Use correct cap checks and nonces for custom post types

git-svn-id: http://svn.automattic.com/wordpress/trunk@13786 1a063a9b-81f0-0310-95a4-ce76da25c4cd
dd32 2010-03-21 02:29:11 +00:00
parent adf8dd3743
commit 68445ab030
3 changed files with 11 additions and 12 deletions


@ -14,8 +14,7 @@ function post_submit_meta_box($post) {
$post_type = $post->post_type;
$post_type_object = get_post_type_object($post_type);
$type_cap = $post_type_object->capability_type;
$can_publish = current_user_can("publish_${type_cap}s");
$can_publish = current_user_can($post_type_object->publish_cap);
?>
<div class="submitbox" id="submitpost">
@ -194,7 +193,7 @@ if ( $can_publish ) : // Contributors don't get to choose the date of publish ?>
<?php do_action('post_submitbox_start'); ?>
<div id="delete-action">
<?php
if ( current_user_can( "delete_${type_cap}", $post->ID ) ) {
if ( current_user_can( "delete_post", $post->ID ) ) {
if ( !EMPTY_TRASH_DAYS ) {
$delete_url = wp_nonce_url( add_query_arg( array('action' => 'delete', 'post' => $post->ID) ), "delete-${post_type}_{$post->ID}" );
$delete_text = __('Delete Permanently');
@ -407,7 +406,7 @@ function post_comment_status_meta_box($post) {
}
/**
* Displa comments for post table header
* Display comments for post table header
*
* @since 3.0
*
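Review bot: With the publish check changed to `$can_publish = current_user_can($post_type_object->publish_cap);` and the delete check in the second hunk changed to the literal `delete_post`, the `$type_cap` assignment two lines above the new publish line no longer feeds anything visible here; if no later use remains in `post_submit_meta_box`, drop `$type_cap = $post_type_object->capability_type;` so the old `capability_type`-derived path is not left half-removed. The `delete_post` check only resolves to the type-specific capability if `map_meta_cap` routes it through the type's `delete_cap`, which the `map_meta_cap` hunks in this commit appear to do; the post.php handler that consumes the `delete-{post_type}_{ID}` nonce built on the next line is not in this diff, so it is worth confirming it verifies the same action string and checks the same capability. `post_submit_meta_box` starts before the first hunk.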


@ -863,9 +863,10 @@ function inline_edit_row( $screen ) {
foreach ( $taxonomy_names as $taxonomy_name ) {
$taxonomy = get_taxonomy( $taxonomy_name);
if( !$taxonomy->show_ui ) continue;
if ( !$taxonomy->show_ui )
continue;
if( $taxonomy->hierarchical )
if ( $taxonomy->hierarchical )
$hierarchical_taxonomies[] = $taxonomy;
else
$flat_taxonomies[] = $taxonomy;
@ -875,7 +876,6 @@ function inline_edit_row( $screen ) {
$hidden = array_intersect( array_keys( $columns ), array_filter( get_hidden_columns($screen) ) );
$col_count = count($columns) - count($hidden);
$m = ( isset($mode) && 'excerpt' == $mode ) ? 'excerpt' : 'list';
// @todo use capability_type
$can_publish = current_user_can($post_type_object->publish_cap);
$core_columns = array( 'cb' => true, 'date' => true, 'title' => true, 'categories' => true, 'tags' => true, 'comments' => true, 'author' => true );
@ -1561,11 +1561,11 @@ foreach ( $posts_columns as $column_name => $column_display_name ) {
}
if ( current_user_can($post_type_object->delete_cap, $page->ID) ) {
if ( $post->post_status == 'trash' )
$actions['untrash'] = "<a title='" . esc_attr(__('Remove this page from the Trash')) . "' href='" . wp_nonce_url("post.php?post_type=$post_type&amp;action=untrash&amp;post=$page->ID", 'untrash-page_' . $page->ID) . "'>" . __('Restore') . "</a>";
$actions['untrash'] = "<a title='" . esc_attr(__('Remove this page from the Trash')) . "' href='" . wp_nonce_url("post.php?post_type=$post_type&amp;action=untrash&amp;post=$page->ID", 'untrash-' . $post->post_type . '_' . $page->ID) . "'>" . __('Restore') . "</a>";
elseif ( EMPTY_TRASH_DAYS )
$actions['trash'] = "<a class='submitdelete' title='" . esc_attr(__('Move this page to the Trash')) . "' href='" . get_delete_post_link($page->ID) . "'>" . __('Trash') . "</a>";
if ( $post->post_status == 'trash' || !EMPTY_TRASH_DAYS )
$actions['delete'] = "<a class='submitdelete' title='" . esc_attr(__('Delete this page permanently')) . "' href='" . wp_nonce_url("post.php?post_type=$post_type&amp;action=delete&amp;post=$page->ID", 'delete-page_' . $page->ID) . "'>" . __('Delete Permanently') . "</a>";
$actions['delete'] = "<a class='submitdelete' title='" . esc_attr(__('Delete this page permanently')) . "' href='" . wp_nonce_url("post.php?post_type=$post_type&amp;action=delete&amp;post=$page->ID", 'delete-' . $post->post_type . '_' . $page->ID) . "'>" . __('Delete Permanently') . "</a>";
}
if ( in_array($post->post_status, array('pending', 'draft')) ) {
if ( current_user_can($post_type_object->edit_cap, $page->ID) )
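Review bot: The new nonce actions in the last hunk take the type from `$post->post_type` while the ID in the same action string and in the URL comes from `$page->ID`, and the query string uses a third variable `$post_type`; if `$page` is not the same object as `$post`, the nonce is bound to one post's type and another post's ID and will fail verification in the handler. Taking both parts from the row's own object, e.g. `'untrash-' . $page->post_type . '_' . $page->ID` and likewise for `'delete-'`, removes the ambiguity (assuming `$page` is the row being rendered). The link titles still read 'Remove this page from the Trash', 'Move this page to the Trash' and 'Delete this page permanently' although the rows are now any post type, so the wording no longer matches the code. The enclosing function starts and ends outside this hunk.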


@ -810,7 +810,7 @@ function map_meta_cap( $cap, $user_id ) {
$post = get_post( $args[0] );
$post_type = get_post_type_object( $post->post_type );
if ( $post_type && 'post' != $post_type->capability_type ) {
$args = array_merge( array( 'delete_' . $post_type->capability_type, $user_id ), $args );
$args = array_merge( array( $post_type->delete_cap, $user_id ), $args );
return call_user_func_array( 'map_meta_cap', $args );
}
@ -887,7 +887,7 @@ function map_meta_cap( $cap, $user_id ) {
$post = get_post( $args[0] );
$post_type = get_post_type_object( $post->post_type );
if ( $post_type && 'post' != $post_type->capability_type ) {
$args = array_merge( array( 'edit_' . $post_type->capability_type, $user_id ), $args );
$args = array_merge( array( $post_type->edit_cap, $user_id ), $args );
return call_user_func_array( 'map_meta_cap', $args );
}
$post_author_data = get_userdata( $post->post_author );
@ -946,7 +946,7 @@ function map_meta_cap( $cap, $user_id ) {
$post = get_post( $args[0] );
$post_type = get_post_type_object( $post->post_type );
if ( $post_type && 'post' != $post_type->capability_type ) {
$args = array_merge( array( 'read_' . $post_type->capability_type, $user_id ), $args );
$args = array_merge( array( $post_type->read_cap, $user_id ), $args );
return call_user_func_array( 'map_meta_cap', $args );
}
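Review bot: In all three `map_meta_cap` hunks the recursion now passes `$post_type->delete_cap`, `edit_cap` and `read_cap`, but the guard in front of it still compares `capability_type` to `'post'`; if the registration API lets a type declare `capability_type` `'post'` with a distinct `delete_cap`, that type falls through to the built-in post branch and its custom cap is ignored, and in the reverse case — a non-`'post'` type whose `delete_cap` is literally `delete_post` — the branch re-enters itself with the same cap and never terminates. Guarding on the cap actually passed, `if ( $post_type && 'delete_post' != $post_type->delete_cap )` in the first hunk and `'edit_post'` / `'read_post'` against `edit_cap` / `read_cap` in the other two, keeps the guard and the recursion in step. `$post` from `get_post( $args[0] )` is dereferenced without a null check in each hunk; that predates this change but the new lines inherit it. `map_meta_cap` starts and ends outside these hunks.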