[wp-trac] [WordPress Trac] #49741: WP_REST_Terms_Controller::create_item_permissions_check did not work as expected

WordPress Trac noreply at wordpress.org
Tue Mar 31 13:05:01 UTC 2020


#49741: WP_REST_Terms_Controller::create_item_permissions_check did not work as
expected
--------------------------+-----------------------------
 Reporter:  jihaisse      |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:  rest-api      |
--------------------------+-----------------------------
 Hello

 I’ve created a few taxonomies with CPTUI and I wanted to specify
 capabilities for them, so I did it like this:

 {{{#!php
 <?php
 function notes_customize_taxonomy($args, $taxonomy_slug)
 {
     // These would already be used as default value, but providing as an example.
     // $taxonomy_slug parameter would be the slug of the taxonomy currently being registered.
     $args['capabilities'] = array(
         'manage_terms' => "manage_categories",
         'edit_terms' => "manage_categories",
         'delete_terms' => "manage_categories",
         'assign_terms' => "edit_posts",
     );

     return $args;
 }
 add_filter('cptui_pre_register_taxonomy', 'notes_customize_taxonomy', 10, 2);
 }}}


 So I imagined that if a user has the permission “edit_posts” he can
 assign a term to a post, but not create a new one on that taxonomy.

 But, in the create_item_permissions_check method, it’s not like this:
 {{{#!php
 <?php

 if ( ( is_taxonomy_hierarchical( $this->taxonomy )
             && ! current_user_can( $taxonomy_obj->cap->edit_terms ) )
         || ( ! is_taxonomy_hierarchical( $this->taxonomy )
             && ! current_user_can( $taxonomy_obj->cap->assign_terms ) ) )
 }}}


 The capability tested is different if the taxonomy is hierarchical or
 not.
 Why?

 Is this really what is wanted?

 I think this is really confusing. It didn't allow us to have a user who
 can only assign terms without creating new ones.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49741>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
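
A site-level way to enforce the separation the ticket asks for, as an added example that is not part of the original ticket or of WordPress core: it hooks the `pre_insert_term` filter and rejects term creation during REST requests unless the current user holds the taxonomy's `edit_terms` capability, whether or not the taxonomy is hierarchical. The function name, the constant and the `note_topic` slug are assumptions made for illustration.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// Assumption: 'note_topic' is a hypothetical slug. List here the taxonomies
// (for example those registered through CPTUI) that must not accept new
// terms from users who only hold assign_terms.
const NOTES_PROTECTED_TAXONOMIES = array( 'note_topic' );

/**
 * Require edit_terms for term creation over the REST API.
 *
 * wp_insert_term() aborts and returns the WP_Error when this filter
 * returns one, and the REST terms controller passes that error on.
 */
function notes_require_edit_terms_on_rest_create( $term, $taxonomy ) {
    // Leave errors raised by earlier filters untouched.
    if ( is_wp_error( $term ) ) {
        return $term;
    }

    // Only act on REST requests; admin screens, WP-CLI and cron are unaffected.
    if ( ! defined( 'REST_REQUEST' ) || ! REST_REQUEST ) {
        return $term;
    }

    if ( ! in_array( $taxonomy, NOTES_PROTECTED_TAXONOMIES, true ) ) {
        return $term;
    }

    $taxonomy_obj = get_taxonomy( $taxonomy );
    if ( ! $taxonomy_obj ) {
        return $term;
    }

    // Same capability for hierarchical and non-hierarchical taxonomies.
    if ( current_user_can( $taxonomy_obj->cap->edit_terms ) ) {
        return $term;
    }

    return new WP_Error(
        'rest_cannot_create',
        __( 'Sorry, you are not allowed to create terms in this taxonomy.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}
add_filter( 'pre_insert_term', 'notes_require_edit_terms_on_rest_create', 10, 2 );
```

With the capability mapping shown in the ticket, a user who has `edit_posts` but not `manage_categories` receives an authorization error when creating a term in a listed taxonomy, while assigning existing terms still depends only on `assign_terms`.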

