Use meta caps edit_post, read_post, and delete_post directly, rather than consulting the post type object. map_meta_cap() handles that for us. props markjaquith, kovshenin. fixes #23226.

git-svn-id: http://core.svn.wordpress.org/trunk@24593 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Andrew Nacin 2013-07-08 20:05:42 +00:00
parent 3039682176
commit c2db94d10c
12 changed files with 28 additions and 37 deletions


@ -47,8 +47,7 @@ if ( isset($_REQUEST['attachment_id']) && ($id = intval($_REQUEST['attachment_id
$post = get_post( $id ); $post = get_post( $id );
if ( 'attachment' != $post->post_type ) if ( 'attachment' != $post->post_type )
wp_die( __( 'Unknown post type.' ) ); wp_die( __( 'Unknown post type.' ) );
$post_type_object = get_post_type_object( 'attachment' ); if ( ! current_user_can( 'edit_post', $id ) )
if ( ! current_user_can( $post_type_object->cap->edit_post, $id ) )
wp_die( __( 'You are not allowed to edit this item.' ) ); wp_die( __( 'You are not allowed to edit this item.' ) );
switch ( $_REQUEST['fetch'] ) { switch ( $_REQUEST['fetch'] ) {
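Review bot: `$post` from `get_post( $id )` is dereferenced on the very next line with no null check, so an attachment_id that matches no post emits a notice before the type mismatch reaches `wp_die()`. Tightening the guard that sits directly above the new cap check keeps that path clean: `if ( ! $post || 'attachment' != $post->post_type )`. The new `current_user_can( 'edit_post', $id )` then only runs for an existing attachment, which is also what map_meta_cap() needs in order to resolve the meta cap through the post's own type. The enclosing block starts and ends outside the hunk.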


@ -78,7 +78,7 @@ if ( $doaction ) {
$trashed = $locked = 0; $trashed = $locked = 0;
foreach( (array) $post_ids as $post_id ) { foreach( (array) $post_ids as $post_id ) {
if ( !current_user_can($post_type_object->cap->delete_post, $post_id) ) if ( !current_user_can( 'delete_post', $post_id) )
wp_die( __('You are not allowed to move this item to the Trash.') ); wp_die( __('You are not allowed to move this item to the Trash.') );
if ( wp_check_post_lock( $post_id ) ) { if ( wp_check_post_lock( $post_id ) ) {
@ -97,7 +97,7 @@ if ( $doaction ) {
case 'untrash': case 'untrash':
$untrashed = 0; $untrashed = 0;
foreach( (array) $post_ids as $post_id ) { foreach( (array) $post_ids as $post_id ) {
if ( !current_user_can($post_type_object->cap->delete_post, $post_id) ) if ( !current_user_can( 'delete_post', $post_id) )
wp_die( __('You are not allowed to restore this item from the Trash.') ); wp_die( __('You are not allowed to restore this item from the Trash.') );
if ( !wp_untrash_post($post_id) ) if ( !wp_untrash_post($post_id) )
@ -112,7 +112,7 @@ if ( $doaction ) {
foreach( (array) $post_ids as $post_id ) { foreach( (array) $post_ids as $post_id ) {
$post_del = get_post($post_id); $post_del = get_post($post_id);
if ( !current_user_can($post_type_object->cap->delete_post, $post_id) ) if ( !current_user_can( 'delete_post', $post_id ) )
wp_die( __('You are not allowed to delete this item.') ); wp_die( __('You are not allowed to delete this item.') );
if ( $post_del->post_type == 'attachment' ) { if ( $post_del->post_type == 'attachment' ) {
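Review bot: In the delete loop, `$post_del = get_post($post_id)` is never checked for null before `$post_del->post_type` is read right after the new `delete_post` check, so a submitted id that matches no post only avoids that dereference if the cap check happens to fail for a missing post; rather than rely on how map_meta_cap() treats a null post, reject it explicitly with `if ( ! $post_del ) continue;` (or a `wp_die()` in the style of the neighbouring lines) before the cap check. The switch to the `'delete_post'` meta cap in all three loops also deserves a one-line comment, since it is presumably what makes ids of a different type than the screen's safe: `// 'delete_post' is a meta cap; map_meta_cap() resolves it per post, not per screen post type.` The enclosing switch starts and ends outside these hunks.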


@ -480,7 +480,7 @@ class WP_Posts_List_Table extends WP_List_Table {
$edit_link = get_edit_post_link( $post->ID ); $edit_link = get_edit_post_link( $post->ID );
$title = _draft_or_post_title(); $title = _draft_or_post_title();
$post_type_object = get_post_type_object( $post->post_type ); $post_type_object = get_post_type_object( $post->post_type );
$can_edit_post = current_user_can( $post_type_object->cap->edit_post, $post->ID ); $can_edit_post = current_user_can( 'edit_post', $post->ID );
$alternate = 'alternate' == $alternate ? '' : 'alternate'; $alternate = 'alternate' == $alternate ? '' : 'alternate';
$classes = $alternate . ' iedit author-' . ( get_current_user_id() == $post->post_author ? 'self' : 'other' ); $classes = $alternate . ' iedit author-' . ( get_current_user_id() == $post->post_author ? 'self' : 'other' );
@ -585,7 +585,7 @@ class WP_Posts_List_Table extends WP_List_Table {
$actions['edit'] = '<a href="' . get_edit_post_link( $post->ID, true ) . '" title="' . esc_attr( __( 'Edit this item' ) ) . '">' . __( 'Edit' ) . '</a>'; $actions['edit'] = '<a href="' . get_edit_post_link( $post->ID, true ) . '" title="' . esc_attr( __( 'Edit this item' ) ) . '">' . __( 'Edit' ) . '</a>';
$actions['inline hide-if-no-js'] = '<a href="#" class="editinline" title="' . esc_attr( __( 'Edit this item inline' ) ) . '">' . __( 'Quick&nbsp;Edit' ) . '</a>'; $actions['inline hide-if-no-js'] = '<a href="#" class="editinline" title="' . esc_attr( __( 'Edit this item inline' ) ) . '">' . __( 'Quick&nbsp;Edit' ) . '</a>';
} }
if ( current_user_can( $post_type_object->cap->delete_post, $post->ID ) ) { if ( current_user_can( 'delete_post', $post->ID ) ) {
if ( 'trash' == $post->post_status ) if ( 'trash' == $post->post_status )
$actions['untrash'] = "<a title='" . esc_attr( __( 'Restore this item from the Trash' ) ) . "' href='" . wp_nonce_url( admin_url( sprintf( $post_type_object->_edit_link . '&amp;action=untrash', $post->ID ) ), 'untrash-post_' . $post->ID ) . "'>" . __( 'Restore' ) . "</a>"; $actions['untrash'] = "<a title='" . esc_attr( __( 'Restore this item from the Trash' ) ) . "' href='" . wp_nonce_url( admin_url( sprintf( $post_type_object->_edit_link . '&amp;action=untrash', $post->ID ) ), 'untrash-post_' . $post->ID ) . "'>" . __( 'Restore' ) . "</a>";
elseif ( EMPTY_TRASH_DAYS ) elseif ( EMPTY_TRASH_DAYS )
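Review bot: After this change `$post_type_object` in this method looks unused between its assignment and the `_edit_link` lookup in the untrash action much further down, which invites a later cleanup to delete it; a comment at the assignment would prevent that: `// Still needed below for $post_type_object->_edit_link in the row actions.` The same applies to get_edit_post_link() and get_delete_post_link() in the later section, where the object's visible use is now only the existence check and the `_edit_link` URL. The method starts and ends outside the hunks.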


@ -496,9 +496,8 @@ function media_upload_form_handler() {
if ( !empty($_POST['attachments']) ) foreach ( $_POST['attachments'] as $attachment_id => $attachment ) { if ( !empty($_POST['attachments']) ) foreach ( $_POST['attachments'] as $attachment_id => $attachment ) {
$post = $_post = get_post($attachment_id, ARRAY_A); $post = $_post = get_post($attachment_id, ARRAY_A);
$post_type_object = get_post_type_object( $post[ 'post_type' ] );
if ( !current_user_can( $post_type_object->cap->edit_post, $attachment_id ) ) if ( !current_user_can( 'edit_post', $attachment_id ) )
continue; continue;
if ( isset($attachment['post_content']) ) if ( isset($attachment['post_content']) )
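Review bot: `$attachment_id` is a key taken straight from `$_POST['attachments']`, and `$post` from `get_post($attachment_id, ARRAY_A)` is not checked before the new cap check; the old line at least read `$post['post_type']`, while the new one passes the raw id to `current_user_can( 'edit_post', ... )` and the loop then presumably goes on to update `$post`. Fail fast on an id that matches no post by widening the continue condition to `if ( ! $post || ! current_user_can( 'edit_post', $attachment_id ) )`. That keeps the remainder of the loop body from ever running on an empty result. media_upload_form_handler() starts and ends outside the hunk.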


@ -28,7 +28,7 @@ function _wp_translate_postdata( $update = false, $post_data = null ) {
$ptype = get_post_type_object( $post_data['post_type'] ); $ptype = get_post_type_object( $post_data['post_type'] );
if ( $update && ! current_user_can( $ptype->cap->edit_post, $post_data['ID'] ) ) { if ( $update && ! current_user_can( 'edit_post', $post_data['ID'] ) ) {
if ( 'page' == $post_data['post_type'] ) if ( 'page' == $post_data['post_type'] )
return new WP_Error( 'edit_others_pages', __( 'You are not allowed to edit pages as this user.' ) ); return new WP_Error( 'edit_others_pages', __( 'You are not allowed to edit pages as this user.' ) );
else else
@ -172,7 +172,7 @@ function edit_post( $post_data = null ) {
$post_data['post_mime_type'] = $post->post_mime_type; $post_data['post_mime_type'] = $post->post_mime_type;
$ptype = get_post_type_object($post_data['post_type']); $ptype = get_post_type_object($post_data['post_type']);
if ( !current_user_can( $ptype->cap->edit_post, $post_ID ) ) { if ( !current_user_can( 'edit_post', $post_ID ) ) {
if ( 'page' == $post_data['post_type'] ) if ( 'page' == $post_data['post_type'] )
wp_die( __('You are not allowed to edit this page.' )); wp_die( __('You are not allowed to edit this page.' ));
else else
@ -374,7 +374,7 @@ function bulk_edit_posts( $post_data = null ) {
foreach ( $post_IDs as $post_ID ) { foreach ( $post_IDs as $post_ID ) {
$post_type_object = get_post_type_object( get_post_type( $post_ID ) ); $post_type_object = get_post_type_object( get_post_type( $post_ID ) );
if ( !isset( $post_type_object ) || ( isset($children) && in_array($post_ID, $children) ) || !current_user_can( $post_type_object->cap->edit_post, $post_ID ) ) { if ( !isset( $post_type_object ) || ( isset($children) && in_array($post_ID, $children) ) || !current_user_can( 'edit_post', $post_ID ) ) {
$skipped[] = $post_ID; $skipped[] = $post_ID;
continue; continue;
} }
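Review bot: The security-relevant effect here deserves a comment, because it is easy to undo by accident: with `'edit_post'` the capability is, per the commit message, resolved by map_meta_cap() against the stored post, whereas the old `$ptype->cap->edit_post` was derived from `$post_data['post_type']`, i.e. from the data being submitted. In _wp_translate_postdata() and edit_post() I would add `// Meta cap: resolved through the stored post's type, not the submitted post_type.` above the check. Note that the error branch immediately below still picks its message from `$post_data['post_type']`, which is fine for wording but should not be mistaken for a check. Both functions start and end outside the hunks.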


@ -240,7 +240,7 @@ function wp_link_category_checklist( $link_id = 0 ) {
*/ */
function get_inline_data($post) { function get_inline_data($post) {
$post_type_object = get_post_type_object($post->post_type); $post_type_object = get_post_type_object($post->post_type);
if ( ! current_user_can($post_type_object->cap->edit_post, $post->ID) ) if ( ! current_user_can( 'edit_post', $post->ID ) )
return; return;
$title = esc_textarea( trim( $post->post_title ) ); $title = esc_textarea( trim( $post->post_title ) );


@ -139,7 +139,7 @@ case 'edit':
if ( ! $post_type_object ) if ( ! $post_type_object )
wp_die( __( 'Unknown post type.' ) ); wp_die( __( 'Unknown post type.' ) );
if ( ! current_user_can( $post_type_object->cap->edit_post, $post_id ) ) if ( ! current_user_can( 'edit_post', $post_id ) )
wp_die( __( 'You are not allowed to edit this item.' ) ); wp_die( __( 'You are not allowed to edit this item.' ) );
if ( 'trash' == $post->post_status ) if ( 'trash' == $post->post_status )
@ -235,7 +235,7 @@ case 'trash':
if ( ! $post_type_object ) if ( ! $post_type_object )
wp_die( __( 'Unknown post type.' ) ); wp_die( __( 'Unknown post type.' ) );
if ( ! current_user_can( $post_type_object->cap->delete_post, $post_id ) ) if ( ! current_user_can( 'delete_post', $post_id ) )
wp_die( __( 'You are not allowed to move this item to the Trash.' ) ); wp_die( __( 'You are not allowed to move this item to the Trash.' ) );
if ( $user_id = wp_check_post_lock( $post_id ) ) { if ( $user_id = wp_check_post_lock( $post_id ) ) {
@ -259,7 +259,7 @@ case 'untrash':
if ( ! $post_type_object ) if ( ! $post_type_object )
wp_die( __( 'Unknown post type.' ) ); wp_die( __( 'Unknown post type.' ) );
if ( ! current_user_can( $post_type_object->cap->delete_post, $post_id ) ) if ( ! current_user_can( 'delete_post', $post_id ) )
wp_die( __( 'You are not allowed to move this item out of the Trash.' ) ); wp_die( __( 'You are not allowed to move this item out of the Trash.' ) );
if ( ! wp_untrash_post( $post_id ) ) if ( ! wp_untrash_post( $post_id ) )
@ -278,7 +278,7 @@ case 'delete':
if ( ! $post_type_object ) if ( ! $post_type_object )
wp_die( __( 'Unknown post type.' ) ); wp_die( __( 'Unknown post type.' ) );
if ( ! current_user_can( $post_type_object->cap->delete_post, $post_id ) ) if ( ! current_user_can( 'delete_post', $post_id ) )
wp_die( __( 'You are not allowed to delete this item.' ) ); wp_die( __( 'You are not allowed to delete this item.' ) );
$force = ! EMPTY_TRASH_DAYS; $force = ! EMPTY_TRASH_DAYS;
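Review bot: The four cases now fetch `$post_type_object` only to reject an unregistered type before the meta-cap check, and that ordering matters: the commit message says map_meta_cap() consults the post type object for `'edit_post'`/`'delete_post'`, so the `Unknown post type.` gate has to stay in front of the cap check rather than be folded away as dead code now that the object is otherwise unused here. A one-line comment on the first case would make that explicit: `// Keep this check: the meta cap below is mapped through the post type object.` The switch starts and ends outside the hunks.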


@ -429,7 +429,7 @@ function wp_admin_bar_edit_menu( $wp_admin_bar ) {
if ( 'post' == $current_screen->base if ( 'post' == $current_screen->base
&& 'add' != $current_screen->action && 'add' != $current_screen->action
&& ( $post_type_object = get_post_type_object( $post->post_type ) ) && ( $post_type_object = get_post_type_object( $post->post_type ) )
&& current_user_can( $post_type_object->cap->read_post, $post->ID ) && current_user_can( 'read_post', $post->ID )
&& ( $post_type_object->public ) && ( $post_type_object->public )
&& ( $post_type_object->show_in_admin_bar ) ) && ( $post_type_object->show_in_admin_bar ) )
{ {
@ -457,7 +457,7 @@ function wp_admin_bar_edit_menu( $wp_admin_bar ) {
if ( ! empty( $current_object->post_type ) if ( ! empty( $current_object->post_type )
&& ( $post_type_object = get_post_type_object( $current_object->post_type ) ) && ( $post_type_object = get_post_type_object( $current_object->post_type ) )
&& current_user_can( $post_type_object->cap->edit_post, $current_object->ID ) && current_user_can( 'edit_post', $current_object->ID )
&& $post_type_object->show_ui && $post_type_object->show_in_admin_bar ) && $post_type_object->show_ui && $post_type_object->show_in_admin_bar )
{ {
$wp_admin_bar->add_menu( array( $wp_admin_bar->add_menu( array(


@ -1162,8 +1162,7 @@ function map_meta_cap( $cap, $user_id ) {
case 'delete_post_meta': case 'delete_post_meta':
case 'add_post_meta': case 'add_post_meta':
$post = get_post( $args[0] ); $post = get_post( $args[0] );
$post_type_object = get_post_type_object( $post->post_type ); $caps = map_meta_cap( 'edit_post', $user_id, $post->ID );
$caps = map_meta_cap( $post_type_object->cap->edit_post, $user_id, $post->ID );
$meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false; $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false;
@ -1178,9 +1177,7 @@ function map_meta_cap( $cap, $user_id ) {
case 'edit_comment': case 'edit_comment':
$comment = get_comment( $args[0] ); $comment = get_comment( $args[0] );
$post = get_post( $comment->comment_post_ID ); $post = get_post( $comment->comment_post_ID );
$post_type_object = get_post_type_object( $post->post_type ); $caps = map_meta_cap( 'edit_post', $user_id, $post->ID );
$caps = map_meta_cap( $post_type_object->cap->edit_post, $user_id, $post->ID );
break; break;
case 'unfiltered_upload': case 'unfiltered_upload':
if ( defined('ALLOW_UNFILTERED_UPLOADS') && ALLOW_UNFILTERED_UPLOADS && ( !is_multisite() || is_super_admin( $user_id ) ) ) if ( defined('ALLOW_UNFILTERED_UPLOADS') && ALLOW_UNFILTERED_UPLOADS && ( !is_multisite() || is_super_admin( $user_id ) ) )
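Review bot: The new `map_meta_cap( 'edit_post', $user_id, $post->ID )` calls dereference `$post` straight after `get_post()` with no null check, and in the `edit_comment` case `$comment` is not checked either; with an unknown comment id `$comment->comment_post_ID` is null, and as far as I recall get_post() with an empty id falls back to the global post, so the edit check could end up evaluated against an unrelated post — worth confirming. Fail closed before recursing: `if ( ! $comment ) { $caps[] = 'do_not_allow'; break; }` after the get_comment() call, and `if ( ! $post ) { $caps[] = 'do_not_allow'; break; }` after each get_post(), including the meta-cap cases in the first hunk. map_meta_cap() starts and ends outside the hunks.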


@ -1017,7 +1017,7 @@ class wp_xmlrpc_server extends IXR_Server {
if ( $update ) { if ( $update ) {
if ( ! get_post( $post_data['ID'] ) ) if ( ! get_post( $post_data['ID'] ) )
return new IXR_Error( 401, __( 'Invalid post ID.' ) ); return new IXR_Error( 401, __( 'Invalid post ID.' ) );
if ( ! current_user_can( $post_type->cap->edit_post, $post_data['ID'] ) ) if ( ! current_user_can( 'edit_post', $post_data['ID'] ) )
return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this post.' ) ); return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this post.' ) );
if ( $post_data['post_type'] != get_post_type( $post_data['ID'] ) ) if ( $post_data['post_type'] != get_post_type( $post_data['ID'] ) )
return new IXR_Error( 401, __( 'The post type may not be changed.' ) ); return new IXR_Error( 401, __( 'The post type may not be changed.' ) );
@ -1327,8 +1327,7 @@ class wp_xmlrpc_server extends IXR_Server {
if ( empty( $post['ID'] ) ) if ( empty( $post['ID'] ) )
return new IXR_Error( 404, __( 'Invalid post ID.' ) ); return new IXR_Error( 404, __( 'Invalid post ID.' ) );
$post_type = get_post_type_object( $post['post_type'] ); if ( ! current_user_can( 'delete_post', $post_id ) )
if ( ! current_user_can( $post_type->cap->delete_post, $post_id ) )
return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete this post.' ) ); return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete this post.' ) );
$result = wp_delete_post( $post_id ); $result = wp_delete_post( $post_id );
@ -1409,8 +1408,7 @@ class wp_xmlrpc_server extends IXR_Server {
if ( empty( $post['ID'] ) ) if ( empty( $post['ID'] ) )
return new IXR_Error( 404, __( 'Invalid post ID.' ) ); return new IXR_Error( 404, __( 'Invalid post ID.' ) );
$post_type = get_post_type_object( $post['post_type'] ); if ( ! current_user_can( 'edit_post', $post_id ) )
if ( ! current_user_can( $post_type->cap->edit_post, $post_id ) )
return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) ); return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) );
return $this->_prepare_post( $post, $fields ); return $this->_prepare_post( $post, $fields );
@ -1505,8 +1503,7 @@ class wp_xmlrpc_server extends IXR_Server {
$struct = array(); $struct = array();
foreach ( $posts_list as $post ) { foreach ( $posts_list as $post ) {
$post_type = get_post_type_object( $post['post_type'] ); if ( ! current_user_can( 'edit_post', $post['ID'] ) )
if ( ! current_user_can( $post_type->cap->edit_post, $post['ID'] ) )
continue; continue;
$struct[] = $this->_prepare_post( $post, $fields ); $struct[] = $this->_prepare_post( $post, $fields );


@ -906,7 +906,7 @@ function get_edit_post_link( $id = 0, $context = 'display' ) {
if ( !$post_type_object ) if ( !$post_type_object )
return; return;
if ( !current_user_can( $post_type_object->cap->edit_post, $post->ID ) ) if ( !current_user_can( 'edit_post', $post->ID ) )
return; return;
return apply_filters( 'get_edit_post_link', admin_url( sprintf($post_type_object->_edit_link . $action, $post->ID) ), $post->ID, $context ); return apply_filters( 'get_edit_post_link', admin_url( sprintf($post_type_object->_edit_link . $action, $post->ID) ), $post->ID, $context );
@ -960,7 +960,7 @@ function get_delete_post_link( $id = 0, $deprecated = '', $force_delete = false
if ( !$post_type_object ) if ( !$post_type_object )
return; return;
if ( !current_user_can( $post_type_object->cap->delete_post, $post->ID ) ) if ( !current_user_can( 'delete_post', $post->ID ) )
return; return;
$action = ( $force_delete || !EMPTY_TRASH_DAYS ) ? 'delete' : 'trash'; $action = ( $force_delete || !EMPTY_TRASH_DAYS ) ? 'delete' : 'trash';


@ -2440,14 +2440,13 @@ class WP_Query {
$post_type_object = get_post_type_object ( 'post' ); $post_type_object = get_post_type_object ( 'post' );
} }
$edit_cap = 'edit_post';
$read_cap = 'read_post';
if ( ! empty( $post_type_object ) ) { if ( ! empty( $post_type_object ) ) {
$edit_cap = $post_type_object->cap->edit_post;
$read_cap = $post_type_object->cap->read_post;
$edit_others_cap = $post_type_object->cap->edit_others_posts; $edit_others_cap = $post_type_object->cap->edit_others_posts;
$read_private_cap = $post_type_object->cap->read_private_posts; $read_private_cap = $post_type_object->cap->read_private_posts;
} else { } else {
$edit_cap = 'edit_' . $post_type_cap;
$read_cap = 'read_' . $post_type_cap;
$edit_others_cap = 'edit_others_' . $post_type_cap . 's'; $edit_others_cap = 'edit_others_' . $post_type_cap . 's';
$read_private_cap = 'read_private_' . $post_type_cap . 's'; $read_private_cap = 'read_private_' . $post_type_cap . 's';
} }