[wp-trac] [WordPress Trac] #38505: Single-term API endpoints should use term-specific caps
WordPress Trac
noreply at wordpress.org
Wed Oct 26 09:20:49 UTC 2016
#38505: Single-term API endpoints should use term-specific caps
------------------------------------+---------------------------
Reporter: boonebgorges | Owner: boonebgorges
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 4.7
Component: REST API | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch dev-feedback | Focuses:
------------------------------------+---------------------------
Comment (by johnbillion):
The post edit interface uses the higher level `assign_terms` capability
check for tags (`post_tags_meta_box()`) because checking the `assign_term`
cap for individual terms here would require some UI and UX work.

For categories, there's just a higher level `edit_terms` check instead of
`assign_terms` (in `post_categories_meta_box()`) that looks like it was an
oversight, but this may also need some UI work to switch it to individual
`assign_term` cap checks. I'll take a look at this during beta.

@boonebgorges Those tests look good, but I would also test the inverse,
where an Editor/Admin level user (who can normally edit/delete terms) is
required to have the `do_not_allow` cap to edit/delete a term and then
assert that the correct error response is returned.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38505#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
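
The inverse case described in the comment above, sketched as an added example; it is not part of the original message or of the ticket's patch. It assumes the WordPress core PHPUnit suite (`WP_UnitTestCase`) on 4.7 or later and the `rest_cannot_update` / `rest_cannot_delete` error codes of the core terms controller; the class, method and property names are hypothetical.

```php
<?php
/**
 * Added example (hypothetical names): an Administrator is denied on ONE term
 * via `map_meta_cap`, and the single-term REST endpoints must refuse it.
 */
class Example_REST_Single_Term_Cap_Denied_Test extends WP_UnitTestCase {

	/** ID of the term whose `edit_term` / `delete_term` caps are revoked. */
	protected $denied_term_id;

	/** `map_meta_cap` callback: require `do_not_allow` for the denied term only. */
	public function deny_single_term( $caps, $cap, $user_id, $args ) {
		$is_term_cap = in_array( $cap, array( 'edit_term', 'delete_term' ), true );
		if ( $is_term_cap && isset( $args[0] ) && (int) $args[0] === $this->denied_term_id ) {
			return array( 'do_not_allow' );
		}
		return $caps;
	}

	public function test_admin_is_refused_on_denied_term_only() {
		$this->denied_term_id = self::factory()->category->create();
		$allowed_term_id      = self::factory()->category->create();
		$admin_id = self::factory()->user->create( array( 'role' => 'administrator' ) );
		wp_set_current_user( $admin_id );
		add_filter( 'map_meta_cap', array( $this, 'deny_single_term' ), 10, 4 );

		// Update of the denied term: 403 for a logged-in user.
		$request = new WP_REST_Request( 'POST', '/wp/v2/categories/' . $this->denied_term_id );
		$request->set_param( 'name', 'Renamed' );
		$data = rest_get_server()->dispatch( $request );
		$this->assertSame( 403, $data->get_status() );
		$this->assertSame( 'rest_cannot_update', $data->get_data()['code'] );

		// Delete of the denied term: refused before any deletion happens.
		$request = new WP_REST_Request( 'DELETE', '/wp/v2/categories/' . $this->denied_term_id );
		$request->set_param( 'force', true );
		$data = rest_get_server()->dispatch( $request );
		$this->assertSame( 403, $data->get_status() );
		$this->assertSame( 'rest_cannot_delete', $data->get_data()['code'] );
		$this->assertNotNull( get_term( $this->denied_term_id, 'category' ) );

		// Control: another term is still editable, so the check is per term.
		$request = new WP_REST_Request( 'POST', '/wp/v2/categories/' . $allowed_term_id );
		$request->set_param( 'name', 'Still editable' );
		$this->assertSame( 200, rest_get_server()->dispatch( $request )->get_status() );

		remove_filter( 'map_meta_cap', array( $this, 'deny_single_term' ), 10 );
	}
}
```

The control request at the end is what separates a term-specific check from a blanket `manage_categories` check: if the endpoint only consulted the higher level capability, the first two requests would succeed for an Administrator despite the filter.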