Gary Pendergast
3edf686b37
Capabilities: Fall back to the `edit_posts` capability for orphaned comments.
...
Merge of the `capabilities.php` part of [33614] to the 3.9 branch.
Props pento, dd32.
See #33154.
Built from https://develop.svn.wordpress.org/branches/3.9@33975
git-svn-id: http://core.svn.wordpress.org/branches/3.9@33944 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-09 06:14:14 +00:00
Gary Pendergast
c5eb54f359
Capabilities: When creating an auto-draft, ensure that the current user still has permission to do so.
...
Merge of [33357] to the 3.9 branch.
Built from https://develop.svn.wordpress.org/branches/3.9@33377
git-svn-id: http://core.svn.wordpress.org/branches/3.9@33348 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-23 04:12:14 +00:00
Gary Pendergast
7bd9e93fef
In Multisite, prevent plugins from unintentionally switching sites. Merge of [32173] to the 3.9 branch.
...
Props mdawaffe, pento.
Built from https://develop.svn.wordpress.org/branches/3.9@32200
git-svn-id: http://core.svn.wordpress.org/branches/3.9@32173 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-20 13:23:15 +00:00
Andrew Nacin
c67c9565f1
Don't default to current user for capability checks when dealing with a post without an author (post_author = 0).
...
Undoes [12053]. While it risks breakage, this is a far safer and saner default for these situations.
props danielbachhuber.
fixes #27020.
Built from https://develop.svn.wordpress.org/trunk@27390
git-svn-id: http://core.svn.wordpress.org/trunk@27238 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-04 03:09:15 +00:00
Sergey Biryukov
1c8b834b0c
Inline documentation for hooks in wp-includes/capabilities.php.
...
props ptahdunbar, kpdesign.
fixes #25531.
Built from https://develop.svn.wordpress.org/trunk@26126
git-svn-id: http://core.svn.wordpress.org/trunk@26038 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-11-13 04:39:08 +00:00
Sergey Biryukov
8d659b278c
Fix docblock formatting. fixes #25893.
...
Built from https://develop.svn.wordpress.org/trunk@26081
git-svn-id: http://core.svn.wordpress.org/trunk@26001 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-11-11 13:32:10 +00:00
Andrew Nacin
d93d8b850d
Reverse the order of roles in wp_dropdown_roles(). Reset to 'subscriber' when the default role is removed and when a save is invalid.
...
props garyc40, wonderboymusic.
fixes #14578.
Built from https://develop.svn.wordpress.org/trunk@25695
git-svn-id: http://core.svn.wordpress.org/trunk@25610 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-06 10:56:09 +00:00
Scott Taylor
80bac8fe09
`WP_User::get_role_caps()` now returns the caps it was already setting. The method was previously just setting `$allprops` and requiring that property to be read.
...
Props nofearinc.
Fixes #24962.
Built from https://develop.svn.wordpress.org/trunk@25673
git-svn-id: http://core.svn.wordpress.org/trunk@25589 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-02 21:36:09 +00:00
Sergey Biryukov
8bda461ca9
Remove inaccurate @return value from remove_role(). props tivnet. fixes #25450.
...
Built from https://develop.svn.wordpress.org/trunk@25653
git-svn-id: http://core.svn.wordpress.org/trunk@25570 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-01 02:53:11 +00:00
Andrew Nacin
0e620877fd
Use the wpdb method instead of $wpdb->prefix.
...
props hakre.
fixes #16756.
Built from https://develop.svn.wordpress.org/trunk@25615
git-svn-id: http://core.svn.wordpress.org/trunk@25532 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-24 23:41:10 +00:00
Scott Taylor
daa4b531e8
Fix several esoteric errors related to AJAX unit tests for comments:
...
* `wp_ajax_get_comments()` relies on the `$post_id` global - even though `$_POST['p']` is passed to every action in the test methods. If `$post_id` is still lingering in between tests and doesn't match `p` in the request, the cap check might pass while the queries for comments will blow up. I added `unset( $GLOBALS['post_id'] )` to `Tests_Ajax_GetComments::setUp()`.
* If the global `$post_id` is empty, but `$_REQUEST['p']` is not, `$post_id` is now set to `absint( $_REQUEST['p'] )` and sanity-checked in `wp_ajax_get_comments()`.
* `map_meta_cap()` always assumes that `get_comment()` succeeds when checking for the `edit_comment` cap. It doesn't. I added sanity checks in a few places where it will break early if `get_post()` or `get_comment()` are empty.
* `wp_update_comment()` always assumes `get_comment()` succeeds. It doesn't. I added a check for empty.
All AJAX unit tests run and pass in debug mode. All general unit tests pass against these changes.
Fixes #25282.
Built from https://develop.svn.wordpress.org/trunk@25438
git-svn-id: http://core.svn.wordpress.org/trunk@25360 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-14 18:36:09 +00:00
Scott Taylor
cb70e277af
Add an additional available param (the `WP_User` instance) to the `user_has_cap` filter.
...
Props Viper007Bond.
Fixes #24490.
Built from https://develop.svn.wordpress.org/trunk@25329
git-svn-id: http://core.svn.wordpress.org/trunk@25291 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-10 22:23:10 +00:00
Andrew Nacin
cbad0048a4
Don't set up $post_author_data in map_meta_cap() as we don't need it.
...
props duck_.
fixes #25177.
Built from https://develop.svn.wordpress.org/trunk@25177
git-svn-id: http://core.svn.wordpress.org/trunk@25150 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-30 04:01:08 +00:00
Andrew Nacin
c2db94d10c
Use meta caps edit_post, read_post, and delete_post directly, rather than consulting the post type object. map_meta_cap() handles that for us. props markjaquith, kovshenin. fixes #23226.
...
git-svn-id: http://core.svn.wordpress.org/trunk@24593 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-08 20:05:42 +00:00
Sergey Biryukov
81e2420c0a
Correct return value for get_role() and WP_Roles::get_role(). props tivnet. fixes #24607.
...
git-svn-id: http://core.svn.wordpress.org/trunk@24491 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-06-21 13:01:55 +00:00
Ryan Boren
982694749b
In WP_User::get_data_by(), don't abs int negative IDs. Instead, return false when an ID less than 1 is passed.
...
Props nacin, mordauk
fixes #23480
git-svn-id: http://core.svn.wordpress.org/trunk@24316 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-22 18:14:37 +00:00
Sergey Biryukov
362b41c33a
Pass old roles to set_user_role action. props awellis13. fixes #19134.
...
git-svn-id: http://core.svn.wordpress.org/trunk@23358 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-01-31 01:15:25 +00:00
Ryan Boren
54ac1d939b
Make current_user_can_for_blog() safe to run single site.
...
Props nacin, MarkJaquith
fixes #22803
git-svn-id: http://core.svn.wordpress.org/trunk@23117 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-12-07 09:53:27 +00:00
Andrew Nacin
61caecfa93
Use the create_posts post type cap in more places. Remove the janky create_posts meta cap. see #16714.
...
git-svn-id: http://core.svn.wordpress.org/trunk@22908 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-28 22:28:20 +00:00
Ryan Boren
fac33f51fa
When using WP_User::set_role() to set the role, don't unset all caps when the requested role matches the current role.
...
Props scribu, jammitch
fixes #18932
git-svn-id: http://core.svn.wordpress.org/trunk@22418 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-07 17:16:37 +00:00
Dion Hulse
f4976f40b3
Fix a PHP Notice when attempting to add or remove capabilities from nonexistent roles. Props SergeyBiryukov. Fixes #18461
...
git-svn-id: http://core.svn.wordpress.org/trunk@22354 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-10-31 23:18:33 +00:00
Ryan Boren
f9ddde8da6
Return WP_User objects when querying 'all' fields with WP_User_Query.
...
Allow passing stdClass or WP_User to the WP_User constructor.
fixes #22057
git-svn-id: http://core.svn.wordpress.org/trunk@22248 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-10-16 20:05:40 +00:00
Ryan Boren
77518e9c71
Objects no longer need to be explicitly passed by ref to call_user_func*() to be callable. Props wonderboymusic. fixes #21865
...
git-svn-id: http://core.svn.wordpress.org/trunk@22118 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-10-04 20:00:16 +00:00
Ryan Boren
f8f60ac01b
Introduce create_posts meta capability. Props scribu, nacin, casben79. see #16714
...
git-svn-id: http://core.svn.wordpress.org/trunk@22060 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-27 15:33:19 +00:00
Ryan Boren
afe19c7437
Add publish_post meta cap. Props nacin. fixes #21288
...
git-svn-id: http://core.svn.wordpress.org/trunk@22056 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-27 12:48:59 +00:00
Ryan Boren
ba84c90e1b
Allow remove_cap() to unset a negative capability. Props johnjamesjacoby. fixes #21786
...
git-svn-id: http://core.svn.wordpress.org/trunk@21940 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-21 13:41:43 +00:00
Andrew Nacin
37537626e3
Don't use hard-coded indexes when dealing with an array of roles. props elyobo. fixes #19222.
...
git-svn-id: http://core.svn.wordpress.org/trunk@21866 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-16 16:24:33 +00:00
Andrew Nacin
46eb6f0c26
Move the optimization done to get_user_by() in [21376] higher up the stack, into map_meta_cap() and is_super_admin().
...
This provides nearly the same benefits without possibly receiving a stale object from get_userdata(),
which could affect authentication, and introduce side effects for plugins.
see #21120.
git-svn-id: http://core.svn.wordpress.org/trunk@21563 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-08-20 21:58:34 +00:00
Andrew Nacin
84c3a86036
Hide the link manager from the UI on upgrade, if the site has no links. New DB option, link_manager_enabled.
...
Enforce this by denying the 'manage_links' capability, which hides the All Links, Add New Link, and Link Categories screens. Hide WP_Widget_Links and the UI for the default_link_category as well.
Convert all references to 'posts and links' when handling reassignment on user deletion to just 'posts'.
see #21307.
git-svn-id: http://core.svn.wordpress.org/trunk@21501 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-08-13 16:18:42 +00:00
Ryan Boren
cbd6a8becd
Allow passing stdClass and WP_User to wp_insert_user() and wp_update_user(). Introduce WP_User::to_array(). Eliminate uses of get_object_vars() when passing to wp_*_user(). fixes #21429
...
git-svn-id: http://core.svn.wordpress.org/trunk@21496 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-08-10 15:36:54 +00:00
ryan
d286875515
switch_to_blog() and restore_current_blog() housekeeping.
...
wp-includes/admin-bar.php:
* Replace get_admin_url() and get_home_url() with admin_url() and home_url() and place them inside a switch/restore. Likewise replace current_user_can_for_blog() with current_user_can(). This avoids doing multiple switch restores.
wp-includes/ms-blogs.php:
* Deprecate the $validate argument to switch_to_blog(). This avoids a not very necessary call to get_blog_details(), possibly saving a few queries.
* Use $_wp_switched and $_wp_switched_stack instead of $switched and $switched_stack to make it less likely these globals will be stomped.
* Use GLOBALS to access blog_id and other globals. I've preferred this style lately since it makes it obvious a global is being used and avoids global blog_id being stomped by a local variable.
* Lose some is_object() checks. wp_get_current_user() always returns an object, for example.
* Call the new WP_Roles::reinit() method.
wp-includes/class-wp-xmlrpc-server.php:
* Replace current_user_can_for_blog() with current_user_can() and move it inside the switch/restore pair. This eliminates a switch/restore.
wp-includes/capabilities.php:
* Use array_keys() instead of $role => $data since $data is unused. I *think* this is a bit faster.
* Introduce WP_Roles::reinit(). This reinitializes WP_Roles and is used after switch_to_blog() has already updated the blog ID in the wpdb object. If a global roles array is being used instead of the db, reinit is skipped.
* current_user_can_for_blog() now does a switch/restore. It didn't before meaning it could be reinitializing the user with the wrong role information for the current blog.
wp-includes/ms-settings.php:
* Define $_wp_switched_stack and $_wp_switched. This way switch_to_blog() and restore_current_blog() can rely on it being set.
wp-settings.php:
* Instantiate the WP_Roles global. This way it is always defined during init. To remove the WP_Roles checks from WP_Role and WP_User this would probably have to move before plugins are loaded, which might not be a good thing.
wp-includes/functions.php:
* Update wp_upload_dir() to reference _wp_switched.
git-svn-id: http://core.svn.wordpress.org/trunk@21485 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-08-09 16:28:15 +00:00
nacin
7127ed1197
Move most instances of new WP_User to get_userdata(). see #21120.
...
git-svn-id: http://core.svn.wordpress.org/trunk@21413 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-08-03 01:06:05 +00:00
nacin
fed9492cbc
Use get_userdata() rather than new WP_User in is_super_admin(), to take advantage of the performance improvements in [21376]. see #21120.
...
git-svn-id: http://core.svn.wordpress.org/trunk@21377 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-07-31 17:47:08 +00:00
nacin
fcae3978c3
Don't call get_userdata() every time for the current user in map_meta_cap()'s read_post, edit_post, and delete_post branches. see #21120.
...
git-svn-id: http://core.svn.wordpress.org/trunk@21375 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-07-31 17:39:14 +00:00
nacin
9d20dfc4e1
Enforce multisite plugins menu preference in map_meta_cap(). This means a simple current_user_can('activate_plugins') check will handle the 'Enable administration menus' setting.
...
Remove bogus checks for enabling/disabling the 'themes' menu (something core does not handle out of the box) when in the network admin.
fixes #21123.
git-svn-id: http://core.svn.wordpress.org/trunk@21198 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-06-30 12:40:25 +00:00
nacin
4add59f0c1
Remove 'fall through' points in map_meta_cap() as they can hide bugs.
...
git-svn-id: http://core.svn.wordpress.org/trunk@21152 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-06-27 19:27:54 +00:00
ryan
0a22489dc7
Fix warning when processing read_post cap. Props duck_. fixes #20917
...
git-svn-id: http://core.svn.wordpress.org/trunk@21060 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-06-12 13:50:51 +00:00
ryan
d4311fb73e
Make read_post more useful. Map read_post to edit_post for posts with protected post states. This makes read_post work naturally for draft, future, and pending posts belonging to other users. If the current user cannot edit these non-public posts then the user should not be able to read them either.
...
git-svn-id: http://core.svn.wordpress.org/trunk@21046 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-06-10 16:21:44 +00:00
nacin
bd1224eacf
Update phpdoc for WP_User::has_cap(). props nunomorgadinho. see #19756.
...
git-svn-id: http://core.svn.wordpress.org/trunk@20683 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-05-02 14:17:04 +00:00
nacin
4fae1f64c2
Do not block file mod/edit caps when DISALLOW_UNFILTERED_HTML is set. There are separate constants (DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS) for those. fixes #20488.
...
git-svn-id: http://svn.automattic.com/wordpress/trunk@20534 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-04-19 14:05:05 +00:00
ryan
de41bc288b
Introduce WP_User::exists(). see #20372
...
git-svn-id: http://svn.automattic.com/wordpress/trunk@20378 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-04-06 19:18:45 +00:00
ryan
e3b46b25d3
Lose EOF ?>. Clean up EOF newlines. fixes #12307
...
git-svn-id: http://svn.automattic.com/wordpress/trunk@19712 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-01-08 17:01:11 +00:00
ryan
340e93324c
Remove extraneous spaces. Props kenan3008, dimadin. fixes #19501 #19433
...
git-svn-id: http://svn.automattic.com/wordpress/trunk@19596 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-12-14 17:36:38 +00:00
ryan
07ff8b216b
Use one space, not two, after trailing punctuation. fixes #19537
...
git-svn-id: http://svn.automattic.com/wordpress/trunk@19593 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-12-13 23:45:31 +00:00
duck_
27a55d6459
Provide back compat mapping for user_level, wp_usersettings and wp_usersettingstime properties of WP_User objects. Fixes #19265.
...
git-svn-id: http://svn.automattic.com/wordpress/trunk@19325 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-11-17 20:40:24 +00:00
nacin
68c443e9ee
Remove dead code. empty() will catch anything that equals false.
...
git-svn-id: http://svn.automattic.com/wordpress/trunk@19171 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-11-05 13:35:48 +00:00
ryan
c1e7325db6
Avoid 'Only variables should be assigned by reference' warning. Props arena. fixes #18867
...
git-svn-id: http://svn.automattic.com/wordpress/trunk@18956 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-10-12 20:41:06 +00:00
ryan
8f50fdf79a
Don't stomp meta fields in wp_update_user(). Props scribu. see #15458
...
git-svn-id: http://svn.automattic.com/wordpress/trunk@18909 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-10-07 02:34:41 +00:00
duck_
e4ed63fc6f
Fix typos in documentation (wp-includes/[a-h]). See #18560.
...
git-svn-id: http://svn.automattic.com/wordpress/trunk@18633 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-09-03 16:02:41 +00:00
ryan
8edd1656f7
Handle null user ID in the WP_User constructor. Props kawauso. fixes #17894
...
git-svn-id: http://svn.automattic.com/wordpress/trunk@18598 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-08-24 19:47:35 +00:00