[wp-trac] [WordPress Trac] #36376: current_user_can/has_cap fails when user has multiple roles
WordPress Trac
noreply at wordpress.org
Wed Dec 6 01:42:47 UTC 2017
#36376: current_user_can/has_cap fails when user has multiple roles
-----------------------------------------+-----------------------
Reporter: mikejolley | Owner: dd32
Type: defect (bug) | Status: accepted
Priority: normal | Milestone: 5.0
Component: Role/Capability | Version:
Severity: normal | Resolution:
Keywords: has-unit-tests dev-feedback | Focuses:
-----------------------------------------+-----------------------
Comment (by dd32):
Replying to [comment:14 knutsp]:
> Replying to [comment:13 dd32]:
> > - `John` is given the role of `editor`, a role of
> > `denied_publish_capabilities`, but then allowed to publish through
> > `publish_posts => true`. Should John be able to post? IMHO: Yes.
>
> In such cases, `denied_publish_capabilities` must be removed before
> `publish_posts => true` can have effect. That will be consistent and
> easier to document than having exceptions that are hard to grasp.
If we were designing it from scratch, I would maybe agree. However, I see
a capability as more specific than a role: if I have a capability granted,
I expect it should override all roles (that includes taking away the
ability from a role). Today's implementation also seems to apply direct
capabilities prior to role application too, so that has to be taken into
account.
I think the only change we can make here would be to ensure that two
users have the same cap rules, regardless of the order the roles are
applied.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36376#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
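The resolution behaviour discussed in this thread (roles merged in the order they were assigned, direct user caps applied last), as an added example that is neither WordPress core code nor from this ticket: a small Python model with constructed role definitions. `resolve_order_independent` is one hypothetical policy for the order-independence dd32 asks for, not anything the ticket decided.

```python
# Added example, not WordPress code: a model of how a user's capabilities
# are resolved from several roles plus user-level caps. Role definitions
# below are constructed for illustration; only the caps relevant to the
# thread's "John" scenario are included.

ROLES = {
    "editor": {"edit_posts": True, "publish_posts": True, "delete_posts": True},
    # A "deny" role: grants nothing, explicitly revokes publishing.
    "denied_publish_capabilities": {"publish_posts": False},
}


def resolve_wp_style(role_names, user_caps):
    """Model of the behaviour the thread describes: roles are merged in
    assignment order, so a later role's value overwrites an earlier one's;
    user-level caps are merged last and therefore override every role.
    The result depends on the order of role_names (the ticket's bug)."""
    allcaps = {}
    for name in role_names:
        allcaps.update(ROLES.get(name, {}))
    allcaps.update(user_caps)
    return allcaps


def resolve_order_independent(role_names, user_caps):
    """One hypothetical order-independent policy (an assumption, not the
    ticket's decision): among roles, an explicit False for a cap beats
    True from any other role (least privilege, explicit deny is sticky),
    and user-level caps still override the role result, as dd32 expects."""
    allcaps = {}
    for name in role_names:
        for cap, granted in ROLES.get(name, {}).items():
            allcaps[cap] = allcaps.get(cap, True) and granted
    allcaps.update(user_caps)
    return allcaps


def has_cap(allcaps, cap):
    """A cap is held only if it resolves to an explicit truthy value."""
    return bool(allcaps.get(cap, False))


if __name__ == "__main__":
    for roles in (["editor", "denied_publish_capabilities"],
                  ["denied_publish_capabilities", "editor"]):
        print(roles, "wp-style publish_posts:",
              has_cap(resolve_wp_style(roles, {}), "publish_posts"),
              "| order-independent:",
              has_cap(resolve_order_independent(roles, {}), "publish_posts"))
```

Swapping the two role names flips the result under the order-dependent merge but not under the order-independent policy, while a direct `publish_posts => true` on the user wins in both.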