Taxonomy: Introduce more fine grained capabilities for managing taxonomy terms.

This introduces the singular `edit_term`, `delete_term`, and `assign_term` meta capabilities for terms, and switches the base capability name for tags from `manage_categories` to `manage_post_tags` and the corresponding `edit_post_tags`, `delete_post_tags`, and `assign_post_tags`.

All of these capabilities ultimately map to `manage_categories` so by default there is no change in the behaviour of the capabilities for categories, tags, or custom taxonomies. The `map_meta_cap` filter and the `capabilities` argument when registering a taxonomy now allow for control over editing, deleting, and assigning individual terms, as well as a separation of capabilities for tags from those of categories.

Fixes #35614
Props johnjamesjacoby for feedback

Built from https://develop.svn.wordpress.org/trunk@38698


git-svn-id: http://core.svn.wordpress.org/trunk@38641 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
John Blackbourn 2016-09-30 22:40:28 +00:00
parent 16674f715f
commit b84023ea33
11 changed files with 93 additions and 44 deletions

View File

@ -108,7 +108,7 @@ case 'delete':
$tag_ID = (int) $_REQUEST['tag_ID']; $tag_ID = (int) $_REQUEST['tag_ID'];
check_admin_referer( 'delete-tag_' . $tag_ID ); check_admin_referer( 'delete-tag_' . $tag_ID );
if ( ! current_user_can( $tax->cap->delete_terms ) ) { if ( ! current_user_can( 'delete_term', $tag_ID ) ) {
wp_die( wp_die(
'<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' . '<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
'<p>' . __( 'Sorry, you are not allowed to delete this item.' ) . '</p>', '<p>' . __( 'Sorry, you are not allowed to delete this item.' ) . '</p>',
@ -168,7 +168,7 @@ case 'editedtag':
$tag_ID = (int) $_POST['tag_ID']; $tag_ID = (int) $_POST['tag_ID'];
check_admin_referer( 'update-tag_' . $tag_ID ); check_admin_referer( 'update-tag_' . $tag_ID );
if ( ! current_user_can( $tax->cap->edit_terms ) ) { if ( ! current_user_can( 'edit_term', $tag_ID ) ) {
wp_die( wp_die(
'<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' . '<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
'<p>' . __( 'Sorry, you are not allowed to edit this item.' ) . '</p>', '<p>' . __( 'Sorry, you are not allowed to edit this item.' ) . '</p>',
@ -314,14 +314,6 @@ if ( 'category' == $taxonomy || 'link_category' == $taxonomy || 'post_tag' == $t
require_once( ABSPATH . 'wp-admin/admin-header.php' ); require_once( ABSPATH . 'wp-admin/admin-header.php' );
if ( ! current_user_can( $tax->cap->edit_terms ) ) {
wp_die(
'<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
'<p>' . __( 'Sorry, you are not allowed to edit this item.' ) . '</p>',
403
);
}
/** Also used by the Edit Tag form */ /** Also used by the Edit Tag form */
require_once( ABSPATH . 'wp-admin/includes/edit-tag-messages.php' ); require_once( ABSPATH . 'wp-admin/includes/edit-tag-messages.php' );

View File

@ -594,12 +594,11 @@ function wp_ajax_delete_tag() {
$tag_id = (int) $_POST['tag_ID']; $tag_id = (int) $_POST['tag_ID'];
check_ajax_referer( "delete-tag_$tag_id" ); check_ajax_referer( "delete-tag_$tag_id" );
$taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag'; if ( ! current_user_can( 'delete_term', $tag_id ) ) {
$tax = get_taxonomy($taxonomy);
if ( !current_user_can( $tax->cap->delete_terms ) )
wp_die( -1 ); wp_die( -1 );
}
$taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag';
$tag = get_term( $tag_id, $taxonomy ); $tag = get_term( $tag_id, $taxonomy );
if ( !$tag || is_wp_error( $tag ) ) if ( !$tag || is_wp_error( $tag ) )
wp_die( 1 ); wp_die( 1 );
@ -796,8 +795,10 @@ function wp_ajax_add_link_category( $action ) {
if ( empty( $action ) ) if ( empty( $action ) )
$action = 'add-link-category'; $action = 'add-link-category';
check_ajax_referer( $action ); check_ajax_referer( $action );
if ( !current_user_can( 'manage_categories' ) ) $tax = get_taxonomy( 'link_category' );
if ( ! current_user_can( $tax->cap->manage_terms ) ) {
wp_die( -1 ); wp_die( -1 );
}
$names = explode(',', wp_unslash( $_POST['newcat'] ) ); $names = explode(',', wp_unslash( $_POST['newcat'] ) );
$x = new WP_Ajax_Response(); $x = new WP_Ajax_Response();
foreach ( $names as $cat_name ) { foreach ( $names as $cat_name ) {
@ -1703,14 +1704,16 @@ function wp_ajax_inline_save_tax() {
if ( ! $tax ) if ( ! $tax )
wp_die( 0 ); wp_die( 0 );
if ( ! current_user_can( $tax->cap->edit_terms ) ) if ( ! isset( $_POST['tax_ID'] ) || ! ( $id = (int) $_POST['tax_ID'] ) ) {
wp_die( -1 ); wp_die( -1 );
}
if ( ! current_user_can( 'edit_term', $id ) ) {
wp_die( -1 );
}
$wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => 'edit-' . $taxonomy ) ); $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => 'edit-' . $taxonomy ) );
if ( ! isset($_POST['tax_ID']) || ! ( $id = (int) $_POST['tax_ID'] ) )
wp_die( -1 );
$tag = get_term( $id, $taxonomy ); $tag = get_term( $id, $taxonomy );
$_POST['description'] = $tag->description; $_POST['description'] = $tag->description;

View File

@ -151,7 +151,10 @@ class WP_Terms_List_Table extends WP_List_Table {
*/ */
protected function get_bulk_actions() { protected function get_bulk_actions() {
$actions = array(); $actions = array();
if ( current_user_can( get_taxonomy( $this->screen->taxonomy )->cap->delete_terms ) ) {
$actions['delete'] = __( 'Delete' ); $actions['delete'] = __( 'Delete' );
}
return $actions; return $actions;
} }
@ -332,11 +335,10 @@ class WP_Terms_List_Table extends WP_List_Table {
* @return string * @return string
*/ */
public function column_cb( $tag ) { public function column_cb( $tag ) {
$default_term = get_option( 'default_' . $this->screen->taxonomy ); if ( current_user_can( 'delete_term', $tag->term_id ) ) {
if ( current_user_can( get_taxonomy( $this->screen->taxonomy )->cap->delete_terms ) && $tag->term_id != $default_term )
return '<label class="screen-reader-text" for="cb-select-' . $tag->term_id . '">' . sprintf( __( 'Select %s' ), $tag->name ) . '</label>' return '<label class="screen-reader-text" for="cb-select-' . $tag->term_id . '">' . sprintf( __( 'Select %s' ), $tag->name ) . '</label>'
. '<input type="checkbox" name="delete_tags[]" value="' . $tag->term_id . '" id="cb-select-' . $tag->term_id . '" />'; . '<input type="checkbox" name="delete_tags[]" value="' . $tag->term_id . '" id="cb-select-' . $tag->term_id . '" />';
}
return '&nbsp;'; return '&nbsp;';
} }
@ -423,8 +425,6 @@ class WP_Terms_List_Table extends WP_List_Table {
$taxonomy = $this->screen->taxonomy; $taxonomy = $this->screen->taxonomy;
$tax = get_taxonomy( $taxonomy ); $tax = get_taxonomy( $taxonomy );
$default_term = get_option( 'default_' . $taxonomy );
$uri = wp_doing_ajax() ? wp_get_referer() : $_SERVER['REQUEST_URI']; $uri = wp_doing_ajax() ? wp_get_referer() : $_SERVER['REQUEST_URI'];
$edit_link = add_query_arg( $edit_link = add_query_arg(
@ -434,7 +434,7 @@ class WP_Terms_List_Table extends WP_List_Table {
); );
$actions = array(); $actions = array();
if ( current_user_can( $tax->cap->edit_terms ) ) { if ( current_user_can( 'edit_term', $tag->term_id ) ) {
$actions['edit'] = sprintf( $actions['edit'] = sprintf(
'<a href="%s" aria-label="%s">%s</a>', '<a href="%s" aria-label="%s">%s</a>',
esc_url( $edit_link ), esc_url( $edit_link ),
@ -449,7 +449,7 @@ class WP_Terms_List_Table extends WP_List_Table {
__( 'Quick&nbsp;Edit' ) __( 'Quick&nbsp;Edit' )
); );
} }
if ( current_user_can( $tax->cap->delete_terms ) && $tag->term_id != $default_term ) { if ( current_user_can( 'delete_term', $tag->term_id ) ) {
$actions['delete'] = sprintf( $actions['delete'] = sprintf(
'<a href="%s" class="delete-tag aria-button-if-js" aria-label="%s">%s</a>', '<a href="%s" class="delete-tag aria-button-if-js" aria-label="%s">%s</a>',
wp_nonce_url( "edit-tags.php?action=delete&amp;taxonomy=$taxonomy&amp;tag_ID=$tag->term_id", 'delete-tag_' . $tag->term_id ), wp_nonce_url( "edit-tags.php?action=delete&amp;taxonomy=$taxonomy&amp;tag_ID=$tag->term_id", 'delete-tag_' . $tag->term_id ),

View File

@ -434,6 +434,8 @@ function post_tags_meta_box( $post, $box ) {
<input type="button" class="button tagadd" value="<?php esc_attr_e('Add'); ?>" /></p> <input type="button" class="button tagadd" value="<?php esc_attr_e('Add'); ?>" /></p>
</div> </div>
<p class="howto" id="new-tag-<?php echo $tax_name; ?>-desc"><?php echo $taxonomy->labels->separate_items_with_commas; ?></p> <p class="howto" id="new-tag-<?php echo $tax_name; ?>-desc"><?php echo $taxonomy->labels->separate_items_with_commas; ?></p>
<?php elseif ( empty( $terms_to_edit ) ): ?>
<p><?php echo $taxonomy->labels->no_terms; ?></p>
<?php endif; ?> <?php endif; ?>
</div> </div>
<div class="tagchecklist"></div> <div class="tagchecklist"></div>

View File

@ -31,11 +31,11 @@ $taxonomy = $tax->name;
$title = $tax->labels->edit_item; $title = $tax->labels->edit_item;
if ( ! in_array( $taxonomy, get_taxonomies( array( 'show_ui' => true ) ) ) || if ( ! in_array( $taxonomy, get_taxonomies( array( 'show_ui' => true ) ) ) ||
! current_user_can( $tax->cap->manage_terms ) ! current_user_can( 'edit_term', $tag->term_id )
) { ) {
wp_die( wp_die(
'<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' . '<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
'<p>' . __( 'Sorry, you are not allowed to manage this item.' ) . '</p>', '<p>' . __( 'Sorry, you are not allowed to edit this item.' ) . '</p>',
403 403
); );
} }

View File

@ -635,7 +635,7 @@ function wp_admin_bar_edit_menu( $wp_admin_bar ) {
) ); ) );
} elseif ( ! empty( $current_object->taxonomy ) } elseif ( ! empty( $current_object->taxonomy )
&& ( $tax = get_taxonomy( $current_object->taxonomy ) ) && ( $tax = get_taxonomy( $current_object->taxonomy ) )
&& current_user_can( $tax->cap->edit_terms ) && current_user_can( 'edit_term', $current_object->term_id )
&& $edit_term_link = get_edit_term_link( $current_object->term_id, $current_object->taxonomy ) ) && $edit_term_link = get_edit_term_link( $current_object->term_id, $current_object->taxonomy ) )
{ {
$wp_admin_bar->add_menu( array( $wp_admin_bar->add_menu( array(

View File

@ -402,6 +402,43 @@ function map_meta_cap( $cap, $user_id ) {
case 'delete_site': case 'delete_site':
$caps[] = 'manage_options'; $caps[] = 'manage_options';
break; break;
case 'edit_term':
case 'delete_term':
case 'assign_term':
$term_id = $args[0];
$term = get_term( $term_id );
if ( ! $term || is_wp_error( $term ) ) {
$caps[] = 'do_not_allow';
break;
}
$tax = get_taxonomy( $term->taxonomy );
if ( ! $tax ) {
$caps[] = 'do_not_allow';
break;
}
if ( 'delete_term' === $cap && ( $term->term_id == get_option( 'default_' . $term->taxonomy ) ) ) {
$caps[] = 'do_not_allow';
break;
}
$taxo_cap = $cap . 's';
$caps = map_meta_cap( $tax->cap->$taxo_cap, $user_id, $term_id );
break;
case 'manage_post_tags':
case 'edit_categories':
case 'edit_post_tags':
case 'delete_categories':
case 'delete_post_tags':
$caps[] = 'manage_categories';
break;
case 'assign_categories':
case 'assign_post_tags':
$caps[] = 'edit_posts';
break;
case 'create_sites': case 'create_sites':
case 'delete_sites': case 'delete_sites':
case 'manage_network': case 'manage_network':

View File

@ -1886,8 +1886,9 @@ class wp_xmlrpc_server extends IXR_Server {
$taxonomy = get_taxonomy( $content_struct['taxonomy'] ); $taxonomy = get_taxonomy( $content_struct['taxonomy'] );
if ( ! current_user_can( $taxonomy->cap->manage_terms ) ) if ( ! current_user_can( $taxonomy->cap->edit_terms ) ) {
return new IXR_Error( 401, __( 'Sorry, you are not allowed to create terms in this taxonomy.' ) ); return new IXR_Error( 401, __( 'Sorry, you are not allowed to create terms in this taxonomy.' ) );
}
$taxonomy = (array) $taxonomy; $taxonomy = (array) $taxonomy;
@ -1973,9 +1974,6 @@ class wp_xmlrpc_server extends IXR_Server {
$taxonomy = get_taxonomy( $content_struct['taxonomy'] ); $taxonomy = get_taxonomy( $content_struct['taxonomy'] );
if ( ! current_user_can( $taxonomy->cap->edit_terms ) )
return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ) );
$taxonomy = (array) $taxonomy; $taxonomy = (array) $taxonomy;
// hold the data of the term // hold the data of the term
@ -1989,6 +1987,10 @@ class wp_xmlrpc_server extends IXR_Server {
if ( ! $term ) if ( ! $term )
return new IXR_Error( 404, __( 'Invalid term ID.' ) ); return new IXR_Error( 404, __( 'Invalid term ID.' ) );
if ( ! current_user_can( 'edit_term', $term_id ) ) {
return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this term.' ) );
}
if ( isset( $content_struct['name'] ) ) { if ( isset( $content_struct['name'] ) ) {
$term_data['name'] = trim( $content_struct['name'] ); $term_data['name'] = trim( $content_struct['name'] );
@ -2068,10 +2070,6 @@ class wp_xmlrpc_server extends IXR_Server {
return new IXR_Error( 403, __( 'Invalid taxonomy.' ) ); return new IXR_Error( 403, __( 'Invalid taxonomy.' ) );
$taxonomy = get_taxonomy( $taxonomy ); $taxonomy = get_taxonomy( $taxonomy );
if ( ! current_user_can( $taxonomy->cap->delete_terms ) )
return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete terms in this taxonomy.' ) );
$term = get_term( $term_id, $taxonomy->name ); $term = get_term( $term_id, $taxonomy->name );
if ( is_wp_error( $term ) ) if ( is_wp_error( $term ) )
@ -2080,6 +2078,10 @@ class wp_xmlrpc_server extends IXR_Server {
if ( ! $term ) if ( ! $term )
return new IXR_Error( 404, __( 'Invalid term ID.' ) ); return new IXR_Error( 404, __( 'Invalid term ID.' ) );
if ( ! current_user_can( 'delete_term', $term_id ) ) {
return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete this term.' ) );
}
$result = wp_delete_term( $term_id, $taxonomy->name ); $result = wp_delete_term( $term_id, $taxonomy->name );
if ( is_wp_error( $result ) ) if ( is_wp_error( $result ) )
@ -2140,9 +2142,6 @@ class wp_xmlrpc_server extends IXR_Server {
$taxonomy = get_taxonomy( $taxonomy ); $taxonomy = get_taxonomy( $taxonomy );
if ( ! current_user_can( $taxonomy->cap->assign_terms ) )
return new IXR_Error( 401, __( 'Sorry, you are not allowed to assign terms in this taxonomy.' ) );
$term = get_term( $term_id , $taxonomy->name, ARRAY_A ); $term = get_term( $term_id , $taxonomy->name, ARRAY_A );
if ( is_wp_error( $term ) ) if ( is_wp_error( $term ) )
@ -2151,6 +2150,10 @@ class wp_xmlrpc_server extends IXR_Server {
if ( ! $term ) if ( ! $term )
return new IXR_Error( 404, __( 'Invalid term ID.' ) ); return new IXR_Error( 404, __( 'Invalid term ID.' ) );
if ( ! current_user_can( 'assign_term', $term_id ) ) {
return new IXR_Error( 401, __( 'Sorry, you are not allowed to assign this term.' ) );
}
return $this->_prepare_term( $term ); return $this->_prepare_term( $term );
} }

View File

@ -930,7 +930,7 @@ function get_edit_term_link( $term_id, $taxonomy = '', $object_type = '' ) {
} }
$tax = get_taxonomy( $term->taxonomy ); $tax = get_taxonomy( $term->taxonomy );
if ( ! $tax || ! current_user_can( $tax->cap->edit_terms ) ) { if ( ! $tax || ! current_user_can( 'edit_term', $term->term_id ) ) {
return; return;
} }
@ -984,7 +984,7 @@ function edit_term_link( $link = '', $before = '', $after = '', $term = null, $e
return; return;
$tax = get_taxonomy( $term->taxonomy ); $tax = get_taxonomy( $term->taxonomy );
if ( ! current_user_can( $tax->cap->edit_terms ) ) { if ( ! current_user_can( 'edit_term', $term->term_id ) ) {
return; return;
} }

View File

@ -61,6 +61,12 @@ function create_initial_taxonomies() {
'show_ui' => true, 'show_ui' => true,
'show_admin_column' => true, 'show_admin_column' => true,
'_builtin' => true, '_builtin' => true,
'capabilities' => array(
'manage_terms' => 'manage_categories',
'edit_terms' => 'edit_categories',
'delete_terms' => 'delete_categories',
'assign_terms' => 'assign_categories',
),
) ); ) );
register_taxonomy( 'post_tag', 'post', array( register_taxonomy( 'post_tag', 'post', array(
@ -71,6 +77,12 @@ function create_initial_taxonomies() {
'show_ui' => true, 'show_ui' => true,
'show_admin_column' => true, 'show_admin_column' => true,
'_builtin' => true, '_builtin' => true,
'capabilities' => array(
'manage_terms' => 'manage_post_tags',
'edit_terms' => 'edit_post_tags',
'delete_terms' => 'delete_post_tags',
'assign_terms' => 'assign_post_tags',
),
) ); ) );
register_taxonomy( 'nav_menu', 'nav_menu_item', array( register_taxonomy( 'nav_menu', 'nav_menu_item', array(

View File

@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.7-alpha-38697'; $wp_version = '4.7-alpha-38698';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.