Roles/Capabilities: Add meta-caps for comment, term, and user meta.

Additionally, use these meta-caps in the REST API endpoints.

Previously, register_meta()'s auth_callback had no effect for non-post meta. This introduces `{add,edit,delete}_{comment,term,user}_meta` meta-caps to match the existing post meta capabilities. These are currently only used in the REST API.

Props tharsheblows, boonebgorges.
Fixes #38303, fixes #38412.

Built from https://develop.svn.wordpress.org/trunk@39179


git-svn-id: http://core.svn.wordpress.org/trunk@39119 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Ryan McCue 2016-11-09 03:42:30 +00:00
parent 054d2c2565
commit 3a449ea543
4 changed files with 74 additions and 52 deletions

View File

@ -242,56 +242,77 @@ function map_meta_cap( $cap, $user_id ) {
case 'edit_post_meta':
case 'delete_post_meta':
case 'add_post_meta':
$post = get_post( $args[0] );
case 'edit_comment_meta':
case 'delete_comment_meta':
case 'add_comment_meta':
case 'edit_term_meta':
case 'delete_term_meta':
case 'add_term_meta':
case 'edit_user_meta':
case 'delete_user_meta':
case 'add_user_meta':
list( $_, $object_type, $_ ) = explode( '_', $cap );
$object_id = (int) $args[0];
switch ( $object_type ) {
case 'post':
$post = get_post( $object_id );
if ( ! $post ) {
break;
}
$sub_type = get_post_type( $post );
break;
case 'comment':
$comment = get_comment( $object_id );
if ( ! $comment ) {
break;
}
$sub_type = empty( $comment->comment_type ) ? 'comment' : $comment->comment_type;
break;
case 'term':
$term = get_term( $object_id );
if ( ! $term ) {
break;
}
$sub_type = $term->taxonomy;
break;
case 'user':
$user = get_user_by( 'id', $object_id );
if ( ! $user ) {
break;
}
$sub_type = 'user';
break;
}
if ( empty( $sub_type ) ) {
$caps[] = 'do_not_allow';
break;
}
$post_type = get_post_type( $post );
$caps = map_meta_cap( 'edit_post', $user_id, $post->ID );
$caps = map_meta_cap( "edit_{$object_type}", $user_id, $object_id );
$meta_key = isset( $args[1] ) ? $args[1] : false;
if ( $meta_key && ( has_filter( "auth_post_meta_{$meta_key}" ) || has_filter( "auth_post_{$post_type}_meta_{$meta_key}" ) ) ) {
/**
* Filters whether the user is allowed to add post meta to a post.
*
* The dynamic portion of the hook name, `$meta_key`, refers to the
* meta key passed to map_meta_cap().
*
* @since 3.3.0
*
* @param bool $allowed Whether the user can add the post meta. Default false.
* @param string $meta_key The meta key.
* @param int $post_id Post ID.
* @param int $user_id User ID.
* @param string $cap Capability name.
* @param array $caps User capabilities.
*/
$allowed = apply_filters( "auth_post_meta_{$meta_key}", false, $meta_key, $post->ID, $user_id, $cap, $caps );
$has_filter = has_filter( "auth_{$object_type}_meta_{$meta_key}" ) || has_filter( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}" );
if ( $meta_key && $has_filter ) {
/** This filter is documented in wp-includes/meta.php */
$allowed = apply_filters( "auth_{$object_type}_meta_{$meta_key}", false, $meta_key, $object_id, $user_id, $cap, $caps );
/**
* Filters whether the user is allowed to add post meta to a post of a given type.
*
* The dynamic portions of the hook name, `$meta_key` and `$post_type`,
* refer to the meta key passed to map_meta_cap() and the post type, respectively.
*
* @since 4.6.0
*
* @param bool $allowed Whether the user can add the post meta. Default false.
* @param string $meta_key The meta key.
* @param int $post_id Post ID.
* @param int $user_id User ID.
* @param string $cap Capability name.
* @param array $caps User capabilities.
*/
$allowed = apply_filters( "auth_post_{$post_type}_meta_{$meta_key}", $allowed, $meta_key, $post->ID, $user_id, $cap, $caps );
/** This filter is documented in wp-includes/meta.php */
$allowed = apply_filters( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}", $allowed, $meta_key, $object_id, $user_id, $cap, $caps );
if ( ! $allowed )
if ( ! $allowed ) {
$caps[] = $cap;
} elseif ( $meta_key && is_protected_meta( $meta_key, 'post' ) ) {
}
} elseif ( $meta_key && is_protected_meta( $meta_key, $object_type ) ) {
$caps[] = $cap;
}
break;

View File

@ -631,7 +631,7 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
if ( ! $change ) {
return new WP_Error( 'rest_comment_failed_edit', __( 'Updating comment status failed.' ), array( 'status' => 500 ) );
}
} else {
} elseif ( ! empty( $prepared_args ) ) {
if ( is_wp_error( $prepared_args ) ) {
return $prepared_args;
}

View File

@ -122,7 +122,6 @@ abstract class WP_REST_Meta_Fields {
*/
public function update_value( $request, $object_id ) {
$fields = $this->get_registered_fields();
foreach ( $fields as $name => $args ) {
if ( ! array_key_exists( $name, $request ) ) {
continue;
@ -159,7 +158,8 @@ abstract class WP_REST_Meta_Fields {
* @return bool|WP_Error True if meta field is deleted, WP_Error otherwise.
*/
protected function delete_meta_value( $object_id, $name ) {
if ( ! current_user_can( 'delete_post_meta', $object_id, $name ) ) {
$meta_type = $this->get_meta_type();
if ( ! current_user_can( "delete_{$meta_type}_meta", $object_id, $name ) ) {
return new WP_Error(
'rest_cannot_delete',
sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ),
@ -167,7 +167,7 @@ abstract class WP_REST_Meta_Fields {
);
}
if ( ! delete_metadata( $this->get_meta_type(), $object_id, wp_slash( $name ) ) ) {
if ( ! delete_metadata( $meta_type, $object_id, wp_slash( $name ) ) ) {
return new WP_Error(
'rest_meta_database_error',
__( 'Could not delete meta value from database.' ),
@ -192,7 +192,8 @@ abstract class WP_REST_Meta_Fields {
* @return bool|WP_Error True if meta fields are updated, WP_Error otherwise.
*/
protected function update_multi_meta_value( $object_id, $name, $values ) {
if ( ! current_user_can( 'edit_post_meta', $object_id, $name ) ) {
$meta_type = $this->get_meta_type();
if ( ! current_user_can( "edit_{$meta_type}_meta", $object_id, $name ) ) {
return new WP_Error(
'rest_cannot_update',
sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ),
@ -200,7 +201,7 @@ abstract class WP_REST_Meta_Fields {
);
}
$current = get_metadata( $this->get_meta_type(), $object_id, $name, false );
$current = get_metadata( $meta_type, $object_id, $name, false );
$to_remove = $current;
$to_add = $values;
@ -227,7 +228,7 @@ abstract class WP_REST_Meta_Fields {
$to_remove = array_unique( $to_remove );
foreach ( $to_remove as $value ) {
if ( ! delete_metadata( $this->get_meta_type(), $object_id, wp_slash( $name ), wp_slash( $value ) ) ) {
if ( ! delete_metadata( $meta_type, $object_id, wp_slash( $name ), wp_slash( $value ) ) ) {
return new WP_Error(
'rest_meta_database_error',
__( 'Could not update meta value in database.' ),
@ -237,7 +238,7 @@ abstract class WP_REST_Meta_Fields {
}
foreach ( $to_add as $value ) {
if ( ! add_metadata( $this->get_meta_type(), $object_id, wp_slash( $name ), wp_slash( $value ) ) ) {
if ( ! add_metadata( $meta_type, $object_id, wp_slash( $name ), wp_slash( $value ) ) ) {
return new WP_Error(
'rest_meta_database_error',
__( 'Could not update meta value in database.' ),
@ -261,7 +262,8 @@ abstract class WP_REST_Meta_Fields {
* @return bool|WP_Error True if the meta field was updated, WP_Error otherwise.
*/
protected function update_meta_value( $object_id, $name, $value ) {
if ( ! current_user_can( 'edit_post_meta', $object_id, $name ) ) {
$meta_type = $this->get_meta_type();
if ( ! current_user_can( "edit_{$meta_type}_meta", $object_id, $name ) ) {
return new WP_Error(
'rest_cannot_update',
sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ),
@ -269,7 +271,6 @@ abstract class WP_REST_Meta_Fields {
);
}
$meta_type = $this->get_meta_type();
$meta_key = wp_slash( $name );
$meta_value = wp_slash( $value );

View File

@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '4.7-beta2-39178';
$wp_version = '4.7-beta2-39179';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.