[wp-trac] [WordPress Trac] #19373: wp_insert_post() should not contain current_user_can() checks
WordPress Trac
wp-trac at lists.automattic.com
Sun Nov 27 17:02:31 UTC 2011
#19373: wp_insert_post() should not contain current_user_can() checks
--------------------------+-----------------------------
 Reporter:  alexkingorg   |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Taxonomy      |     Version:  3.3
 Severity:  major         |    Keywords:
--------------------------+-----------------------------

wp_insert_post() is a utility function, it should not have a reliance on
user capabilities. There are only two places in this function where there
is a current_user_can() check - for updating custom taxonomies and for
setting post slugs. All other checks (can user publish posts, etc.) are
properly handled outside of the utility function.

wp_insert_post() should be safe to use in code that is run without a user
context, for example via CRON. With the current code, this is the case
*except* for the custom taxonomy feature. This inconsistency can cause a
BrilliantDeveloperTM to lose a good deal of time debugging why the same
data being passed in is coming back with different results.

For 3.4 (please!), perhaps we can figure out a way to move the checks for
user capabilities on taxonomies out of the utility function and into the
controller/procedural code. I'm happy to author and submit a patch once an
approach has been determined.

For other developers who run into this and need to work around it, either
of these 2 options work:

 1. call wp_set_post_terms() to add your taxonomies after calling
 wp_insert_post()
 2. set up a "current user" in your script before calling wp_insert_post()

--
Ticket URL: <http://core.trac.wordpress.org/ticket/19373>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
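
The two workarounds listed in the ticket, sketched as an added example (not code from the ticket or from WordPress core). The hook name, the 'topic' taxonomy, the term names and the example_* function names are hypothetical; wp_set_current_user() is assumed to be the call meant by "set up a current user".

```php
<?php
// Added example. Hook, taxonomy 'topic' and term names are hypothetical.
add_action( 'example_import_event', 'example_import_post' );

// Workaround 1: insert the post, then assign terms in a separate call.
function example_import_post() {
    // Under WP-Cron there is no logged-in user, so the current_user_can()
    // check described in the ticket fails and custom-taxonomy terms passed
    // through wp_insert_post() are not applied.
    $post_id = wp_insert_post(
        array(
            'post_title'   => 'Imported item', // constructed sample data
            'post_content' => 'Body text',
            'post_status'  => 'publish',
            'post_type'    => 'post',
        ),
        true // return a WP_Error on failure instead of 0
    );
    if ( is_wp_error( $post_id ) ) {
        error_log( 'import failed: ' . $post_id->get_error_message() );
        return;
    }

    // wp_set_post_terms() has no capability check, so this code path is
    // responsible for deciding that the import is allowed to set terms.
    $result = wp_set_post_terms( $post_id, array( 'alpha', 'beta' ), 'topic' );
    if ( false === $result || is_wp_error( $result ) ) {
        error_log( 'term assignment failed for post ' . $post_id );
    }
}

// Workaround 2: run the insert as a specific user, then restore the
// previous context so later code in the same request does not inherit it.
function example_insert_as_user( array $postarr, $user_id ) {
    $previous = get_current_user_id(); // 0 when no user is set
    wp_set_current_user( $user_id );
    try {
        return wp_insert_post( $postarr, true );
    } finally {
        wp_set_current_user( $previous );
    }
}
```

For the second workaround, a dedicated account holding only the capabilities the job needs keeps the borrowed context narrow.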