[wp-trac] [WordPress Trac] #38303: register_meta and capabilities aren't working as expected
WordPress Trac
noreply at wordpress.org
Mon Nov 14 07:41:31 UTC 2016
#38303: register_meta and capabilities aren't working as expected
------------------------------------------+-----------------------
Reporter: tharsheblows | Owner: rmccue
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 4.8
Component: Role/Capability | Version: 4.6
Severity: normal | Resolution:
Keywords: needs-patch needs-unit-tests | Focuses:
------------------------------------------+-----------------------
Changes (by rmccue):
* keywords: has-patch needs-testing has-unit-tests => needs-patch needs-unit-tests
* status: closed => reopened
* resolution: fixed =>
* milestone: 4.7 => 4.8
Comment:
Reopening here, since it wasn't actually fixed in the above commit. My
apologies for misunderstanding this. Some discussion has continued on
#38412, but we should continue it here, as it's a different issue.
[attachment:38412.5.diff:ticket:38412] has me concerned that we're
changing an existing cap very late in a cycle. In addition, if there's any
plugin code relying on `auth_callback` being set, this could be
problematic.
----
The tl;dr of this issue: if a meta key has `auth_callback` set, the actual
check is `current_user_can( 'edit_post', $id ) && $auth_callback()`. This
means you can't write an auth callback that allows people without
`edit_post` to edit the meta.
The change would make `auth_callback` authoritative (if you return true,
the user can edit it, no further checks), which requires changing the
default `auth_callback` currently in place, and is hence kinda a BC break.
If you pass in `__return_true` as the `auth_callback` currently, the
permissions required to edit that meta would change from `edit_post` to
nothing.
Since this is very late in the cycle, and a potential BC break, I think we
need to punt to 4.8. There's lots that could break here, and I think we're
locked in with BC.
I'm going to punt this to 4.8, and we can reconsider the approach. We could
instead add an option to `register_meta` that allows you to specify
whether you want the `edit_post` check (something like `'require_edit' =>
true`).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38303#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
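The two permission semantics discussed in the comment above, modelled as a stand-alone PHP script. This is an added illustration for this page, not WordPress core code: it uses no WordPress functions, the users and meta keys are constructed, and the `require_edit` option is the hypothetical flag the comment proposes, not something `register_meta()` actually accepts. It shows why passing `__return_true` as `auth_callback` cannot grant a user without `edit_post` access under the current check, and how a `require_edit => false` registration would change that while the default keeps today's behaviour.

```php
<?php
// Model of how the `edit_post` check and a register_meta() `auth_callback`
// are combined. Illustrative only; not WordPress code.

// Constructed users: user => list of primitive capabilities.
$users = [
    'editor'      => ['edit_post'],
    'contributor' => [],          // cannot edit the post at all
];

// Constructed meta registry. `auth_callback` mirrors the register_meta() arg;
// `require_edit` is the hypothetical option floated in the comment.
$meta_registry = [
    // Default registration: no callback, so only edit_post is consulted.
    'subtitle' => [
        'auth_callback' => null,
        'require_edit'  => true,
    ],
    // Developer tries to open this key to everyone with __return_true.
    'public_note' => [
        'auth_callback' => '__return_true',
        'require_edit'  => true,
    ],
    // Same intent, registered with the proposed option switched off.
    'public_note_v2' => [
        'auth_callback' => '__return_true',
        'require_edit'  => false,
    ],
];

// Local stand-in for WordPress's __return_true() helper.
function __return_true() {
    return true;
}

function user_can($user, $cap) {
    global $users;
    return in_array($cap, $users[$user] ?? [], true);
}

function auth_callback_allows($reg) {
    if ($reg['auth_callback'] === null) {
        return true;
    }
    return (bool) call_user_func($reg['auth_callback']);
}

// Current semantics as described in the comment:
// current_user_can('edit_post', $id) && $auth_callback().
// The callback can only veto; it can never grant.
function can_edit_post_meta_current($user, $meta_key) {
    global $meta_registry;
    $reg = $meta_registry[$meta_key];
    return user_can($user, 'edit_post') && auth_callback_allows($reg);
}

// Proposed semantics: `require_edit` decides whether edit_post is consulted.
// With it off, the auth_callback is authoritative; with it on (the default),
// behaviour is unchanged, so existing registrations keep their guarantees.
function can_edit_post_meta_proposed($user, $meta_key) {
    global $meta_registry;
    $reg = $meta_registry[$meta_key];
    if ($reg['require_edit']) {
        return user_can($user, 'edit_post') && auth_callback_allows($reg);
    }
    return auth_callback_allows($reg);
}

foreach (['editor', 'contributor'] as $user) {
    foreach (array_keys($meta_registry) as $key) {
        printf(
            "%-11s %-15s current=%-5s proposed=%s\n",
            $user,
            $key,
            var_export(can_edit_post_meta_current($user, $key), true),
            var_export(can_edit_post_meta_proposed($user, $key), true)
        );
    }
}
```

Running the script, the `contributor` row for `public_note` is the case the ticket is about: `__return_true` is ignored because `edit_post` fails first. Only `public_note_v2`, registered with the hypothetical `require_edit => false`, lets the callback alone decide, and that is exactly the backwards-compatibility concern: if `auth_callback` were made authoritative for everyone, every existing `__return_true` registration would silently drop from "needs `edit_post`" to "needs nothing".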