[wp-trac] [WordPress Trac] #40922: Use finer-grained capabilities with `customize_changeset` post type

WordPress Trac noreply at wordpress.org
Sun Jun 11 14:38:50 UTC 2017


#40922: Use finer-grained capabilities with `customize_changeset` post type
-------------------------+------------------
 Reporter:  dlh          |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  4.9
Component:  Customize    |     Version:  4.7
 Severity:  normal       |  Resolution:
 Keywords:  has-patch    |     Focuses:
-------------------------+------------------

Comment (by dlh):

 > If the changeset post hasn't been saved yet (such as if you open a new
 Customizer session and save a change quickly), `$changeset_post_id` won't
 have a valid ID, so the check fails.

 One approach could be to fall back to the `publish_posts` capability when
 no valid changeset post ID exists:

 {{{#!php
 if ( $is_publish ) {
     if ( $changeset_post_id ) {
         // Meta capability check against the existing changeset post.
         $current_user_can_publish = current_user_can( 'publish_post', $changeset_post_id );
     } else {
         // No changeset post yet: fall back to the post type's primitive publish_posts cap.
         $current_user_can_publish = current_user_can( get_post_type_object( 'customize_changeset' )->cap->publish_posts );
     }

     if ( ! $current_user_can_publish ) {
         wp_send_json_error( 'changeset_publish_unauthorized', 403 );
     }
 }
 }}}

 This approach is simple, but perhaps not as useful for anyone filtering
 `map_meta_cap` or `user_has_cap`.

 Alternatively, we could create a valid ID. To do that, of course, we would
 need to create a changeset post. But what should the changeset post's
 content be? Empty?

 I experimented with this approach:

 {{{#!php
 if ( $is_publish ) {
     if ( ! $changeset_post_id ) {
         // Create the changeset post first so that a valid ID exists to check against.
         $create_changeset = $this->save_changeset_post();

         if ( is_wp_error( $create_changeset ) ) {
             wp_send_json_error( 'changeset_publish_unauthorized', 403 );
         }

         $changeset_post_id = $this->changeset_post_id();
     }

     // Now the meta capability check always has a real post ID.
     if ( ! current_user_can( 'publish_post', $changeset_post_id ) ) {
         wp_send_json_error( 'changeset_publish_unauthorized', 403 );
     }
 }
 }}}

 This creates the changeset post, but the resulting post content is
 something of a hybrid because it includes data from
 `unsanitized_post_values()`, which is called within
 `save_changeset_post()`.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/40922#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
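The comment above notes that falling back to the post type's `publish_posts` capability is "not as useful for anyone filtering `map_meta_cap`". The following is an added example, not code from the ticket or from WordPress core, showing why: a plugin that hooks `map_meta_cap` to require an extra capability for publishing changesets matches on the meta capability `publish_post` plus a post ID, and that combination only exists in the first branch of the fallback approach. It assumes a WordPress environment (`add_filter`, `current_user_can`, `get_post_type`, `get_post_type_object` are core functions); the capability name `publish_customize_changesets` is hypothetical.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core). Assumes it runs
 * inside WordPress, e.g. from a small plugin file.
 *
 * A site wants only some users to publish Customizer changesets, so it
 * requires an extra primitive capability on top of the core mapping.
 * 'publish_customize_changesets' is a hypothetical capability name.
 */
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    // Only the meta capability with a post ID identifies a changeset post.
    if ( 'publish_post' !== $cap || empty( $args[0] ) ) {
        return $caps;
    }
    if ( 'customize_changeset' !== get_post_type( $args[0] ) ) {
        return $caps;
    }
    $caps[] = 'publish_customize_changesets';
    return $caps;
}, 10, 4 );

/**
 * The fallback approach from the comment, rewritten as a standalone helper
 * so the two code paths can be compared. Returns true if the current user
 * may publish the changeset identified by $changeset_post_id (0 if none).
 */
function example_can_publish_changeset( $changeset_post_id ) {
    if ( $changeset_post_id ) {
        // Meta capability: map_meta_cap receives $cap = 'publish_post' and
        // $args[0] = the changeset post ID, so the filter above applies.
        return current_user_can( 'publish_post', $changeset_post_id );
    }

    // Primitive capability: map_meta_cap still runs, but $cap is the post
    // type's publish_posts capability and there is no post ID, so the filter
    // above does not match. A plugin that needs to cover this path too has
    // to hook 'user_has_cap' and inspect the requested capability directly.
    $post_type_object = get_post_type_object( 'customize_changeset' );
    return current_user_can( $post_type_object->cap->publish_posts );
}
```

Passing an ID that does not resolve to a post is not a third option: core's `map_meta_cap` handling for `publish_post` denies the request when `get_post()` returns nothing, which is the failure the quoted comment describes for an unsaved changeset.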