<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[39179] trunk: Roles/Capabilities: Add meta-caps for comment, term, and user meta.</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/39179">39179</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/39179","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>rmccue</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2016-11-09 03:41:07 +0000 (Wed, 09 Nov 2016)</dd>
</dl>
<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Roles/Capabilities: Add meta-caps for comment, term, and user meta.
Additionally, use these meta-caps in the REST API endpoints.
Previously, register_meta()'s auth_callback had no effect for non-post meta. This introduces `{add,edit,delete}_{comment,term,user}_meta` meta-caps to match the existing post meta capabilities. These are currently only used in the REST API.
Props tharsheblows, boonebgorges.
Fixes <a href="https://core.trac.wordpress.org/ticket/38303">#38303</a>, fixes <a href="https://core.trac.wordpress.org/ticket/38412">#38412</a>.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpincludescapabilitiesphp">trunk/src/wp-includes/capabilities.php</a></li>
<li><a href="#trunksrcwpincludesrestapiendpointsclasswprestcommentscontrollerphp">trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php</a></li>
<li><a href="#trunksrcwpincludesrestapifieldsclasswprestmetafieldsphp">trunk/src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php</a></li>
<li><a href="#trunktestsphpunittestsusercapabilitiesphp">trunk/tests/phpunit/tests/user/capabilities.php</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpincludescapabilitiesphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/capabilities.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/capabilities.php 2016-11-09 01:47:50 UTC (rev 39178)
+++ trunk/src/wp-includes/capabilities.php 2016-11-09 03:41:07 UTC (rev 39179)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -242,56 +242,77 @@
</span><span class="cx" style="display: block; padding: 0 10px"> case 'edit_post_meta':
</span><span class="cx" style="display: block; padding: 0 10px"> case 'delete_post_meta':
</span><span class="cx" style="display: block; padding: 0 10px"> case 'add_post_meta':
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $post = get_post( $args[0] );
- if ( ! $post ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ case 'edit_comment_meta':
+ case 'delete_comment_meta':
+ case 'add_comment_meta':
+ case 'edit_term_meta':
+ case 'delete_term_meta':
+ case 'add_term_meta':
+ case 'edit_user_meta':
+ case 'delete_user_meta':
+ case 'add_user_meta':
+ list( $_, $object_type, $_ ) = explode( '_', $cap );
+ $object_id = (int) $args[0];
+
+ switch ( $object_type ) {
+ case 'post':
+ $post = get_post( $object_id );
+ if ( ! $post ) {
+ break;
+ }
+
+ $sub_type = get_post_type( $post );
+ break;
+
+ case 'comment':
+ $comment = get_comment( $object_id );
+ if ( ! $comment ) {
+ break;
+ }
+
+ $sub_type = empty( $comment->comment_type ) ? 'comment' : $comment->comment_type;
+ break;
+
+ case 'term':
+ $term = get_term( $object_id );
+ if ( ! $term ) {
+ break;
+ }
+
+ $sub_type = $term->taxonomy;
+ break;
+
+ case 'user':
+ $user = get_user_by( 'id', $object_id );
+ if ( ! $user ) {
+ break;
+ }
+
+ $sub_type = 'user';
+ break;
+ }
+
+ if ( empty( $sub_type ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> $caps[] = 'do_not_allow';
</span><span class="cx" style="display: block; padding: 0 10px"> break;
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $post_type = get_post_type( $post );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $caps = map_meta_cap( "edit_{$object_type}", $user_id, $object_id );
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $caps = map_meta_cap( 'edit_post', $user_id, $post->ID );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $meta_key = isset( $args[1] ) ? $args[1] : false;
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false;
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $has_filter = has_filter( "auth_{$object_type}_meta_{$meta_key}" ) || has_filter( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}" );
+ if ( $meta_key && $has_filter ) {
+ /** This filter is documented in wp-includes/meta.php */
+ $allowed = apply_filters( "auth_{$object_type}_meta_{$meta_key}", false, $meta_key, $object_id, $user_id, $cap, $caps );
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( $meta_key && ( has_filter( "auth_post_meta_{$meta_key}" ) || has_filter( "auth_post_{$post_type}_meta_{$meta_key}" ) ) ) {
- /**
- * Filters whether the user is allowed to add post meta to a post.
- *
- * The dynamic portion of the hook name, `$meta_key`, refers to the
- * meta key passed to map_meta_cap().
- *
- * @since 3.3.0
- *
- * @param bool $allowed Whether the user can add the post meta. Default false.
- * @param string $meta_key The meta key.
- * @param int $post_id Post ID.
- * @param int $user_id User ID.
- * @param string $cap Capability name.
- * @param array $caps User capabilities.
- */
- $allowed = apply_filters( "auth_post_meta_{$meta_key}", false, $meta_key, $post->ID, $user_id, $cap, $caps );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ /** This filter is documented in wp-includes/meta.php */
+ $allowed = apply_filters( "auth_{$object_type}_{$sub_type}_meta_{$meta_key}", $allowed, $meta_key, $object_id, $user_id, $cap, $caps );
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- /**
- * Filters whether the user is allowed to add post meta to a post of a given type.
- *
- * The dynamic portions of the hook name, `$meta_key` and `$post_type`,
- * refer to the meta key passed to map_meta_cap() and the post type, respectively.
- *
- * @since 4.6.0
- *
- * @param bool $allowed Whether the user can add the post meta. Default false.
- * @param string $meta_key The meta key.
- * @param int $post_id Post ID.
- * @param int $user_id User ID.
- * @param string $cap Capability name.
- * @param array $caps User capabilities.
- */
- $allowed = apply_filters( "auth_post_{$post_type}_meta_{$meta_key}", $allowed, $meta_key, $post->ID, $user_id, $cap, $caps );
-
- if ( ! $allowed )
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( ! $allowed ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> $caps[] = $cap;
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- } elseif ( $meta_key && is_protected_meta( $meta_key, 'post' ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ }
+ } elseif ( $meta_key && is_protected_meta( $meta_key, $object_type ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> $caps[] = $cap;
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> break;
</span></span></pre></div>
<a id="trunksrcwpincludesrestapiendpointsclasswprestcommentscontrollerphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php 2016-11-09 01:47:50 UTC (rev 39178)
+++ trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php 2016-11-09 03:41:07 UTC (rev 39179)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -631,7 +631,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> if ( ! $change ) {
</span><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error( 'rest_comment_failed_edit', __( 'Updating comment status failed.' ), array( 'status' => 500 ) );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- } else {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ } elseif ( ! empty( $prepared_args ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( is_wp_error( $prepared_args ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> return $prepared_args;
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span></span></pre></div>
<a id="trunksrcwpincludesrestapifieldsclasswprestmetafieldsphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php 2016-11-09 01:47:50 UTC (rev 39178)
+++ trunk/src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php 2016-11-09 03:41:07 UTC (rev 39179)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -122,7 +122,6 @@
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><span class="cx" style="display: block; padding: 0 10px"> public function update_value( $request, $object_id ) {
</span><span class="cx" style="display: block; padding: 0 10px"> $fields = $this->get_registered_fields();
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-
</del><span class="cx" style="display: block; padding: 0 10px"> foreach ( $fields as $name => $args ) {
</span><span class="cx" style="display: block; padding: 0 10px"> if ( ! array_key_exists( $name, $request ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> continue;
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -159,7 +158,8 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * @return bool|WP_Error True if meta field is deleted, WP_Error otherwise.
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><span class="cx" style="display: block; padding: 0 10px"> protected function delete_meta_value( $object_id, $name ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( ! current_user_can( 'delete_post_meta', $object_id, $name ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $meta_type = $this->get_meta_type();
+ if ( ! current_user_can( "delete_{$meta_type}_meta", $object_id, $name ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error(
</span><span class="cx" style="display: block; padding: 0 10px"> 'rest_cannot_delete',
</span><span class="cx" style="display: block; padding: 0 10px"> sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ),
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -167,7 +167,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( ! delete_metadata( $this->get_meta_type(), $object_id, wp_slash( $name ) ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( ! delete_metadata( $meta_type, $object_id, wp_slash( $name ) ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error(
</span><span class="cx" style="display: block; padding: 0 10px"> 'rest_meta_database_error',
</span><span class="cx" style="display: block; padding: 0 10px"> __( 'Could not delete meta value from database.' ),
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -192,7 +192,8 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * @return bool|WP_Error True if meta fields are updated, WP_Error otherwise.
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><span class="cx" style="display: block; padding: 0 10px"> protected function update_multi_meta_value( $object_id, $name, $values ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( ! current_user_can( 'edit_post_meta', $object_id, $name ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $meta_type = $this->get_meta_type();
+ if ( ! current_user_can( "edit_{$meta_type}_meta", $object_id, $name ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error(
</span><span class="cx" style="display: block; padding: 0 10px"> 'rest_cannot_update',
</span><span class="cx" style="display: block; padding: 0 10px"> sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ),
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -200,7 +201,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $current = get_metadata( $this->get_meta_type(), $object_id, $name, false );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $current = get_metadata( $meta_type, $object_id, $name, false );
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $to_remove = $current;
</span><span class="cx" style="display: block; padding: 0 10px"> $to_add = $values;
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -227,7 +228,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $to_remove = array_unique( $to_remove );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> foreach ( $to_remove as $value ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( ! delete_metadata( $this->get_meta_type(), $object_id, wp_slash( $name ), wp_slash( $value ) ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( ! delete_metadata( $meta_type, $object_id, wp_slash( $name ), wp_slash( $value ) ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error(
</span><span class="cx" style="display: block; padding: 0 10px"> 'rest_meta_database_error',
</span><span class="cx" style="display: block; padding: 0 10px"> __( 'Could not update meta value in database.' ),
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -237,7 +238,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> foreach ( $to_add as $value ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( ! add_metadata( $this->get_meta_type(), $object_id, wp_slash( $name ), wp_slash( $value ) ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( ! add_metadata( $meta_type, $object_id, wp_slash( $name ), wp_slash( $value ) ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error(
</span><span class="cx" style="display: block; padding: 0 10px"> 'rest_meta_database_error',
</span><span class="cx" style="display: block; padding: 0 10px"> __( 'Could not update meta value in database.' ),
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -261,7 +262,8 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * @return bool|WP_Error True if the meta field was updated, WP_Error otherwise.
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><span class="cx" style="display: block; padding: 0 10px"> protected function update_meta_value( $object_id, $name, $value ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( ! current_user_can( 'edit_post_meta', $object_id, $name ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $meta_type = $this->get_meta_type();
+ if ( ! current_user_can( "edit_{$meta_type}_meta", $object_id, $name ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error(
</span><span class="cx" style="display: block; padding: 0 10px"> 'rest_cannot_update',
</span><span class="cx" style="display: block; padding: 0 10px"> sprintf( __( 'You do not have permission to edit the %s custom field.' ), $name ),
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -269,7 +271,6 @@
</span><span class="cx" style="display: block; padding: 0 10px"> );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $meta_type = $this->get_meta_type();
</del><span class="cx" style="display: block; padding: 0 10px"> $meta_key = wp_slash( $name );
</span><span class="cx" style="display: block; padding: 0 10px"> $meta_value = wp_slash( $value );
</span><span class="cx" style="display: block; padding: 0 10px">
</span></span></pre></div>
<a id="trunktestsphpunittestsusercapabilitiesphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/user/capabilities.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/user/capabilities.php 2016-11-09 01:47:50 UTC (rev 39178)
+++ trunk/tests/phpunit/tests/user/capabilities.php 2016-11-09 03:41:07 UTC (rev 39179)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -431,10 +431,19 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $expected['delete_post_meta'],
</span><span class="cx" style="display: block; padding: 0 10px"> $expected['add_post_meta'],
</span><span class="cx" style="display: block; padding: 0 10px"> $expected['edit_comment'],
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $expected['edit_comment_meta'],
+ $expected['delete_comment_meta'],
+ $expected['add_comment_meta'],
</ins><span class="cx" style="display: block; padding: 0 10px"> $expected['edit_term'],
</span><span class="cx" style="display: block; padding: 0 10px"> $expected['delete_term'],
</span><span class="cx" style="display: block; padding: 0 10px"> $expected['assign_term'],
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $expected['delete_user']
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $expected['edit_term_meta'],
+ $expected['delete_term_meta'],
+ $expected['add_term_meta'],
+ $expected['delete_user'],
+ $expected['edit_user_meta'],
+ $expected['delete_user_meta'],
+ $expected['add_user_meta']
</ins><span class="cx" style="display: block; padding: 0 10px"> );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $expected = array_keys( $expected );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1663,4 +1672,85 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $wp_roles = new WP_Roles();
</span><span class="cx" style="display: block; padding: 0 10px"> $wp_roles->reinit();
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+
+ /**
+ * @ticket 38412
+ */
+ public function test_no_one_can_edit_user_meta_for_non_existent_term() {
+ wp_set_current_user( self::$super_admin->ID );
+ $this->assertFalse( current_user_can( 'edit_user_meta', 999999 ) );
+ }
+
+ /**
+ * @ticket 38412
+ */
+ public function test_user_can_edit_user_meta() {
+ wp_set_current_user( self::$users['administrator']->ID );
+ if ( is_multisite() ) {
+ grant_super_admin( self::$users['administrator']->ID );
+ }
+ $this->assertTrue( current_user_can( 'edit_user_meta', self::$users['subscriber']->ID, 'foo' ) );
+ }
+
+ /**
+ * @ticket 38412
+ */
+ public function test_user_cannot_edit_user_meta() {
+ wp_set_current_user( self::$users['editor']->ID );
+ $this->assertFalse( current_user_can( 'edit_user_meta', self::$users['subscriber']->ID, 'foo' ) );
+ }
+
+ /**
+ * @ticket 38412
+ */
+ public function test_no_one_can_delete_user_meta_for_non_existent_term() {
+ wp_set_current_user( self::$super_admin->ID );
+ $this->assertFalse( current_user_can( 'delete_user_meta', 999999, 'foo' ) );
+ }
+
+ /**
+ * @ticket 38412
+ */
+ public function test_user_can_delete_user_meta() {
+ wp_set_current_user( self::$users['administrator']->ID );
+ if ( is_multisite() ) {
+ grant_super_admin( self::$users['administrator']->ID );
+ }
+ $this->assertTrue( current_user_can( 'delete_user_meta', self::$users['subscriber']->ID, 'foo' ) );
+ }
+
+ /**
+ * @ticket 38412
+ */
+ public function test_user_cannot_delete_user_meta() {
+ wp_set_current_user( self::$users['editor']->ID );
+ $this->assertFalse( current_user_can( 'delete_user_meta', self::$users['subscriber']->ID, 'foo' ) );
+ }
+
+ /**
+ * @ticket 38412
+ */
+ public function test_no_one_can_add_user_meta_for_non_existent_term() {
+ wp_set_current_user( self::$super_admin->ID );
+ $this->assertFalse( current_user_can( 'add_user_meta', 999999, 'foo' ) );
+ }
+
+ /**
+ * @ticket 38412
+ */
+ public function test_user_can_add_user_meta() {
+ wp_set_current_user( self::$users['administrator']->ID );
+ if ( is_multisite() ) {
+ grant_super_admin( self::$users['administrator']->ID );
+ }
+ $this->assertTrue( current_user_can( 'add_user_meta', self::$users['subscriber']->ID, 'foo' ) );
+ }
+
+ /**
+ * @ticket 38412
+ */
+ public function test_user_cannot_add_user_meta() {
+ wp_set_current_user( self::$users['editor']->ID );
+ $this->assertFalse( current_user_can( 'add_user_meta', self::$users['subscriber']->ID, 'foo' ) );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span></span></pre>
</div>
</div>
</body>
</html>