[wp-trac] [WordPress Trac] #40922: Use finer-grained capabilities with `customize_changeset` post type
WordPress Trac
noreply at wordpress.org
Mon Jun 5 04:44:03 UTC 2017
#40922: Use finer-grained capabilities with `customize_changeset` post type
-------------------------+-----------------------------
Reporter: dlh | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Customize | Version: 4.7
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
The `customize_changeset` post type is currently registered with all of
its post type capabilities set to `customize`. As part of adding changeset
endpoints in the REST API (#38900):
> fine-grained capabilities should be introduced for the `customize_changeset` post `caps`, instead of mapping all to `customize`.
@westonruter has compiled links to previous discussions and efforts around
changeset capabilities here:
https://github.com/WP-API/wp-api-customize-endpoints/pull/5#discussion_r118804994.
An example of unexpected behavior caused by the current mapping is where a
post ID is passed to `current_user_can()`, such as
{{{
current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $changeset_post_id )
}}}
This is equivalent to `current_user_can( 'customize' )`, which means the
post ID is ignored because `map_meta_cap()` doesn't check the `$args` when
mapping the `'customize'` meta cap.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40922>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
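The behaviour described in the ticket, as an added example that is not part of the ticket or of WordPress core: a self-contained PHP model comparing a flat `customize` mapping with a per-post mapping. The `model_*` functions, the `edit_customize_changeset*` capability names, and the sample users and posts are assumptions made for illustration.

```php
<?php
// Simplified model of capability mapping; NOT WordPress core code.
// Constructed sample data: changeset post ID => author user ID.
$posts = array( 101 => 1, 102 => 2 );
// Constructed sample data: user ID => primitive capabilities held.
// The *_customize_changesets names are hypothetical.
$users = array(
    1 => array( 'edit_theme_options', 'edit_customize_changesets' ),
    2 => array( 'edit_theme_options', 'edit_customize_changesets',
                'edit_others_customize_changesets' ),
);

// Translate a meta capability into the primitive capabilities required.
function model_map_meta_cap( $cap, $user_id, array $args, array $posts ) {
    switch ( $cap ) {
        case 'customize':
            // Behaviour from the ticket: $args (the post ID) is never read.
            return array( 'edit_theme_options' );
        case 'edit_customize_changeset': // hypothetical per-post meta cap
            if ( ! isset( $args[0], $posts[ $args[0] ] ) ) {
                return array( 'do_not_allow' ); // unknown post: deny
            }
            return array( $posts[ $args[0] ] === $user_id
                ? 'edit_customize_changesets'
                : 'edit_others_customize_changesets' );
    }
    return array( $cap );
}

// True when the user holds every primitive capability the mapping returns.
function model_user_can( $user_id, $cap, array $args, array $users, array $posts ) {
    $required = model_map_meta_cap( $cap, $user_id, $args, $posts );
    return ! array_diff( $required, $users[ $user_id ] );
}

// User 1 against their own changeset, another user's, and a missing ID.
foreach ( array( 101, 102, 999 ) as $post_id ) {
    printf(
        "post %d: customize=%s per-post=%s\n",
        $post_id,
        var_export( model_user_can( 1, 'customize', array( $post_id ), $users, $posts ), true ),
        var_export( model_user_can( 1, 'edit_customize_changeset', array( $post_id ), $users, $posts ), true )
    );
}
```

In the model, the `customize` result is the same for every post ID, including one that does not exist, while the per-post result depends on who authored the changeset.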