comment':
|
||||||
|
$comment = get_comment( $object_id );
|
||||||
|
if ( ! $comment ) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
$sub_type = empty( $comment->comment_type ) ? 'comment' : $comment->comment_type;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'term':
|
||||||
|
$term = get_term( $object_id );
|
||||||
|
if ( ! $term ) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
$sub_type = $term->taxonomy;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'user':
|
||||||
|
$user = get_user_by( 'id', $object_id );
|
||||||
|
if ( ! $user ) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
$sub_type = 'user';
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( empty( $sub_type ) ) {
|
||||||
$caps[] = 'do_not_allow';
|
$caps[] = 'do_not_allow';
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
$post_type = get_post_type( $post );
|
$caps = map_meta_cap( "edit_{$object_type}", $user_id, $object_id );
|
||||||
|
|
||||||
$caps = map_meta_cap( 'edit_post', $user_id, $post->ID );
|
|
||||||
|
|
||||||
$meta_key = isset( $args[1] ) ? $args[1] : false;
|
$meta_key = isset( $args[1] ) ? $args[1] : false;
|
||||||
|
|
||||||
if ( $meta_key && ( has_filter( "auth_post_meta_{$meta_key}" ) || has_filter( "auth_post_{$post_type}_meta_{$meta_key}" ) ) ) {
|
$has_filter = has_filter( "auth_{$object_type}_meta_{$meta_key}" ) || has_filter( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}" );
|
||||||
/**
|
if ( $meta_key && $has_filter ) {
|
||||||
* Filters whether the user is allowed to add post meta to a post.
|
/** This filter is documented in wp-includes/meta.php */
|
||||||
*
|
$allowed = apply_filters( "auth_{$object_type}_meta_{$meta_key}", false, $meta_key, $object_id, $user_id, $cap, $caps );
|
||||||
* The dynamic portion of the hook name, `$meta_key`, refers to the
|
|
||||||
* meta key passed to map_meta_cap().
|
|
||||||
*
|
|
||||||
* @since 3.3.0
|
|
||||||
*
|
|
||||||
* @param bool $allowed Whether the user can add the post meta. Default false.
|
|
||||||
* @param string $meta_key The meta key.
|
|
||||||
* @param int $post_id Post ID.
|
|
||||||
* @param int $user_id User ID.
|
|
||||||
* @param string $cap Capability name.
|
|
||||||
* @param array $caps User capabilities.
|
|
||||||
*/
|
|
||||||
$allowed = apply_filters( "auth_post_meta_{$meta_key}", false, $meta_key, $post->ID, $user_id, $cap, $caps );
|
|
||||||
|
|
||||||
/**
|
/** This filter is documented in wp-includes/meta.php */
|
||||||
* Filters whether the user is allowed to add post meta to a post of a given type.
|
$allowed = apply_filters( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}", $allowed, $meta_key, $object_id, $user_id, $cap, $caps );
|
||||||
*
|
|
||||||
* The dynamic portions of the hook name, `$meta_key` and `$post_type`,
|
|
||||||
* refer to the meta key passed to map_meta_cap() and the post type, respectively.
|
|
||||||
*
|
|
||||||
* @since 4.6.0
|
|
||||||
*
|
|
||||||
* @param bool $allowed Whether the user can add the post meta. Default false.
|
|
||||||
* @param string $meta_key The meta key.
|
|
||||||
* @param int $post_id Post ID.
|
|
||||||
* @param int $user_id User ID.
|
|
||||||
* @param string $cap Capability name.
|
|
||||||
* @param array $caps User capabilities.
|
|
||||||
*/
|
|
||||||
$allowed = apply_filters( "auth_post_{$post_type}_meta_{$meta_key}", $allowed, $meta_key, $post->ID, $user_id, $cap, $caps );
|
|
||||||
|
|
||||||
if ( ! $allowed )
|
if ( ! $allowed ) {
|
||||||
$caps[] = $cap;
|
$caps[] = $cap;
|
||||||
} elseif ( $meta_key && is_protected_meta( $meta_key, 'post' ) ) {
|
}
|
||||||
|
} elseif ( $meta_key && is_protected_meta( $meta_key, $object_type ) ) {
|
||||||
$caps[] = $cap;
|
$caps[] = $cap;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
|
@ -631,7 +631,7 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
|
||||||
if ( ! $change ) {
|
if ( ! $change ) {
|
||||||
return new WP_Error( 'rest_comment_failed_edit', __( 'Updating comment status failed.' ), array( 'status' => 500 ) );
|
return new WP_Error( 'rest_comment_failed_edit', __( 'Updating comment status failed.' ), array( 'status' => 500 ) );
|
||||||
}
|
}
|
||||||
} else {
|
} elseif ( ! empty( $prepared_args ) ) {
|
||||||
if ( is_wp_error( $prepared_args ) ) {
|
if ( is_wp_error( $prepared_args ) ) {
|
||||||
return $prepared_args;
|
return $prepared_args;
|
||||||
}
|
}
|
||||||
|
|
|
@ -122,7 +122,6 @@ abstract class WP_REST_Meta_Fields {
|
||||||
*/
|
*/
|
||||||
public function update_value( $request, $object_id ) {
|
public function update_value( $request, $object_id ) {
|
||||||
$fields = $this->get_registered_fields();
|
$fields = $this->get_registered_fields();
|
||||||
|
|
||||||
foreach ( $fields as $name => $args ) {
|
foreach ( $fields as $name => $args ) {
|
||||||
if ( ! array_key_exists( $name, $request ) ) {
|
if ( ! array_key_exists( $name, $request ) ) {
|
||||||
continue;
|
continue;
|
||||||
|
@ -159,7 +158,8 @@ abstract class WP_REST_Meta_Fields {
|
||||||
* @return bool|WP_Error True if meta field is deleted, WP_Error otherwise.
|
* @return bool|WP_Error True if meta field is deleted, WP_Error otherwise.
|
||||||
*/
|
*/
|
||||||
protected function delete_meta_value( $object_id, $name ) {
|
protected function delete_meta_value( $object_id, $name ) {
|
||||||
if ( ! current_user_can( 'delete_post_meta', $object_id, $name ) ) {
|
$meta_type = $this->get_meta_type();
|
||||||
|
if ( ! current_user_can( "delete_{$meta_type}_meta", $object_id, $name ) ) {
|
||||||
return new WP_Error(
|
return new WP_Error(
|
||||||
'rest_cannot_delete',
|
'rest_cannot_delete',
|
||||||
sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ),
|
sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ),
|
||||||
|
@ -167,7 +167,7 @@ abstract class WP_REST_Meta_Fields {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( ! delete_metadata( $this->get_meta_type(), $object_id, wp_slash( $name ) ) ) {
|
if ( ! delete_metadata( $meta_type, $object_id, wp_slash( $name ) ) ) {
|
||||||
return new WP_Error(
|
return new WP_Error(
|
||||||
'rest_meta_database_error',
|
'rest_meta_database_error',
|
||||||
__( 'Could not delete meta value from database.' ),
|
__( 'Could not delete meta value from database.' ),
|
||||||
|
@ -192,7 +192,8 @@ abstract class WP_REST_Meta_Fields {
|
||||||
* @return bool|WP_Error True if meta fields are updated, WP_Error otherwise.
|
* @return bool|WP_Error True if meta fields are updated, WP_Error otherwise.
|
||||||
*/
|
*/
|
||||||
protected function update_multi_meta_value( $object_id, $name, $values ) {
|
protected function update_multi_meta_value( $object_id, $name, $values ) {
|
||||||
if ( ! current_user_can( 'edit_post_meta', $object_id, $name ) ) {
|
$meta_type = $this->get_meta_type();
|
||||||
|
if ( ! current_user_can( "edit_{$meta_type}_meta", $object_id, $name ) ) {
|
||||||
return new WP_Error(
|
return new WP_Error(
|
||||||
'rest_cannot_update',
|
'rest_cannot_update',
|
||||||
sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ),
|
sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ),
|
||||||
|
@ -200,7 +201,7 @@ abstract class WP_REST_Meta_Fields {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
$current = get_metadata( $this->get_meta_type(), $object_id, $name, false );
|
$current = get_metadata( $meta_type, $object_id, $name, false );
|
||||||
|
|
||||||
$to_remove = $current;
|
$to_remove = $current;
|
||||||
$to_add = $values;
|
$to_add = $values;
|
||||||
|
@ -227,7 +228,7 @@ abstract class WP_REST_Meta_Fields {
|
||||||
$to_remove = array_unique( $to_remove );
|
$to_remove = array_unique( $to_remove );
|
||||||
|
|
||||||
foreach ( $to_remove as $value ) {
|
foreach ( $to_remove as $value ) {
|
||||||
if ( ! delete_metadata( $this->get_meta_type(), $object_id, wp_slash( $name ), wp_slash( $value ) ) ) {
|
if ( ! delete_metadata( $meta_type, $object_id, wp_slash( $name ), wp_slash( $value ) ) ) {
|
||||||
return new WP_Error(
|
return new WP_Error(
|
||||||
'rest_meta_database_error',
|
'rest_meta_database_error',
|
||||||
__( 'Could not update meta value in database.' ),
|
__( 'Could not update meta value in database.' ),
|
||||||
|
@ -237,7 +238,7 @@ abstract class WP_REST_Meta_Fields {
|
||||||
}
|
}
|
||||||
|
|
||||||
foreach ( $to_add as $value ) {
|
foreach ( $to_add as $value ) {
|
||||||
if ( ! add_metadata( $this->get_meta_type(), $object_id, wp_slash( $name ), wp_slash( $value ) ) ) {
|
if ( ! add_metadata( $meta_type, $object_id, wp_slash( $name ), wp_slash( $value ) ) ) {
|
||||||
return new WP_Error(
|
return new WP_Error(
|
||||||
'rest_meta_database_error',
|
'rest_meta_database_error',
|
||||||
__( 'Could not update meta value in database.' ),
|
__( 'Could not update meta value in database.' ),
|
||||||
|
@ -261,7 +262,8 @@ abstract class WP_REST_Meta_Fields {
|
||||||
* @return bool|WP_Error True if the meta field was updated, WP_Error otherwise.
|
* @return bool|WP_Error True if the meta field was updated, WP_Error otherwise.
|
||||||
*/
|
*/
|
||||||
protected function update_meta_value( $object_id, $name, $value ) {
|
protected function update_meta_value( $object_id, $name, $value ) {
|
||||||
if ( ! current_user_can( 'edit_post_meta', $object_id, $name ) ) {
|
$meta_type = $this->get_meta_type();
|
||||||
|
if ( ! current_user_can( "edit_{$meta_type}_meta", $object_id, $name ) ) {
|
||||||
return new WP_Error(
|
return new WP_Error(
|
||||||
'rest_cannot_update',
|
'rest_cannot_update',
|
||||||
sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ),
|
sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ),
|
||||||
|
@ -269,7 +271,6 @@ abstract class WP_REST_Meta_Fields {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
$meta_type = $this->get_meta_type();
|
|
||||||
$meta_key = wp_slash( $name );
|
$meta_key = wp_slash( $name );
|
||||||
$meta_value = wp_slash( $value );
|
$meta_value = wp_slash( $value );
|
||||||
|
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
*
|
*
|
||||||
* @global string $wp_version
|
* @global string $wp_version
|
||||||
*/
|
*/
|
||||||
$wp_version = '4.7-beta2-39178';
|
$wp_version = '4.7-beta2-39179';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||||
|
|
Loading…
Reference in New Issue