Allow customizing capabilities for custom post types. Always check caps against those in the post type object instead of contructing them manually. see #9674

git-svn-id: http://svn.automattic.com/wordpress/trunk@12927 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
ryan 2010-02-02 17:37:03 +00:00
parent 998704b8d7
commit 5922f7e2c4
6 changed files with 64 additions and 49 deletions

View File

@ -85,7 +85,6 @@ if ( 0 == $post_ID ) {
}
$post_type_object = get_post_type_object($post_type);
$post_type_cap = $post_type_object->capability_type;
// All meta boxes should be defined and added before the first do_meta_boxes() call (or potentially during the do_meta_boxes action).
require_once('includes/meta-boxes.php');
@ -128,7 +127,7 @@ if ( post_type_supports($post_type, 'comments') )
if ( ('publish' == $post->post_status || 'private' == $post->post_status) && post_type_supports($post_type, 'comments') )
add_meta_box('commentsdiv', __('Comments'), 'post_comment_meta_box', $post_type, 'normal', 'core');
if ( !( 'pending' == $post->post_status && !current_user_can( 'publish_posts' ) ) )
if ( !( 'pending' == $post->post_status && !current_user_can( $post_type_object->publish_cap ) ) )
add_meta_box('slugdiv', __('Slug'), 'post_slug_meta_box', $post_type, 'normal', 'core');
$authors = get_editable_user_ids( $current_user->id ); // TODO: ROLE SYSTEM
@ -192,7 +191,7 @@ $side_meta_boxes = do_meta_boxes($post_type, 'side', $post);
<div class="inside">
<?php
$sample_permalink_html = get_sample_permalink_html($post->ID);
if ( !( 'pending' == $post->post_status && !current_user_can( 'publish_' . $post_type_cap . 's' ) ) ) { ?>
if ( !( 'pending' == $post->post_status && !current_user_can( $post_type_object->publish_cap ) ) ) { ?>
<div id="edit-slug-box">
<?php
if ( ! empty($post->ID) && ! empty($sample_permalink_html) ) :

View File

@ -27,7 +27,6 @@ else
$_GET['post_type'] = $post_type;
$post_type_object = get_post_type_object($post_type);
$post_type_cap = $post_type_object->capability_type;
if ( 'post' != $post_type ) {
$parent_file = "edit.php?post_type=$post_type";
@ -72,7 +71,7 @@ if ( isset($_GET['doaction']) || isset($_GET['doaction2']) || isset($_GET['delet
case 'trash':
$trashed = 0;
foreach( (array) $post_ids as $post_id ) {
if ( !current_user_can('delete_' . $post_type_cap, $post_id) )
if ( !current_user_can($post_type_object->delete_cap, $post_id) )
wp_die( __('You are not allowed to move this item to the trash.') );
if ( !wp_trash_post($post_id) )
@ -85,7 +84,7 @@ if ( isset($_GET['doaction']) || isset($_GET['doaction2']) || isset($_GET['delet
case 'untrash':
$untrashed = 0;
foreach( (array) $post_ids as $post_id ) {
if ( !current_user_can('delete_' . $post_type_cap, $post_id) )
if ( !current_user_can($post_type_object->delete_cap, $post_id) )
wp_die( __('You are not allowed to restore this item from the trash.') );
if ( !wp_untrash_post($post_id) )
@ -100,7 +99,7 @@ if ( isset($_GET['doaction']) || isset($_GET['doaction2']) || isset($_GET['delet
foreach( (array) $post_ids as $post_id ) {
$post_del = & get_post($post_id);
if ( !current_user_can('delete_' . $post_type_cap, $post_id) )
if ( !current_user_can($post_type_object->delete_cap, $post_id) )
wp_die( __('You are not allowed to delete this item.') );
if ( $post_del->post_type == 'attachment' ) {
@ -141,7 +140,7 @@ $title = sprintf(__('Edit %s'), $post_type_object->label);
wp_enqueue_script('inline-edit-post');
$user_posts = false;
if ( !current_user_can('edit_others_' . $post_type_cap . 's') ) {
if ( !current_user_can($post_type_object->edit_others_cap) ) {
$user_posts_count = $wpdb->get_var( $wpdb->prepare("SELECT COUNT(1) FROM $wpdb->posts WHERE post_type = '%s' AND post_status != 'trash' AND post_author = %d", $post_type, $current_user->ID) );
$user_posts = true;
if ( $user_posts_count && empty($_GET['post_status']) && empty($_GET['all_posts']) && empty($_GET['author']) )
@ -341,7 +340,7 @@ if ( is_object_in_taxonomy($post_type, 'category') ) {
<input type="submit" id="post-query-submit" value="<?php esc_attr_e('Filter'); ?>" class="button-secondary" />
<?php }
if ( $is_trash && current_user_can('edit_others_' . $post_type_cap .'s') ) { ?>
if ( $is_trash && current_user_can($post_type_object->edit_others_cap) ) { ?>
<input type="submit" name="delete_all" id="delete_all" value="<?php esc_attr_e('Empty Trash'); ?>" class="button-secondary apply" />
<?php } ?>
</div>
@ -388,7 +387,7 @@ if ( $page_links )
<?php } ?>
</select>
<input type="submit" value="<?php esc_attr_e('Apply'); ?>" name="doaction2" id="doaction2" class="button-secondary action" />
<?php if ( $is_trash && current_user_can('edit_others_' . $post_type_cap . 's') ) { ?>
<?php if ( $is_trash && current_user_can($post_type_object->edit_others_cap) ) { ?>
<input type="submit" name="delete_all2" id="delete_all2" value="<?php esc_attr_e('Empty Trash'); ?>" class="button-secondary apply" />
<?php } ?>
<br class="clear" />

View File

@ -1128,7 +1128,7 @@ function inline_edit_row( $screen ) {
$col_count = count($columns) - count($hidden);
$m = ( isset($mode) && 'excerpt' == $mode ) ? 'excerpt' : 'list';
// @todo use capability_type
$can_publish = current_user_can("publish_{$screen->post_type}s");
$can_publish = current_user_can($post_type_object->publish_cap);
$core_columns = array( 'cb' => true, 'date' => true, 'title' => true, 'categories' => true, 'tags' => true, 'comments' => true, 'author' => true );
?>
@ -1335,7 +1335,7 @@ function inline_edit_row( $screen ) {
</select>
</label>
<?php if ( 'post' == $screen->post_type && $can_publish && current_user_can( 'edit_others_posts' ) ) : ?>
<?php if ( 'post' == $screen->post_type && $can_publish && current_user_can( $post_type_object->edit_others_cap ) ) : ?>
<?php if ( $bulk ) : ?>
@ -1357,7 +1357,7 @@ function inline_edit_row( $screen ) {
<?php endif; // $bulk ?>
<?php endif; // !$is_page && $can_publish && current_user_can( 'edit_others_posts' ) ?>
<?php endif; // !$is_page && $can_publish && current_user_can( 'edit_others_cap' ) ?>
</div>
@ -1404,8 +1404,8 @@ function inline_edit_row( $screen ) {
* @param unknown_type $post
*/
function get_inline_data($post) {
if ( ! current_user_can('edit_' . $post->post_type, $post->ID) )
$post_type_object = get_post_type_object($post->post_type);
if ( ! current_user_can($post_type_object->edit_cap, $post->ID) )
return;
$title = esc_attr($post->post_title);
@ -1426,17 +1426,23 @@ function get_inline_data($post) {
<div class="ss">' . mysql2date( 's', $post->post_date, false ) . '</div>
<div class="post_password">' . esc_html( $post->post_password ) . '</div>';
if ( $post_type_object->hierarchical )
echo '<div class="post_parent">' . $post->post_parent . '</div>';
if ( $post->post_type == 'page' )
echo '
<div class="post_parent">' . $post->post_parent . '</div>
<div class="page_template">' . esc_html( get_post_meta( $post->ID, '_wp_page_template', true ) ) . '</div>
<div class="menu_order">' . $post->menu_order . '</div>';
echo '<div class="page_template">' . esc_html( get_post_meta( $post->ID, '_wp_page_template', true ) ) . '</div>';
if ( $post_type_object->hierarchical )
echo '<div class="menu_order">' . $post->menu_order . '</div>';
if ( is_object_in_taxonomy($post->post_type, 'post_tag') )
echo '<div class="tags_input">' . esc_html( str_replace( ',', ', ', get_tags_to_edit($post->ID) ) ) . '</div>';
if ( is_object_in_taxonomy($post->post_type, 'post_tag') )
echo '<div class="post_category">' . implode( ',', wp_get_post_categories( $post->ID ) ) . '</div>';
if ( $post->post_type == 'post' )
echo '
<div class="tags_input">' . esc_html( str_replace( ',', ', ', get_tags_to_edit($post->ID) ) ) . '</div>
<div class="post_category">' . implode( ',', wp_get_post_categories( $post->ID ) ) . '</div>
<div class="sticky">' . (is_sticky($post->ID) ? 'sticky' : '') . '</div>';
echo '<div class="sticky">' . (is_sticky($post->ID) ? 'sticky' : '') . '</div>';
echo '</div>';
}
@ -1495,6 +1501,7 @@ function _post_row($a_post, $pending_comments, $mode) {
$post_owner = ( $current_user->ID == $post->post_author ? 'self' : 'other' );
$edit_link = get_edit_post_link( $post->ID );
$title = _draft_or_post_title();
$post_type_object = get_post_type_object($post->post_type);
?>
<tr id='post-<?php echo $post->ID; ?>' class='<?php echo trim( $rowclass . ' author-' . $post_owner . ' status-' . $post->post_status ); ?> iedit' valign="top">
<?php
@ -1513,7 +1520,7 @@ function _post_row($a_post, $pending_comments, $mode) {
case 'cb':
?>
<th scope="row" class="check-column"><?php if ( current_user_can( 'edit_post', $post->ID ) ) { ?><input type="checkbox" name="post[]" value="<?php the_ID(); ?>" /><?php } ?></th>
<th scope="row" class="check-column"><?php if ( current_user_can( $post_type_object->edit_cap, $post->ID ) ) { ?><input type="checkbox" name="post[]" value="<?php the_ID(); ?>" /><?php } ?></th>
<?php
break;
@ -1556,17 +1563,17 @@ function _post_row($a_post, $pending_comments, $mode) {
case 'title':
$attributes = 'class="post-title column-title"' . $style;
?>
<td <?php echo $attributes ?>><strong><?php if ( current_user_can('edit_post', $post->ID) && $post->post_status != 'trash' ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $title)); ?>"><?php echo $title ?></a><?php } else { echo $title; }; _post_states($post); ?></strong>
<td <?php echo $attributes ?>><strong><?php if ( current_user_can($post_type_object->edit_cap, $post->ID) && $post->post_status != 'trash' ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $title)); ?>"><?php echo $title ?></a><?php } else { echo $title; }; _post_states($post); ?></strong>
<?php
if ( 'excerpt' == $mode )
the_excerpt();
$actions = array();
if ( current_user_can('edit_post', $post->ID) && 'trash' != $post->post_status ) {
if ( current_user_can($post_type_object->edit_cap, $post->ID) && 'trash' != $post->post_status ) {
$actions['edit'] = '<a href="' . get_edit_post_link($post->ID, true) . '" title="' . esc_attr(__('Edit this post')) . '">' . __('Edit') . '</a>';
$actions['inline hide-if-no-js'] = '<a href="#" class="editinline" title="' . esc_attr(__('Edit this post inline')) . '">' . __('Quick&nbsp;Edit') . '</a>';
}
if ( current_user_can('delete_post', $post->ID) ) {
if ( current_user_can($post_type_object->delete_cap, $post->ID) ) {
if ( 'trash' == $post->post_status )
$actions['untrash'] = "<a title='" . esc_attr(__('Restore this post from the Trash')) . "' href='" . wp_nonce_url("post.php?action=untrash&amp;post=$post->ID", 'untrash-post_' . $post->ID) . "'>" . __('Restore') . "</a>";
elseif ( EMPTY_TRASH_DAYS )
@ -1575,7 +1582,7 @@ function _post_row($a_post, $pending_comments, $mode) {
$actions['delete'] = "<a class='submitdelete' title='" . esc_attr(__('Delete this post permanently')) . "' href='" . wp_nonce_url("post.php?action=delete&amp;post=$post->ID", 'delete-post_' . $post->ID) . "'>" . __('Delete Permanently') . "</a>";
}
if ( in_array($post->post_status, array('pending', 'draft')) ) {
if ( current_user_can('edit_post', $post->ID) )
if ( current_user_can($post_type_object->edit_cap, $post->ID) )
$actions['view'] = '<a href="' . get_permalink($post->ID) . '" title="' . esc_attr(sprintf(__('Preview &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('Preview') . '</a>';
} elseif ( 'trash' != $post->post_status ) {
$actions['view'] = '<a href="' . get_permalink($post->ID) . '" title="' . esc_attr(sprintf(__('View &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('View') . '</a>';
@ -1658,13 +1665,13 @@ function _post_row($a_post, $pending_comments, $mode) {
case 'control_edit':
?>
<td><?php if ( current_user_can('edit_post', $post->ID) ) { echo "<a href='$edit_link' class='edit'>" . __('Edit') . "</a>"; } ?></td>
<td><?php if ( current_user_can($post_type_object->edit_cap, $post->ID) ) { echo "<a href='$edit_link' class='edit'>" . __('Edit') . "</a>"; } ?></td>
<?php
break;
case 'control_delete':
?>
<td><?php if ( current_user_can('delete_post', $post->ID) ) { echo "<a href='" . wp_nonce_url("post.php?action=delete&amp;post=$id", 'delete-post_' . $post->ID) . "' class='delete'>" . __('Delete') . "</a>"; } ?></td>
<td><?php if ( current_user_can($post_type_object->delete_cap, $post->ID) ) { echo "<a href='" . wp_nonce_url("post.php?action=delete&amp;post=$id", 'delete-post_' . $post->ID) . "' class='delete'>" . __('Delete') . "</a>"; } ?></td>
<?php
break;
@ -1725,11 +1732,12 @@ function display_page_row( $page, $level = 0 ) {
$hidden = get_hidden_columns( $current_screen );
$title = _draft_or_post_title();
$post_type = $page->post_type;
$post_type_object = get_post_type_object($post_type);
?>
<tr id="page-<?php echo $id; ?>" class="<?php echo $rowclass; ?> iedit">
<?php
foreach ($posts_columns as $column_name=>$column_display_name) {
foreach ( $posts_columns as $column_name => $column_display_name ) {
$class = "class=\"$column_name column-$column_name\"";
$style = '';
@ -1780,14 +1788,14 @@ foreach ($posts_columns as $column_name=>$column_display_name) {
$attributes = 'class="post-title page-title column-title"' . $style;
$edit_link = get_edit_post_link( $page->ID );
?>
<td <?php echo $attributes ?>><strong><?php if ( current_user_can('edit_page', $page->ID) && $post->post_status != 'trash' ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $title)); ?>"><?php echo $pad; echo $title ?></a><?php } else { echo $pad; echo $title; }; _post_states($page); echo isset($parent_name) ? ' | ' . __('Parent Page: ') . esc_html($parent_name) : ''; ?></strong>
<td <?php echo $attributes ?>><strong><?php if ( current_user_can($post_type_object->edit_cap, $page->ID) && $post->post_status != 'trash' ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $title)); ?>"><?php echo $pad; echo $title ?></a><?php } else { echo $pad; echo $title; }; _post_states($page); echo isset($parent_name) ? ' | ' . __('Parent Page: ') . esc_html($parent_name) : ''; ?></strong>
<?php
$actions = array();
if ( current_user_can('edit_page', $page->ID) && $post->post_status != 'trash' ) {
if ( current_user_can($post_type_object->edit_cap, $page->ID) && $post->post_status != 'trash' ) {
$actions['edit'] = '<a href="' . $edit_link . '" title="' . esc_attr(__('Edit this page')) . '">' . __('Edit') . '</a>';
$actions['inline'] = '<a href="#" class="editinline">' . __('Quick&nbsp;Edit') . '</a>';
}
if ( current_user_can('delete_page', $page->ID) ) {
if ( current_user_can($post_type_object->delete_cap, $page->ID) ) {
if ( $post->post_status == 'trash' )
$actions['untrash'] = "<a title='" . esc_attr(__('Remove this page from the Trash')) . "' href='" . wp_nonce_url("post.php?post_type=$post_type&amp;action=untrash&amp;post=$page->ID", 'untrash-page_' . $page->ID) . "'>" . __('Restore') . "</a>";
elseif ( EMPTY_TRASH_DAYS )
@ -1796,7 +1804,7 @@ foreach ($posts_columns as $column_name=>$column_display_name) {
$actions['delete'] = "<a class='submitdelete' title='" . esc_attr(__('Delete this page permanently')) . "' href='" . wp_nonce_url("post.php?post_type=$post_type&amp;action=delete&amp;post=$page->ID", 'delete-page_' . $page->ID) . "'>" . __('Delete Permanently') . "</a>";
}
if ( in_array($post->post_status, array('pending', 'draft')) ) {
if ( current_user_can('edit_page', $page->ID) )
if ( current_user_can($post_type_object->edit_cap, $page->ID) )
$actions['view'] = '<a href="' . get_permalink($page->ID) . '" title="' . esc_attr(sprintf(__('Preview &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('Preview') . '</a>';
} elseif ( $post->post_status != 'trash' ) {
$actions['view'] = '<a href="' . get_permalink($page->ID) . '" title="' . esc_attr(sprintf(__('View &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('View') . '</a>';
@ -2214,7 +2222,8 @@ function _wp_comment_row( $comment_id, $mode, $comment_status, $checkbox = true,
$comment = get_comment( $comment_id );
$post = get_post($comment->comment_post_ID);
$the_comment_status = wp_get_comment_status($comment->comment_ID);
$user_can = current_user_can('edit_post', $post->ID);
$post_type_object = get_post_type_object($post->post_type);
$user_can = current_user_can($post_type_object->edit_cap, $post->ID);
$author_url = get_comment_author_url();
if ( 'http://' == $author_url )

View File

@ -49,7 +49,7 @@ When you&#8217;re promoted, just reload this page and you&#8217;ll be able to bl
}
// Show post form.
if ( current_user_can('edit_' . $post_type_object->capability_type . 's') ) {
if ( current_user_can($post_type_object->edit_type_cap) ) {
$post = get_default_post_to_edit( $post_type );
include('edit-form-advanced.php');
}

View File

@ -25,7 +25,6 @@ else
$post_ID = $post_id;
$post = null;
$post_type_object = null;
$post_type_cap = null;
$post_type = null;
if ( $post_id ) {
$post = get_post($post_id);
@ -35,7 +34,6 @@ if ( $post_id ) {
$post_type = $post->post_type;
$current_screen->post_type = $post->post_type;
$current_screen->id = $current_screen->post_type;
$post_type_cap = $post_type_object->capability_type;
}
}
} elseif ( isset($_POST['post_type']) ) {
@ -44,7 +42,6 @@ if ( $post_id ) {
$post_type = $post_type_object->name;
$current_screen->post_type = $post_type;
$current_screen->id = $current_screen->post_type;
$post_type_cap = $post_type_object->capability_type;
}
}
@ -233,7 +230,7 @@ case 'trash':
$post = & get_post($post_id);
if ( !current_user_can('delete_' . $post_type_cap, $post_id) )
if ( !current_user_can($post_type_object->delete_cap, $post_id) )
wp_die( __('You are not allowed to move this item to the trash.') );
if ( ! wp_trash_post($post_id) )
@ -246,7 +243,7 @@ case 'trash':
case 'untrash':
check_admin_referer('untrash-' . $post_type . '_' . $post_id);
if ( !current_user_can('delete_' . $post_type_cap, $post_id) )
if ( !current_user_can($post_type_object->delete_cap, $post_id) )
wp_die( __('You are not allowed to move this item out of the trash.') );
if ( ! wp_untrash_post($post_id) )
@ -259,7 +256,7 @@ case 'untrash':
case 'delete':
check_admin_referer('delete-' . $post_type . '_' . $post_id);
if ( !current_user_can('delete_' . $post_type_cap, $post_id) )
if ( !current_user_can($post_type_object->delete_cap, $post_id) )
wp_die( __('You are not allowed to delete this item.') );
$force = !EMPTY_TRASH_DAYS;

View File

@ -700,6 +700,12 @@ function get_post_types( $args = array(), $output = 'names' ) {
* publicly_queryable - Whether post_type queries can be performed from the front page. Defaults to whatever public is set as.
* inherit_type - The post type from which to inherit the edit link and capability type. Defaults to none.
* capability_type - The post type to use for checking read, edit, and delete capabilities. Defaults to "post".
* edit_cap - The capability that controls editing a particular object of this post type. Defaults to "edit_$capability_type" (edit_post).
* edit_type_cap - The capability that controls editing objects of this post type as a class. Defaults to "edit_ . $capability_type . s" (edit_posts).
* edit_others_cap - The capability that controls editing objects of this post type that are owned by other users. Defaults to "edit_others_ . $capability_type . s" (edit_others_posts).
* edit_others_cap - The capability that controls publishing objects of this post type. Defaults to "publish_ . $capability_type . s" (publish_posts).
* read_cap - The capability that controls reading a particular object of this post type. Defaults to "read_$capability_type" (read_post).
* delete_cap - The capability that controls deleting a particular object of this post type. Defaults to "delete_$capability_type" (delete_post).
* hierarchical - Whether the post type is hierarchical. Defaults to false.
* supports - An alias for calling add_post_type_support() directly. See add_post_type_support() for Documentation. Defaults to none.
*
@ -736,15 +742,20 @@ function register_post_type($post_type, $args = array()) {
if ( false === $args->label )
$args->label = $post_type;
if ( empty($args->capability_type) ) {
$args->edit_cap = '';
$args->read_cap = '';
$args->delete_cap = '';
} else {
if ( empty($args->capability_type) )
$args->capability_type = 'post';
if ( empty($args->edit_cap) )
$args->edit_cap = 'edit_' . $args->capability_type;
if ( empty($args->edit_type_cap) )
$args->edit_type_cap = 'edit_' . $args->capability_type . 's';
if ( empty($args->edit_others_cap) )
$args->edit_others_cap = 'edit_others_' . $args->capability_type . 's';
if ( empty($args->publish_cap) )
$args->publish_cap = 'publish_' . $args->capability_type . 's';
if ( empty($args->read_cap) )
$args->read_cap = 'read_' . $args->capability_type;
if ( empty($args->delete_cap) )
$args->delete_cap = 'delete_' . $args->capability_type;
}
if ( !$args->_builtin && $args->public )
$args->_show = true;