[wp-trac] [WordPress Trac] #40922: Use finer-grained capabilities with `customize_changeset` post type
WordPress Trac
noreply at wordpress.org
Mon Jun 5 04:50:27 UTC 2017
#40922: Use finer-grained capabilities with `customize_changeset` post type
-------------------------+------------------------------
Reporter: dlh | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Customize | Version: 4.7
Severity: normal | Resolution:
Keywords: | Focuses:
-------------------------+------------------------------
Comment (by dlh):
[attachment:40922.diff] is a first pass:
- Remove the post type's custom `capability_type` and custom
`(delete|edit|read)_post` meta capabilities.
- Switch most capabilities registered with the `customize_changeset` post
type from `customize` to `edit_theme_options`. The goal is for
`current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $post_id )`
to map to `edit_theme_options` as effectively happens now.
- Use `current_user_can( 'publish_post' )` where possible.
A few notes:
- I kept the `create_posts` capability set to `customize`. As far as I can
tell, the `create_posts` property is intended to be passed directly to
`current_user_can()`, not mapped in `map_meta_cap()`.
- I'm not positive about whether the custom `capability_type` should be or
needs to be removed. It looks to me like `map_meta_cap()` will call itself
again with a `*_post` capability when the custom capability is in use, so I'm
unsure what the difference is.
- There is (at least) one issue still to address with this change:
{{{
if ( $is_publish && ! current_user_can( 'publish_post', $changeset_post_id ) ) {
}}}
If the changeset post hasn't been saved yet (such as if you open a new
Customizer session and save a change quickly), `$changeset_post_id` won't
have a valid ID, so the check fails.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40922#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
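
One way to handle the unsaved-changeset case raised in the last note of the comment above, written as an added example and not taken from 40922.diff or from WordPress core. It assumes the file is loaded inside WordPress (for example from a plugin); the helper name `example_can_publish_changeset()` is hypothetical, and denying a stale ID is a design choice of this example.

```php
<?php
/**
 * Added example (not from 40922.diff or WordPress core).
 * Assumption: loaded inside WordPress; the function name is hypothetical.
 *
 * Decide whether the current user may publish a changeset, including the
 * case where the changeset post has not been saved yet.
 *
 * @param int|null $changeset_post_id Changeset post ID, or empty if unsaved.
 * @return bool
 */
function example_can_publish_changeset( $changeset_post_id ) {
	$post_type_obj = get_post_type_object( 'customize_changeset' );
	if ( ! $post_type_obj ) {
		return false; // Post type not registered: fail closed.
	}

	if ( empty( $changeset_post_id ) ) {
		// No saved post yet, so a per-post check has nothing to map against.
		// Check the post type's primitive publish capability instead.
		return current_user_can( $post_type_obj->cap->publish_posts );
	}

	$post = get_post( $changeset_post_id );
	if ( ! $post || 'customize_changeset' !== $post->post_type ) {
		// A non-empty ID that resolves to nothing, or to another post type,
		// is denied rather than downgraded to the primitive check.
		return false;
	}

	// Saved changeset: per-post meta capability, resolved by map_meta_cap().
	return current_user_can( 'publish_post', $post->ID );
}

// Call-site shape matching the check quoted in the comment:
// if ( $is_publish && ! example_can_publish_changeset( $changeset_post_id ) ) {
//     // reject the publish request
// }
```

The three branches keep the decision explicit: an unsaved changeset is judged on the primitive capability, a saved one on the per-post capability, and an ID that does not resolve to a changeset is refused.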