[wp-trac] [WordPress Trac] #26409: Non-Editors can create (non-hierarchical) terms even though they can't manage_terms
WordPress Trac
noreply at wordpress.org
Wed Dec 4 20:44:05 UTC 2013
#26409: Non-Editors can create (non-hierarchical) terms even though they can't
manage_terms
--------------------------+-----------------------------
Reporter: westonruter | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Taxonomy | Version:
Severity: normal | Keywords:
--------------------------+-----------------------------
When a taxonomy is registered, the `$default_caps` are:
{{{
'manage_terms' => 'manage_categories',
'edit_terms' => 'manage_categories',
'delete_terms' => 'manage_categories',
'assign_terms' => 'edit_posts',
}}}
This should mean that Authors and Contributors should not be able to
create new terms because they (normally) do not have the
`manage_categories` capability. For hierarchical taxonomies (like
categories), the UI for creating new terms is removed from the metabox.
However, for non-hierarchical taxonomies (like tags), the UI does not
change based on whether they can `manage_categories` or not: they can
still enter arbitrary terms and add them, and when saving the post, the
new terms get created. This seems wrong.
There should be `current_user_can( $taxonomy->caps->manage_terms )` checks
done when saving a post, and the UI should be updated to prevent new terms
from seeming to be accepted. The `ajax-tag-search` could be used to
determine if the entered tag exists, and only allow it to be added if it
does.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/26409>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
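
The server-side check the ticket asks for can be sketched as a filter on `pre_insert_term`, which runs inside `wp_insert_term()` before a new term is written. This is an added example, not code from the ticket or from WordPress core; the function name, the error code and the choice to exempt WP-CLI and cron runs are assumptions.

```php
<?php
/**
 * Added example (hypothetical plugin code, not WordPress core).
 * Refuses to create a new term when the current user lacks the
 * taxonomy's manage_terms capability.
 */
function example_block_unauthorized_term_creation( $term, $taxonomy ) {
    // Leave a rejection from an earlier filter untouched.
    if ( is_wp_error( $term ) ) {
        return $term;
    }

    // Assumption: only interactive requests are policed. WP-CLI and cron
    // runs have no logged-in user and would otherwise always be refused.
    if ( ( defined( 'WP_CLI' ) && WP_CLI ) || ( defined( 'DOING_CRON' ) && DOING_CRON ) ) {
        return $term;
    }

    $tax = get_taxonomy( $taxonomy );
    if ( ! $tax ) {
        return $term; // Defensive: no taxonomy object, nothing to check.
    }

    // The taxonomy object exposes its capability map as the `cap` property.
    // With the default caps quoted in the ticket, manage_terms maps to
    // manage_categories, which Authors and Contributors normally lack.
    if ( ! current_user_can( $tax->cap->manage_terms ) ) {
        return new WP_Error(
            'example_term_creation_denied',
            'You are not allowed to create new terms in this taxonomy.'
        );
    }

    return $term;
}
add_filter( 'pre_insert_term', 'example_block_unauthorized_term_creation', 10, 2 );
```

Existing terms can still be assigned by users who hold `assign_terms`, because the filter only runs when a term has to be created. The metabox UI change described in the ticket is a separate piece of work.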