[wp-trac] [WordPress Trac] #38303: register_meta and capabilities aren't working as expected
WordPress Trac
noreply at wordpress.org
Thu Oct 13 14:43:20 UTC 2016
#38303: register_meta and capabilities aren't working as expected
-----------------------------+-----------------------------
Reporter: tharsheblows | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Role/Capability | Version: 4.6
Severity: normal | Keywords:
Focuses: |
-----------------------------+-----------------------------
The first part of this is #38284: there aren't capabilities for object
types other than posts.
The second part is best described by a use case:
I want logged in users to be able to flag inappropriate comments. After 10
flags, the comment gets unpublished and a notice goes to a moderator to
check it. I'm going to store these flags and the user in the comment meta
table using something like
{{{#!php
<?php
// $comment_id and $user_id are assumed to be set by the caller.
// The object ID and meta key are passed through to map_meta_cap() and
// from there to the registered auth_callback.
if ( current_user_can( 'edit_comment_meta', $comment_id, 'flagged' ) ) {
	// One row per flag; not unique, so several users can flag the same comment.
	add_comment_meta( $comment_id, 'flagged', $user_id, false );
}
}}}
with register_meta and the auth callback looking something like
{{{#!php
<?php
$args = array(
	'type'          => 'string',
	'show_in_rest'  => true,
	'auth_callback' => 'check_logged_in',
);
register_meta( 'comment', 'flagged', $args );

// Called by map_meta_cap() as ( $allowed, $meta_key, $object_id, $user_id, $cap, $caps );
// the arguments are ignored here because only the logged-in state matters.
function check_logged_in() {
	return is_user_logged_in();
}
}}}
However, I don't want them to be able to edit the comment itself so
`current_user_can( 'edit_comment' )` should return false.
So that's the use case.
What happens at the moment is, well, no one can update the comment because
there's no edit_comment_meta capability. But it's not a problem making the
capabilities work like that.
However, `edit_post_meta` currently doesn't work like that. For
`current_user_can( 'edit_post_meta' )` to return true, a user also has to
have the `edit_post` capability. It's straightforward to change, but does
have one backwards incompatibility: if someone is using
`current_user_can( 'edit_post_meta' )` with a registered meta key which has
an auth_callback that returns true but they really ''don't'' want the
person to update the post meta, so are relying on the fact that they don't
have the `edit_post` capability, then that will change and that person will
be able to update the post meta. It's a slightly convoluted edge case,
admittedly.
Attached is a patch that shows how it would work with unit tests.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38303>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
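The use case described in the ticket, implemented against the hooks that exist in 4.6, as an added example that is not part of the ticket or of the attached patch. Because map_meta_cap() has no case for `edit_comment_meta`, the capability is defined here through the `map_meta_cap` filter and mapped, for the `flagged` key only, onto `read`, which every logged-in role has; `edit_comment` is never part of the result, so flagging a comment does not imply being able to edit it. The threshold constant, all `cf_` function names, the AJAX action name and the use of `wp_mail` to the site admin address are assumptions for the example.

```php
<?php
/*
 * Plugin Name: Comment flagging (added example)
 * Added example, not code from the ticket or the attached patch. Assumes
 * WordPress 4.6: register_meta() with the three-argument signature and no
 * edit_comment_meta case in map_meta_cap(), so the capability is defined
 * below via the map_meta_cap filter.
 */

define( 'CF_FLAG_THRESHOLD', 10 ); // assumed threshold from the use case

// Register the key as in the ticket; auth_callback gates REST writes.
function cf_register_flag_meta() {
	register_meta( 'comment', 'flagged', array(
		'type'          => 'string',
		'show_in_rest'  => true,
		'auth_callback' => 'cf_flag_auth_callback',
	) );
}
add_action( 'init', 'cf_register_flag_meta' );

// Signature as map_meta_cap() calls it; only the user ID is needed here.
function cf_flag_auth_callback( $allowed, $meta_key, $object_id, $user_id, $cap, $caps ) {
	return $user_id > 0 && user_can( $user_id, 'read' );
}

// Map the meta capabilities for the 'flagged' key onto 'read'. Any other
// key, and any other capability, is left for core to map as usual.
function cf_map_flag_caps( $caps, $cap, $user_id, $args ) {
	if ( ! in_array( $cap, array( 'edit_comment_meta', 'add_comment_meta' ), true ) ) {
		return $caps;
	}
	$meta_key = isset( $args[1] ) ? $args[1] : '';
	if ( 'flagged' !== $meta_key ) {
		return $caps;
	}
	if ( 0 === (int) $user_id ) {
		return array( 'do_not_allow' ); // anonymous users can never flag
	}
	return array( 'read' );
}
add_filter( 'map_meta_cap', 'cf_map_flag_caps', 10, 4 );

// Record one flag from the current user. Returns the new flag count, or
// false when the comment does not exist or the user may not flag it.
function cf_flag_comment( $comment_id ) {
	$comment_id = (int) $comment_id;
	$user_id    = get_current_user_id();
	if ( ! get_comment( $comment_id ) ) {
		return false;
	}
	if ( ! current_user_can( 'edit_comment_meta', $comment_id, 'flagged' ) ) {
		return false;
	}

	// One flag per user: the stored value is the user ID, so look for it.
	$flags = get_comment_meta( $comment_id, 'flagged', false );
	if ( in_array( (string) $user_id, array_map( 'strval', $flags ), true ) ) {
		return count( $flags );
	}
	add_comment_meta( $comment_id, 'flagged', (string) $user_id, false );
	$count = count( $flags ) + 1;

	// At the threshold, unapprove the comment once and notify a moderator.
	if ( $count >= CF_FLAG_THRESHOLD && 'approved' === wp_get_comment_status( $comment_id ) ) {
		wp_set_comment_status( $comment_id, 'hold' );
		wp_mail(
			get_option( 'admin_email' ),
			sprintf( 'Comment %d held after %d flags', $comment_id, $count ),
			admin_url( 'comment.php?action=editcomment&c=' . $comment_id )
		);
	}
	return $count;
}

// Logged-in AJAX endpoint: POST action=cf_flag_comment, comment_id, nonce
// (nonce created with wp_create_nonce( 'cf_flag' ) on the page that posts).
function cf_ajax_flag_comment() {
	check_ajax_referer( 'cf_flag', 'nonce' );
	$count = cf_flag_comment( isset( $_POST['comment_id'] ) ? $_POST['comment_id'] : 0 );
	if ( false === $count ) {
		wp_send_json_error( 'not allowed', 403 );
	}
	wp_send_json_success( array( 'flags' => $count ) );
}
add_action( 'wp_ajax_cf_flag_comment', 'cf_ajax_flag_comment' );
```

Two checks worth keeping when adapting this: `current_user_can( 'edit_comment', $comment_id )` still returns false for a subscriber after the filter is in place, which is the property the ticket asks for, and a logged-out request hits `do_not_allow` before any meta is written, since `wp_ajax_` handlers are only registered for authenticated users and the filter denies user ID 0 anyway.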