[wp-trac] [WordPress Trac] #44399: Add unique role capability for oembed
WordPress Trac
noreply at wordpress.org
Mon Jun 18 20:11:35 UTC 2018
#44399: Add unique role capability for oembed
-----------------------------+------------------------------------------------------
 Reporter:  jason_the_adams  |      Owner:  (none)
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Embeds           |    Version:  trunk
 Severity:  normal           |   Keywords:  dev-feedback needs-patch needs-unit-tests
  Focuses:                   |
-----------------------------+------------------------------------------------------
Ran into a very specific use case today wherein I have a custom user role
with a custom WYSIWYG editor on their profile. The user role has unique
capabilities for a couple custom post types with unique capabilities. The
user needs to be able to paste a YouTube URL in their profile editor, but
I found that it doesn't work.

After some digging, I found that the oEmbed ajax function
`wp_ajax_parse_embed()` checks for `current_user_can('edit_posts')`. Also,
the oEmbed REST API does the same thing in the
`WP_oEmbed_Controller::wp_ajax_parse_embed()` method.

This is a problem for custom post types with custom capabilities. We don't
want the user to have the `edit_posts` permission, but they do have the
`edit_custom_posts` equivalent. While this isn't a problem for
`current_user_can('edit_post', $post_id)` calls, as it uses the post to
grab the post object and thereby post object capabilities, the
`edit_posts` primitive check has no context.

Since we can't rely on being able to gather post object context (as, in my
case, there may be no post object as we're on the user profile), I propose
creating a single (or group) of oEmbed capabilities. Something like
`create_oembeds`.

Wanted to gather some feedback and thoughts from the community before
putting together a patch. Let me know what you think! :)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44399>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
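
The difference between the two checks the ticket describes, as an added example that is not part of the original message or of WordPress core. It assumes a WordPress install with WP-CLI and a throwaway test user; the post type `custom_post`, the role `profile_author`, the file name and the user ID are hypothetical.

```php
<?php
/**
 * Added illustration. Run inside WordPress, e.g.:
 *   wp eval-file capability-context.php
 * Use a disposable test user: the script changes that user's role.
 */

// A post type whose capabilities derive from its own capability_type,
// so its primitive capability is edit_custom_posts, not edit_posts.
register_post_type( 'custom_post', array(
    'public'          => false,
    'capability_type' => array( 'custom_post', 'custom_posts' ),
    'map_meta_cap'    => true,
) );

// A role that may edit that post type but holds no core post capabilities.
remove_role( 'profile_author' );
add_role( 'profile_author', 'Profile Author', array(
    'read'              => true,
    'edit_custom_posts' => true,
) );

function demo_capability_context( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Test user not found.' );
    }
    $user->set_role( 'profile_author' );

    // Constructed sample post owned by the test user.
    $post_id = wp_insert_post( array(
        'post_type'   => 'custom_post',
        'post_status' => 'draft',
        'post_title'  => 'Constructed sample',
        'post_author' => $user_id,
    ) );

    return array(
        // Meta capability: map_meta_cap() loads the post, finds its post
        // type, and resolves the check to edit_custom_posts.
        'edit_post_with_id' => user_can( $user, 'edit_post', $post_id ),
        // Primitive capability: there is no object to resolve against,
        // so the role must hold the literal edit_posts capability.
        'edit_posts_no_ctx' => user_can( $user, 'edit_posts' ),
    );
}

var_export( demo_capability_context( 2 ) ); // 2 is a placeholder user ID
```

The second result is the check the ticket says gates `wp_ajax_parse_embed()`, which is why a role scoped to a custom post type is turned away on a screen that has no post object.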