Upstream/WordPress
1
0
Fork 0
mirror of https://github.com/WordPress/WordPress.git synced 2024-06-26 06:45:07 +02:00
Code Issues Projects Releases Wiki Activity

Role/Capability: Use meta caps edit_post, read_post, and delete_post directly.

Browse Source 
Rather than consulting the post type object, let `map_meta_cap()` handle that for us.

Props peterwilsoncc, ocean90.
Fixes #50128.
See #23226.
Built from https://develop.svn.wordpress.org/trunk@47850


git-svn-id: http://core.svn.wordpress.org/trunk@47626 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Dominik Schilling 2020-05-23 15:24:07 +00:00
parent aaeab2f3f5
commit ed71319421
8 changed files with 18 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
wp-includes/class-wp-customize-nav-menus.php
View File

@ -1356,7 +1356,7 @@ final class WP_Customize_Nav_Menus {
if ( ! $post_type_obj ) { if ( ! $post_type_obj ) {
continue; continue;
} }
if ( ! current_user_can( $post_type_obj->cap->publish_posts ) || ! current_user_can( $post_type_obj->cap->edit_post, $post_id ) ) { if ( ! current_user_can( $post_type_obj->cap->publish_posts ) || ! current_user_can( 'edit_post', $post_id ) ) {
continue; continue;
} }
$post_ids[] = $post->ID; $post_ids[] = $post->ID;

17
wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
View File

@ -109,17 +109,12 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
} }
// Attaching media to a post requires ability to edit said post. // Attaching media to a post requires ability to edit said post.
if ( ! empty( $request['post'] ) ) { if ( ! empty( $request['post'] ) && ! current_user_can( 'edit_post', (int) $request['post'] ) ) {
$parent = get_post( (int) $request['post'] ); return new WP_Error(
$post_parent_type = get_post_type_object( $parent->post_type ); 'rest_cannot_edit',
__( 'Sorry, you are not allowed to upload media to this post.' ),
if ( ! current_user_can( $post_parent_type->cap->edit_post, $request['post'] ) ) { array( 'status' => rest_authorization_required_code() )
return new WP_Error( );
'rest_cannot_edit',
__( 'Sorry, you are not allowed to upload media to this post.' ),
array( 'status' => rest_authorization_required_code() )
);
}
} }
return true; return true;

4
wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php
View File

@ -160,9 +160,7 @@ class WP_REST_Autosaves_Controller extends WP_REST_Revisions_Controller {
return $parent; return $parent;
} }
$parent_post_type_obj = get_post_type_object( $parent->post_type ); if ( ! current_user_can( 'edit_post', $parent->ID ) ) {
if ( ! current_user_can( $parent_post_type_obj->cap->edit_post, $parent->ID ) ) {
return new WP_Error( return new WP_Error(
'rest_cannot_read', 'rest_cannot_read',
__( 'Sorry, you are not allowed to view autosaves of this post.' ), __( 'Sorry, you are not allowed to view autosaves of this post.' ),

5
wp-includes/rest-api/endpoints/class-wp-rest-blocks-controller.php
View File

@ -28,9 +28,8 @@ class WP_REST_Blocks_Controller extends WP_REST_Posts_Controller {
* @return bool Whether the block can be read. * @return bool Whether the block can be read.
*/ */
public function check_read_permission( $post ) { public function check_read_permission( $post ) {
// Ensure that the user is logged in and has the read_blocks capability. // By default the read_post capability is mapped to edit_posts.
$post_type = get_post_type_object( $post->post_type ); if ( ! current_user_can( 'read_post', $post->ID ) ) {
if ( ! current_user_can( $post_type->cap->read_post, $post->ID ) ) {
return false; return false;
} }

2
wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
View File

@ -1774,7 +1774,7 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
} }
if ( post_password_required( $post ) ) { if ( post_password_required( $post ) ) {
$result = current_user_can( $post_type->cap->edit_post, $post->ID ); $result = current_user_can( 'edit_post', $post->ID );
} else { } else {
$result = $posts_controller->check_read_permission( $post ); $result = $posts_controller->check_read_permission( $post );
} }

6
wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
View File

@ -1479,7 +1479,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
} }
// Is the post readable? // Is the post readable?
if ( 'publish' === $post->post_status || current_user_can( $post_type->cap->read_post, $post->ID ) ) { if ( 'publish' === $post->post_status || current_user_can( 'read_post', $post->ID ) ) {
return true; return true;
} }
@ -1522,7 +1522,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
return false; return false;
} }
return current_user_can( $post_type->cap->edit_post, $post->ID ); return current_user_can( 'edit_post', $post->ID );
} }
/** /**
@ -1558,7 +1558,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
return false; return false;
} }
return current_user_can( $post_type->cap->delete_post, $post->ID ); return current_user_can( 'delete_post', $post->ID );
} }
/** /**

10
wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
View File

@ -169,9 +169,7 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller {
return $parent; return $parent;
} }
$parent_post_type_obj = get_post_type_object( $parent->post_type ); if ( ! current_user_can( 'edit_post', $parent->ID ) ) {
if ( ! current_user_can( $parent_post_type_obj->cap->edit_post, $parent->ID ) ) {
return new WP_Error( return new WP_Error(
'rest_cannot_read', 'rest_cannot_read',
__( 'Sorry, you are not allowed to view revisions of this post.' ), __( 'Sorry, you are not allowed to view revisions of this post.' ),
@ -409,7 +407,7 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller {
$parent_post_type = get_post_type_object( $parent->post_type ); $parent_post_type = get_post_type_object( $parent->post_type );
if ( ! current_user_can( $parent_post_type->cap->delete_post, $parent->ID ) ) { if ( ! current_user_can( 'delete_post', $parent->ID ) ) {
return new WP_Error( return new WP_Error(
'rest_cannot_delete', 'rest_cannot_delete',
__( 'Sorry, you are not allowed to delete revisions of this post.' ), __( 'Sorry, you are not allowed to delete revisions of this post.' ),
@ -427,9 +425,7 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller {
return $response; return $response;
} }
$post_type = get_post_type_object( 'revision' ); if ( ! current_user_can( 'delete_post', $revision->ID ) ) {
if ( ! current_user_can( $post_type->cap->delete_post, $revision->ID ) ) {
return new WP_Error( return new WP_Error(
'rest_cannot_delete', 'rest_cannot_delete',
__( 'Sorry, you are not allowed to delete this revision.' ), __( 'Sorry, you are not allowed to delete this revision.' ),

2
wp-includes/version.php
View File

@ -13,7 +13,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '5.5-alpha-47849'; $wp_version = '5.5-alpha-47850';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.