[wp-trac] [WordPress Trac] #44399: Add unique capability for oembed
WordPress Trac
noreply at wordpress.org
Wed Jun 20 19:52:54 UTC 2018
#44399: Add unique capability for oembed
-------------------------------------------------+-------------------------
Reporter: jason_the_adams | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Embeds | Version: trunk
Severity: normal | Resolution:
Keywords: dev-feedback needs-patch needs-unit-tests | Focuses:
-------------------------------------------------+-------------------------
Comment (by jason_the_adams):
Hi!
Replying to [comment:3 joyously]:
> Is this ticket reporting a problem with the capability check for embeds
> or is it proposing a new capability? Or maybe both.
Both. There is an issue with oembed capability checks as they require
either a post context or the user to have `edit_posts` which doesn't fit
custom post types with capabilities.
> It seems to me that the existing capability check assumes a post
> context, which your use case has a problem with. Would putting a filter on
> that capability check work? Are there other places where embeds might be
> wanted, but checking `edit_posts` wouldn't work? Like comments or custom
> widgets?
Regarding the filter, that could work but the issue is that there isn't
really any further context that a hook could do anything with. If there's
a post, it's working fine; if there's no post, there's not much context.
You're right on with the other scenarios. That's why, along with my last
point, I'm suggesting a new capability, similar to `upload_files` or other
one-off capabilities. I think it's good to check if a user has a
capability, I just don't think `edit_posts` is the right one as it impacts
far too much else.
> Is it just embeds that has this problem? I've seen some other
> discussions about other places where core checks for a capability that
> doesn't work in all contexts. ''(I also have a use case for custom role
> with custom post type created with a custom editor, and I don't want the
> user to `edit_posts`. This seems likely to be common for sites with
> user-created content.)''
I'm trying to keep the scope of this issue to just embeds. I think other
scenarios are worth considering, but I don't think there's a fundamental
issue with the capability system, just niche situations that could use
some tweaking.
---
Thanks for chiming in! I hope this helps clarify my thinking. :)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44399#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform