From 233a0f8d9be0acd30b2b974fc45f5e2eca00dafd Mon Sep 17 00:00:00 2001
From: Dominik Schilling
Date: Thu, 26 Jan 2017 14:12:33 +0000
Subject: [PATCH] Press This: Do not show Categories & Tags UI for users who cannot assign terms to posts anyways.
Merge of [39968] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@39973
git-svn-id: http://core.svn.wordpress.org/branches/4.4@39910 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/class-wp-press-this.php | 96 ++++++++++++++++-------
 1 file changed, 67 insertions(+), 29 deletions(-)
diff --git a/wp-admin/includes/class-wp-press-this.php b/wp-admin/includes/class-wp-press-this.php
index cdc4ad79bb..0ee8783556 100644
--- a/wp-admin/includes/class-wp-press-this.php
+++ b/wp-admin/includes/class-wp-press-this.php
@@ -119,10 +119,28 @@ class WP_Press_This {
 'post_type' => 'post',
 'post_status' => 'draft',
 'post_format' => ( ! empty( $_POST['post_format'] ) ) ? sanitize_text_field( $_POST['post_format'] ) : '',
- 'tax_input' => ( ! empty( $_POST['tax_input'] ) ) ? $_POST['tax_input'] : array(),
- 'post_category' => ( ! empty( $_POST['post_category'] ) ) ? $_POST['post_category'] : array(),
 );
+ // Only accept categories if the user actually can assign
+ $category_tax = get_taxonomy( 'category' );
+ if ( current_user_can( $category_tax->cap->assign_terms ) ) {
+ $post_data['post_category'] = ( ! empty( $_POST['post_category'] ) ) ? $_POST['post_category'] : array();
+ }
+
+ // Only accept taxonomies if the user can actually assign
+ if ( ! empty( $_POST['tax_input'] ) ) {
+ $tax_input = $_POST['tax_input'];
+ foreach ( $tax_input as $tax => $_ti ) {
+ $tax_object = get_taxonomy( $tax );
+ if ( ! $tax_object || ! current_user_can( $tax_object->cap->assign_terms ) ) {
+ unset( $tax_input[ $tax ] );
+ }
+ }
+
+ $post_data['tax_input'] = $tax_input;
+ }
+
+ // Toggle status to pending if user cannot actually publish
 if ( ! empty( $_POST['post_status'] ) && 'publish' === $_POST['post_status'] ) {
 if ( current_user_can( 'publish_posts' ) ) {
 $post['post_status'] = 'publish';
@@ -444,7 +462,7 @@ class WP_Press_This {
 * @since 4.2.0
 *
 * @param string $src Embed source URL.
- * @return string If not from a supported provider, an empty string. Otherwise, a reformattd embed URL.
+ * @return string If not from a supported provider, an empty string. Otherwise, a reformatted embed URL.
 */
 private function _limit_embed( $src ) {
 $src = $this->_limit_url( $src );
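Review bot: The added assignments write to `$post_data['post_category']` and `$post_data['tax_input']`, but the context line at the end of this hunk still assigns `$post['post_status'] = 'publish';`, which suggests the array built above (its opening is outside the hunk) is named `$post` on this branch. If so, the filtered categories and taxonomies land in a separate variable and are silently dropped from the saved post; the assignments should read `$post['post_category'] = …` and `$post['tax_input'] = $tax_input;`. Separately, `$_POST['tax_input']` is iterated without an `is_array()` check, so a scalar value skips the per-taxonomy `assign_terms` filter and is stored as-is; guarding with `if ( ! empty( $_POST['tax_input'] ) && is_array( $_POST['tax_input'] ) ) {` keeps the capability check on every path.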
@@ -874,6 +892,12 @@ class WP_Press_This { public function categories_html( $post ) { $taxonomy = get_taxonomy( 'category' ); + // Bail if user cannot assign terms + if ( ! current_user_can( $taxonomy->cap->assign_terms ) ) { + return; + } + + // Only show "add" if user can edit terms if ( current_user_can( $taxonomy->cap->edit_terms ) ) { ?> - + + + - + + + @@ -1462,23 +1496,27 @@ class WP_Press_This { - + + + - + + +