Use meta caps edit_post, read_post, and delete_post directly, rather than consulting the post type object. map_meta_cap() handles that for us. props markjaquith, kovshenin. fixes #23226.
git-svn-id: https://develop.svn.wordpress.org/trunk@24593 602fd350-edb4-49c9-b593-d223f7449a82
parent
e16dca6fc9
commit
f3b332e9bb
@ -47,8 +47,7 @@ if ( isset($_REQUEST['attachment_id']) && ($id = intval($_REQUEST['attachment_id
|
||||
$post = get_post( $id );
|
||||
if ( 'attachment' != $post->post_type )
|
||||
wp_die( __( 'Unknown post type.' ) );
|
||||
$post_type_object = get_post_type_object( 'attachment' );
|
||||
if ( ! current_user_can( $post_type_object->cap->edit_post, $id ) )
|
||||
if ( ! current_user_can( 'edit_post', $id ) )
|
||||
wp_die( __( 'You are not allowed to edit this item.' ) );
|
||||
|
||||
switch ( $_REQUEST['fetch'] ) {
|
||||
|
@ -78,7 +78,7 @@ if ( $doaction ) {
|
||||
$trashed = $locked = 0;
|
||||
|
||||
foreach( (array) $post_ids as $post_id ) {
|
||||
if ( !current_user_can($post_type_object->cap->delete_post, $post_id) )
|
||||
if ( !current_user_can( 'delete_post', $post_id) )
|
||||
wp_die( __('You are not allowed to move this item to the Trash.') );
|
||||
|
||||
if ( wp_check_post_lock( $post_id ) ) {
|
||||
@ -97,7 +97,7 @@ if ( $doaction ) {
|
||||
case 'untrash':
|
||||
$untrashed = 0;
|
||||
foreach( (array) $post_ids as $post_id ) {
|
||||
if ( !current_user_can($post_type_object->cap->delete_post, $post_id) )
|
||||
if ( !current_user_can( 'delete_post', $post_id) )
|
||||
wp_die( __('You are not allowed to restore this item from the Trash.') );
|
||||
|
||||
if ( !wp_untrash_post($post_id) )
|
||||
@ -112,7 +112,7 @@ if ( $doaction ) {
|
||||
foreach( (array) $post_ids as $post_id ) {
|
||||
$post_del = get_post($post_id);
|
||||
|
||||
if ( !current_user_can($post_type_object->cap->delete_post, $post_id) )
|
||||
if ( !current_user_can( 'delete_post', $post_id ) )
|
||||
wp_die( __('You are not allowed to delete this item.') );
|
||||
|
||||
if ( $post_del->post_type == 'attachment' ) {
|
||||
|
@ -480,7 +480,7 @@ class WP_Posts_List_Table extends WP_List_Table {
|
||||
$edit_link = get_edit_post_link( $post->ID );
|
||||
$title = _draft_or_post_title();
|
||||
$post_type_object = get_post_type_object( $post->post_type );
|
||||
$can_edit_post = current_user_can( $post_type_object->cap->edit_post, $post->ID );
|
||||
$can_edit_post = current_user_can( 'edit_post', $post->ID );
|
||||
|
||||
$alternate = 'alternate' == $alternate ? '' : 'alternate';
|
||||
$classes = $alternate . ' iedit author-' . ( get_current_user_id() == $post->post_author ? 'self' : 'other' );
|
||||
@ -585,7 +585,7 @@ class WP_Posts_List_Table extends WP_List_Table {
|
||||
$actions['edit'] = '<a href="' . get_edit_post_link( $post->ID, true ) . '" title="' . esc_attr( __( 'Edit this item' ) ) . '">' . __( 'Edit' ) . '</a>';
|
||||
$actions['inline hide-if-no-js'] = '<a href="#" class="editinline" title="' . esc_attr( __( 'Edit this item inline' ) ) . '">' . __( 'Quick Edit' ) . '</a>';
|
||||
}
|
||||
if ( current_user_can( $post_type_object->cap->delete_post, $post->ID ) ) {
|
||||
if ( current_user_can( 'delete_post', $post->ID ) ) {
|
||||
if ( 'trash' == $post->post_status )
|
||||
$actions['untrash'] = "<a title='" . esc_attr( __( 'Restore this item from the Trash' ) ) . "' href='" . wp_nonce_url( admin_url( sprintf( $post_type_object->_edit_link . '&action=untrash', $post->ID ) ), 'untrash-post_' . $post->ID ) . "'>" . __( 'Restore' ) . "</a>";
|
||||
elseif ( EMPTY_TRASH_DAYS )
|
||||
|
@ -496,9 +496,8 @@ function media_upload_form_handler() {
|
||||
|
||||
if ( !empty($_POST['attachments']) ) foreach ( $_POST['attachments'] as $attachment_id => $attachment ) {
|
||||
$post = $_post = get_post($attachment_id, ARRAY_A);
|
||||
$post_type_object = get_post_type_object( $post[ 'post_type' ] );
|
||||
|
||||
if ( !current_user_can( $post_type_object->cap->edit_post, $attachment_id ) )
|
||||
if ( !current_user_can( 'edit_post', $attachment_id ) )
|
||||
continue;
|
||||
|
||||
if ( isset($attachment['post_content']) )
|
||||
|
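Review bot: The new `edit_post` check on `$attachment_id` runs before anything confirms that `get_post( $attachment_id, ARRAY_A )` returned a row; `$attachment_id` is an array key taken straight from `$_POST['attachments']`, so an unknown ID leaves `$post` null and the loop goes on to read `$post['post_content']` and the rest of the row. Since the commit now leans entirely on map_meta_cap() for the per-post decision, I'd fail closed on the missing post first: `if ( ! $post || ! current_user_can( 'edit_post', $attachment_id ) )` followed by the existing `continue;`. How map_meta_cap() resolves `edit_post` for a non-existent ID is not visible here, so I would not assume it denies. media_upload_form_handler() continues outside the hunk.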
@ -28,7 +28,7 @@ function _wp_translate_postdata( $update = false, $post_data = null ) {
|
||||
|
||||
$ptype = get_post_type_object( $post_data['post_type'] );
|
||||
|
||||
if ( $update && ! current_user_can( $ptype->cap->edit_post, $post_data['ID'] ) ) {
|
||||
if ( $update && ! current_user_can( 'edit_post', $post_data['ID'] ) ) {
|
||||
if ( 'page' == $post_data['post_type'] )
|
||||
return new WP_Error( 'edit_others_pages', __( 'You are not allowed to edit pages as this user.' ) );
|
||||
else
|
||||
@ -172,7 +172,7 @@ function edit_post( $post_data = null ) {
|
||||
$post_data['post_mime_type'] = $post->post_mime_type;
|
||||
|
||||
$ptype = get_post_type_object($post_data['post_type']);
|
||||
if ( !current_user_can( $ptype->cap->edit_post, $post_ID ) ) {
|
||||
if ( !current_user_can( 'edit_post', $post_ID ) ) {
|
||||
if ( 'page' == $post_data['post_type'] )
|
||||
wp_die( __('You are not allowed to edit this page.' ));
|
||||
else
|
||||
@ -374,7 +374,7 @@ function bulk_edit_posts( $post_data = null ) {
|
||||
foreach ( $post_IDs as $post_ID ) {
|
||||
$post_type_object = get_post_type_object( get_post_type( $post_ID ) );
|
||||
|
||||
if ( !isset( $post_type_object ) || ( isset($children) && in_array($post_ID, $children) ) || !current_user_can( $post_type_object->cap->edit_post, $post_ID ) ) {
|
||||
if ( !isset( $post_type_object ) || ( isset($children) && in_array($post_ID, $children) ) || !current_user_can( 'edit_post', $post_ID ) ) {
|
||||
$skipped[] = $post_ID;
|
||||
continue;
|
||||
}
|
||||
|
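Review bot: With the cap check switched to the `edit_post` meta cap, `$post_type_object` in this loop is only consulted by the `isset()` guard, which now reads like an unrelated leftover; a one-line comment would stop the next reader from deleting it, e.g. `// get_post_type() is false for a missing post, so a null object here means "no such post or unregistered type": skip it.` That assumes the variable is not read later in the loop, which the hunk does not show. While the condition is being rewritten, `in_array( $post_ID, $children, true )` avoids the loose comparison; both sides are presumably integer IDs, so this is hygiene rather than a bug. bulk_edit_posts() continues outside the hunk.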
@ -240,7 +240,7 @@ function wp_link_category_checklist( $link_id = 0 ) {
|
||||
*/
|
||||
function get_inline_data($post) {
|
||||
$post_type_object = get_post_type_object($post->post_type);
|
||||
if ( ! current_user_can($post_type_object->cap->edit_post, $post->ID) )
|
||||
if ( ! current_user_can( 'edit_post', $post->ID ) )
|
||||
return;
|
||||
|
||||
$title = esc_textarea( trim( $post->post_title ) );
|
||||
|
@ -139,7 +139,7 @@ case 'edit':
|
||||
if ( ! $post_type_object )
|
||||
wp_die( __( 'Unknown post type.' ) );
|
||||
|
||||
if ( ! current_user_can( $post_type_object->cap->edit_post, $post_id ) )
|
||||
if ( ! current_user_can( 'edit_post', $post_id ) )
|
||||
wp_die( __( 'You are not allowed to edit this item.' ) );
|
||||
|
||||
if ( 'trash' == $post->post_status )
|
||||
@ -235,7 +235,7 @@ case 'trash':
|
||||
if ( ! $post_type_object )
|
||||
wp_die( __( 'Unknown post type.' ) );
|
||||
|
||||
if ( ! current_user_can( $post_type_object->cap->delete_post, $post_id ) )
|
||||
if ( ! current_user_can( 'delete_post', $post_id ) )
|
||||
wp_die( __( 'You are not allowed to move this item to the Trash.' ) );
|
||||
|
||||
if ( $user_id = wp_check_post_lock( $post_id ) ) {
|
||||
@ -259,7 +259,7 @@ case 'untrash':
|
||||
if ( ! $post_type_object )
|
||||
wp_die( __( 'Unknown post type.' ) );
|
||||
|
||||
if ( ! current_user_can( $post_type_object->cap->delete_post, $post_id ) )
|
||||
if ( ! current_user_can( 'delete_post', $post_id ) )
|
||||
wp_die( __( 'You are not allowed to move this item out of the Trash.' ) );
|
||||
|
||||
if ( ! wp_untrash_post( $post_id ) )
|
||||
@ -278,7 +278,7 @@ case 'delete':
|
||||
if ( ! $post_type_object )
|
||||
wp_die( __( 'Unknown post type.' ) );
|
||||
|
||||
if ( ! current_user_can( $post_type_object->cap->delete_post, $post_id ) )
|
||||
if ( ! current_user_can( 'delete_post', $post_id ) )
|
||||
wp_die( __( 'You are not allowed to delete this item.' ) );
|
||||
|
||||
$force = ! EMPTY_TRASH_DAYS;
|
||||
|
@ -429,7 +429,7 @@ function wp_admin_bar_edit_menu( $wp_admin_bar ) {
|
||||
if ( 'post' == $current_screen->base
|
||||
&& 'add' != $current_screen->action
|
||||
&& ( $post_type_object = get_post_type_object( $post->post_type ) )
|
||||
&& current_user_can( $post_type_object->cap->read_post, $post->ID )
|
||||
&& current_user_can( 'read_post', $post->ID )
|
||||
&& ( $post_type_object->public )
|
||||
&& ( $post_type_object->show_in_admin_bar ) )
|
||||
{
|
||||
@ -457,7 +457,7 @@ function wp_admin_bar_edit_menu( $wp_admin_bar ) {
|
||||
|
||||
if ( ! empty( $current_object->post_type )
|
||||
&& ( $post_type_object = get_post_type_object( $current_object->post_type ) )
|
||||
&& current_user_can( $post_type_object->cap->edit_post, $current_object->ID )
|
||||
&& current_user_can( 'edit_post', $current_object->ID )
|
||||
&& $post_type_object->show_ui && $post_type_object->show_in_admin_bar )
|
||||
{
|
||||
$wp_admin_bar->add_menu( array(
|
||||
|
@ -1162,8 +1162,7 @@ function map_meta_cap( $cap, $user_id ) {
|
||||
case 'delete_post_meta':
|
||||
case 'add_post_meta':
|
||||
$post = get_post( $args[0] );
|
||||
$post_type_object = get_post_type_object( $post->post_type );
|
||||
$caps = map_meta_cap( $post_type_object->cap->edit_post, $user_id, $post->ID );
|
||||
$caps = map_meta_cap( 'edit_post', $user_id, $post->ID );
|
||||
|
||||
$meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false;
|
||||
|
||||
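Review bot: In the `delete_post_meta`/`add_post_meta` branch the new `map_meta_cap( 'edit_post', $user_id, $post->ID )` is still reached when `get_post( $args[0] )` returns null, so a null ID is handed to the `edit_post` branch and the result depends on how that branch treats a missing post, which is not visible here. A guard that fails closed makes the denial explicit: `if ( ! $post ) { $caps[] = 'do_not_allow'; break; }`. The same applies to the `edit_comment` branch in the next hunk, where `$post` is derived from `$comment->comment_post_ID` and either lookup can miss. map_meta_cap() continues outside both hunks.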
@ -1178,9 +1177,7 @@ function map_meta_cap( $cap, $user_id ) {
|
||||
case 'edit_comment':
|
||||
$comment = get_comment( $args[0] );
|
||||
$post = get_post( $comment->comment_post_ID );
|
||||
$post_type_object = get_post_type_object( $post->post_type );
|
||||
|
||||
$caps = map_meta_cap( $post_type_object->cap->edit_post, $user_id, $post->ID );
|
||||
$caps = map_meta_cap( 'edit_post', $user_id, $post->ID );
|
||||
break;
|
||||
case 'unfiltered_upload':
|
||||
if ( defined('ALLOW_UNFILTERED_UPLOADS') && ALLOW_UNFILTERED_UPLOADS && ( !is_multisite() || is_super_admin( $user_id ) ) )
|
||||
|
@ -1017,7 +1017,7 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||
if ( $update ) {
|
||||
if ( ! get_post( $post_data['ID'] ) )
|
||||
return new IXR_Error( 401, __( 'Invalid post ID.' ) );
|
||||
if ( ! current_user_can( $post_type->cap->edit_post, $post_data['ID'] ) )
|
||||
if ( ! current_user_can( 'edit_post', $post_data['ID'] ) )
|
||||
return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this post.' ) );
|
||||
if ( $post_data['post_type'] != get_post_type( $post_data['ID'] ) )
|
||||
return new IXR_Error( 401, __( 'The post type may not be changed.' ) );
|
||||
@ -1327,8 +1327,7 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||
if ( empty( $post['ID'] ) )
|
||||
return new IXR_Error( 404, __( 'Invalid post ID.' ) );
|
||||
|
||||
$post_type = get_post_type_object( $post['post_type'] );
|
||||
if ( ! current_user_can( $post_type->cap->delete_post, $post_id ) )
|
||||
if ( ! current_user_can( 'delete_post', $post_id ) )
|
||||
return new IXR_Error( 401, __( 'Sorry, you are not allowed to delete this post.' ) );
|
||||
|
||||
$result = wp_delete_post( $post_id );
|
||||
@ -1409,8 +1408,7 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||
if ( empty( $post['ID'] ) )
|
||||
return new IXR_Error( 404, __( 'Invalid post ID.' ) );
|
||||
|
||||
$post_type = get_post_type_object( $post['post_type'] );
|
||||
if ( ! current_user_can( $post_type->cap->edit_post, $post_id ) )
|
||||
if ( ! current_user_can( 'edit_post', $post_id ) )
|
||||
return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) );
|
||||
|
||||
return $this->_prepare_post( $post, $fields );
|
||||
@ -1505,8 +1503,7 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||
$struct = array();
|
||||
|
||||
foreach ( $posts_list as $post ) {
|
||||
$post_type = get_post_type_object( $post['post_type'] );
|
||||
if ( ! current_user_can( $post_type->cap->edit_post, $post['ID'] ) )
|
||||
if ( ! current_user_can( 'edit_post', $post['ID'] ) )
|
||||
continue;
|
||||
|
||||
$struct[] = $this->_prepare_post( $post, $fields );
|
||||
|
@ -906,7 +906,7 @@ function get_edit_post_link( $id = 0, $context = 'display' ) {
|
||||
if ( !$post_type_object )
|
||||
return;
|
||||
|
||||
if ( !current_user_can( $post_type_object->cap->edit_post, $post->ID ) )
|
||||
if ( !current_user_can( 'edit_post', $post->ID ) )
|
||||
return;
|
||||
|
||||
return apply_filters( 'get_edit_post_link', admin_url( sprintf($post_type_object->_edit_link . $action, $post->ID) ), $post->ID, $context );
|
||||
@ -960,7 +960,7 @@ function get_delete_post_link( $id = 0, $deprecated = '', $force_delete = false
|
||||
if ( !$post_type_object )
|
||||
return;
|
||||
|
||||
if ( !current_user_can( $post_type_object->cap->delete_post, $post->ID ) )
|
||||
if ( !current_user_can( 'delete_post', $post->ID ) )
|
||||
return;
|
||||
|
||||
$action = ( $force_delete || !EMPTY_TRASH_DAYS ) ? 'delete' : 'trash';
|
||||
|
@ -2440,14 +2440,13 @@ class WP_Query {
|
||||
$post_type_object = get_post_type_object ( 'post' );
|
||||
}
|
||||
|
||||
$edit_cap = 'edit_post';
|
||||
$read_cap = 'read_post';
|
||||
|
||||
if ( ! empty( $post_type_object ) ) {
|
||||
$edit_cap = $post_type_object->cap->edit_post;
|
||||
$read_cap = $post_type_object->cap->read_post;
|
||||
$edit_others_cap = $post_type_object->cap->edit_others_posts;
|
||||
$read_private_cap = $post_type_object->cap->read_private_posts;
|
||||
} else {
|
||||
$edit_cap = 'edit_' . $post_type_cap;
|
||||
$read_cap = 'read_' . $post_type_cap;
|
||||
$edit_others_cap = 'edit_others_' . $post_type_cap . 's';
|
||||
$read_private_cap = 'read_private_' . $post_type_cap . 's';
|
||||
}
|
||||
|
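Review bot: `$edit_cap` and `$read_cap` are now assigned the fixed meta caps unconditionally at the top of this block, but nothing in the hunk reads them afterwards; if the rest of the method does not either (not visible here), they are dead assignments and should go, leaving only `$edit_others_cap` and `$read_private_cap` in the if/else. If they are used, a short comment saying that `edit_post`/`read_post` are resolved per post by map_meta_cap() while the two `*_posts` caps below stay type-specific would explain why the block is split this way. The enclosing method continues outside the hunk.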