Taxonomy: Introduce more fine grained capabilities for managing taxonomy terms.

This introduces the singular `edit_term`, `delete_term`, and `assign_term` meta capabilities for terms, and switches the base capability name for tags from `manage_categories` to `manage_post_tags` and the corresponding `edit_post_tags`, `delete_post_tags`, and `assign_post_tags`. All of these capabilities ultimately map to `manage_categories` so by default there is no change in the behaviour of the capabilities for categories, tags, or custom taxonomies. The `map_meta_cap` filter and the `capabilities` argument when registering a taxonomy now allow for control over editing, deleting, and assigning individual terms, as well as a separation of capabilities for tags from those of categories. Fixes #35614 Props johnjamesjacoby for feedback Built from https://develop.svn.wordpress.org/trunk@38698 git-svn-id: http://core.svn.wordpress.org/trunk@38641 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-30 22:40:28 +00:00 · 2016-09-30 22:40:28 +00:00 · b84023ea33
parent 16674f715f
commit b84023ea33
11 changed files with 93 additions and 44 deletions
--- a/wp-admin/edit-tags.php
+++ b/wp-admin/edit-tags.php
@ -108,7 +108,7 @@ case 'delete':
 	$tag_ID = (int) $_REQUEST['tag_ID'];
 	check_admin_referer( 'delete-tag_' . $tag_ID );
-	if ( ! current_user_can( $tax->cap->delete_terms ) ) {
+	if ( ! current_user_can( 'delete_term', $tag_ID ) ) {
 		wp_die(
 			'<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
 			'<p>' . __( 'Sorry, you are not allowed to delete this item.' ) . '</p>',
@ -168,7 +168,7 @@ case 'editedtag':
 	$tag_ID = (int) $_POST['tag_ID'];
 	check_admin_referer( 'update-tag_' . $tag_ID );
-	if ( ! current_user_can( $tax->cap->edit_terms ) ) {
+	if ( ! current_user_can( 'edit_term', $tag_ID ) ) {
 		wp_die(
 			'<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
 			'<p>' . __( 'Sorry, you are not allowed to edit this item.' ) . '</p>',
@ -314,14 +314,6 @@ if ( 'category' == $taxonomy || 'link_category' == $taxonomy || 'post_tag' == $t
 require_once( ABSPATH . 'wp-admin/admin-header.php' );
 if ( ! current_user_can( $tax->cap->edit_terms ) ) {
 	wp_die(
 		'<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
 		'<p>' . __( 'Sorry, you are not allowed to edit this item.' ) . '</p>',
 		403
 	);
 }
 /** Also used by the Edit Tag  form */
 require_once( ABSPATH . 'wp-admin/includes/edit-tag-messages.php' );
--- a/wp-admin/includes/ajax-actions.php
+++ b/wp-admin/includes/ajax-actions.php
@ -594,12 +594,11 @@ function wp_ajax_delete_tag() {
 	$tag_id = (int) $_POST['tag_ID'];
 	check_ajax_referer( "delete-tag_$tag_id" );
-	$taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag';
+	if ( ! current_user_can( 'delete_term', $tag_id ) ) {
 	$tax = get_taxonomy($taxonomy);
 	if ( !current_user_can( $tax->cap->delete_terms ) )
 		wp_die( -1 );
 	}
 	$taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag';
 	$tag = get_term( $tag_id, $taxonomy );
 	if ( !$tag || is_wp_error( $tag ) )
 		wp_die( 1 );
@ -796,8 +795,10 @@ function wp_ajax_add_link_category( $action ) {
 	if ( empty( $action ) )
 		$action = 'add-link-category';
 	check_ajax_referer( $action );
-	if ( !current_user_can( 'manage_categories' ) )
+	$tax = get_taxonomy( 'link_category' );
 	if ( ! current_user_can( $tax->cap->manage_terms ) ) {
 		wp_die( -1 );
 	}
 	$names = explode(',', wp_unslash( $_POST['newcat'] ) );
 	$x = new WP_Ajax_Response();
 	foreach ( $names as $cat_name ) {
@ -1703,14 +1704,16 @@ function wp_ajax_inline_save_tax() {
 	if ( ! $tax )
 		wp_die( 0 );
-	if ( ! current_user_can( $tax->cap->edit_terms ) )
+	if ( ! isset( $_POST['tax_ID'] ) || ! ( $id = (int) $_POST['tax_ID'] ) ) {
 		wp_die( -1 );
 	}
 	if ( ! current_user_can( 'edit_term', $id ) ) {
 		wp_die( -1 );
 	}
 	$wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => 'edit-' . $taxonomy ) );
 	if ( ! isset($_POST['tax_ID']) || ! ( $id = (int) $_POST['tax_ID'] ) )
 		wp_die( -1 );
 	$tag = get_term( $id, $taxonomy );
 	$_POST['description'] = $tag->description;
--- a/wp-admin/includes/class-wp-terms-list-table.php
+++ b/wp-admin/includes/class-wp-terms-list-table.php
@ -151,7 +151,10 @@ class WP_Terms_List_Table extends WP_List_Table {
 	 */
 	protected function get_bulk_actions() {
 		$actions = array();
-		$actions['delete'] = __( 'Delete' );
+
 		if ( current_user_can( get_taxonomy( $this->screen->taxonomy )->cap->delete_terms ) ) {
 			$actions['delete'] = __( 'Delete' );
 		}
 		return $actions;
 	}
@ -332,11 +335,10 @@ class WP_Terms_List_Table extends WP_List_Table {
 	 * @return string
 	 */
 	public function column_cb( $tag ) {
-		$default_term = get_option( 'default_' . $this->screen->taxonomy );
+		if ( current_user_can( 'delete_term', $tag->term_id ) ) {
 		if ( current_user_can( get_taxonomy( $this->screen->taxonomy )->cap->delete_terms ) && $tag->term_id != $default_term )
 			return '<label class="screen-reader-text" for="cb-select-' . $tag->term_id . '">' . sprintf( __( 'Select %s' ), $tag->name ) . '</label>'
 				. '<input type="checkbox" name="delete_tags[]" value="' . $tag->term_id . '" id="cb-select-' . $tag->term_id . '" />';
 		}
 		return '&nbsp;';
 	}
@ -423,8 +425,6 @@ class WP_Terms_List_Table extends WP_List_Table {
 		$taxonomy = $this->screen->taxonomy;
 		$tax = get_taxonomy( $taxonomy );
 		$default_term = get_option( 'default_' . $taxonomy );
 		$uri = wp_doing_ajax() ? wp_get_referer() : $_SERVER['REQUEST_URI'];
 		$edit_link = add_query_arg(
@ -434,7 +434,7 @@ class WP_Terms_List_Table extends WP_List_Table {
 		);
 		$actions = array();
-		if ( current_user_can( $tax->cap->edit_terms ) ) {
+		if ( current_user_can( 'edit_term', $tag->term_id ) ) {
 			$actions['edit'] = sprintf(
 				'<a href="%s" aria-label="%s">%s</a>',
 				esc_url( $edit_link ),
@ -449,7 +449,7 @@ class WP_Terms_List_Table extends WP_List_Table {
 				__( 'Quick&nbsp;Edit' )
 			);
 		}
-		if ( current_user_can( $tax->cap->delete_terms ) && $tag->term_id != $default_term ) {
+		if ( current_user_can( 'delete_term', $tag->term_id ) ) {
 			$actions['delete'] = sprintf(
 				'<a href="%s" class="delete-tag aria-button-if-js" aria-label="%s">%s</a>',
 				wp_nonce_url( "edit-tags.php?action=delete&amp;taxonomy=$taxonomy&amp;tag_ID=$tag->term_id", 'delete-tag_' . $tag->term_id ),
--- a/wp-admin/includes/meta-boxes.php
+++ b/wp-admin/includes/meta-boxes.php
@ -434,6 +434,8 @@ function post_tags_meta_box( $post, $box ) {
 		<input type="button" class="button tagadd" value="<?php esc_attr_e('Add'); ?>" /></p>
 	</div>
 	<p class="howto" id="new-tag-<?php echo $tax_name; ?>-desc"><?php echo $taxonomy->labels->separate_items_with_commas; ?></p>
 	<?php elseif ( empty( $terms_to_edit ) ): ?>
 		<p><?php echo $taxonomy->labels->no_terms; ?></p>
 	<?php endif; ?>
 	</div>
 	<div class="tagchecklist"></div>
--- a/wp-admin/term.php
+++ b/wp-admin/term.php
@ -31,11 +31,11 @@ $taxonomy = $tax->name;
 $title    = $tax->labels->edit_item;
 if ( ! in_array( $taxonomy, get_taxonomies( array( 'show_ui' => true ) ) ) ||
-     ! current_user_can( $tax->cap->manage_terms )
+     ! current_user_can( 'edit_term', $tag->term_id )
 ) {
 	wp_die(
 		'<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
-		'<p>' . __( 'Sorry, you are not allowed to manage this item.' ) . '</p>',
+		'<p>' . __( 'Sorry, you are not allowed to edit this item.' ) . '</p>',
 		403
 	);
 }
--- a/wp-includes/admin-bar.php
+++ b/wp-includes/admin-bar.php
@ -635,7 +635,7 @@ function wp_admin_bar_edit_menu( $wp_admin_bar ) {
 			) );
 		} elseif ( ! empty( $current_object->taxonomy )
 			&& ( $tax = get_taxonomy( $current_object->taxonomy ) )
-			&& current_user_can( $tax->cap->edit_terms )
+			&& current_user_can( 'edit_term', $current_object->term_id )
 			&& $edit_term_link = get_edit_term_link( $current_object->term_id, $current_object->taxonomy ) )
 		{
 			$wp_admin_bar->add_menu( array(
--- a/wp-includes/capabilities.php
+++ b/wp-includes/capabilities.php
@ -402,6 +402,43 @@ function map_meta_cap( $cap, $user_id ) {
 	case 'delete_site':
 		$caps[] = 'manage_options';
 		break;
 	case 'edit_term':
 	case 'delete_term':
 	case 'assign_term':
 		$term_id = $args[0];
 		$term = get_term( $term_id );
 		if ( ! $term || is_wp_error( $term ) ) {
 			$caps[] = 'do_not_allow';
 			break;
 		}
 		$tax = get_taxonomy( $term->taxonomy );
 		if ( ! $tax ) {
 			$caps[] = 'do_not_allow';
 			break;
 		}
 		if ( 'delete_term' === $cap && ( $term->term_id == get_option( 'default_' . $term->taxonomy ) ) ) {
 			$caps[] = 'do_not_allow';
 			break;
 		}
 		$taxo_cap = $cap . 's';
 		$caps = map_meta_cap( $tax->cap->$taxo_cap, $user_id, $term_id );
 		break;
 	case 'manage_post_tags':
 	case 'edit_categories':
 	case 'edit_post_tags':
 	case 'delete_categories':
 	case 'delete_post_tags':
 		$caps[] = 'manage_categories';
 		break;
 	case 'assign_categories':
 	case 'assign_post_tags':
 		$caps[] = 'edit_posts';
 		break;
 	case 'create_sites':
 	case 'delete_sites':
 	case 'manage_network':
--- a/wp-includes/class-wp-xmlrpc-server.php
+++ b/wp-includes/class-wp-xmlrpc-server.php
@ -1886,8 +1886,9 @@ class wp_xmlrpc_server extends IXR_Server {
 		$taxonomy = get_taxonomy( $content_struct['taxonomy'] );
-		if ( ! current_user_can( $taxonomy->cap->manage_terms ) )
+		if ( ! current_user_can( $taxonomy->cap->edit_terms ) ) {
 			return new IXR_Error( 401, __( 'Sorry, you are not allowed to create terms in this taxonomy.' ) );
 		}
 		$taxonomy = (array) $taxonomy;
@ -1973,9 +1974,6 @@ class wp_xmlrpc_server extends IXR_Server {
 		$taxonomy = get_taxonomy( $content_struct['taxonomy'] );
 		if ( ! current_user_can( $taxonomy->cap->edit_terms ) )
 			return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ) );
 		$taxonomy = (array) $taxonomy;
 		// hold the data of the term
@ -1989,6 +1987,10 @@ class wp_xmlrpc_server extends IXR_Server {
 		if ( ! $term )
 			return new IXR_Error( 404, __( 'Invalid term ID.' ) );
 		if ( ! current_user_can( 'edit_term', $term_id ) ) {
 			return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this term.' ) );
 		}
 		if ( isset( $content_struct['name'] ) ) {
 			$term_data['name'] = trim( $content_struct['name'] );
@ -2068,10 +2070,6 @@ class wp_xmlrpc_server extends IXR_Server {
 			return new IXR_Error( 403, __( 'Invalid taxonomy.' ) );
 		$taxonomy = get_taxonomy( $taxonomy );
 		if ( ! current_user_can( $taxonomy->cap->delete_terms ) )
 			return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete terms in this taxonomy.' ) );
 		$term = get_term( $term_id, $taxonomy->name );
 		if ( is_wp_error( $term ) )
@ -2080,6 +2078,10 @@ class wp_xmlrpc_server extends IXR_Server {
 		if ( ! $term )
 			return new IXR_Error( 404, __( 'Invalid term ID.' ) );
 		if ( ! current_user_can( 'delete_term', $term_id ) ) {
 			return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete this term.' ) );
 		}
 		$result = wp_delete_term( $term_id, $taxonomy->name );
 		if ( is_wp_error( $result ) )
@ -2140,9 +2142,6 @@ class wp_xmlrpc_server extends IXR_Server {
 		$taxonomy = get_taxonomy( $taxonomy );
 		if ( ! current_user_can( $taxonomy->cap->assign_terms ) )
 			return new IXR_Error( 401, __( 'Sorry, you are not allowed to assign terms in this taxonomy.' ) );
 		$term = get_term( $term_id , $taxonomy->name, ARRAY_A );
 		if ( is_wp_error( $term ) )
@ -2151,6 +2150,10 @@ class wp_xmlrpc_server extends IXR_Server {
 		if ( ! $term )
 			return new IXR_Error( 404, __( 'Invalid term ID.' ) );
 		if ( ! current_user_can( 'assign_term', $term_id ) ) {
 			return new IXR_Error( 401, __( 'Sorry, you are not allowed to assign this term.' ) );
 		}
 		return $this->_prepare_term( $term );
 	}
--- a/wp-includes/link-template.php
+++ b/wp-includes/link-template.php
@ -930,7 +930,7 @@ function get_edit_term_link( $term_id, $taxonomy = '', $object_type = '' ) {
 	}
 	$tax = get_taxonomy( $term->taxonomy );
-	if ( ! $tax || ! current_user_can( $tax->cap->edit_terms ) ) {
+	if ( ! $tax || ! current_user_can( 'edit_term', $term->term_id ) ) {
 		return;
 	}
@ -984,7 +984,7 @@ function edit_term_link( $link = '', $before = '', $after = '', $term = null, $e
 		return;
 	$tax = get_taxonomy( $term->taxonomy );
-	if ( ! current_user_can( $tax->cap->edit_terms ) ) {
+	if ( ! current_user_can( 'edit_term', $term->term_id ) ) {
 		return;
 	}
--- a/wp-includes/taxonomy.php
+++ b/wp-includes/taxonomy.php
@ -61,6 +61,12 @@ function create_initial_taxonomies() {
 		'show_ui' => true,
 		'show_admin_column' => true,
 		'_builtin' => true,
 		'capabilities' => array(
 			'manage_terms' => 'manage_categories',
 			'edit_terms'   => 'edit_categories',
 			'delete_terms' => 'delete_categories',
 			'assign_terms' => 'assign_categories',
 		),
 	) );
 	register_taxonomy( 'post_tag', 'post', array(
@ -71,6 +77,12 @@ function create_initial_taxonomies() {
 		'show_ui' => true,
 		'show_admin_column' => true,
 		'_builtin' => true,
 		'capabilities' => array(
 			'manage_terms' => 'manage_post_tags',
 			'edit_terms'   => 'edit_post_tags',
 			'delete_terms' => 'delete_post_tags',
 			'assign_terms' => 'assign_post_tags',
 		),
 	) );
 	register_taxonomy( 'nav_menu', 'nav_menu_item', array(
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.7-alpha-38697';
+$wp_version = '4.7-alpha-38698';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.