[wp-trac] [WordPress Trac] #50128: Don't retrieve the post type object for checking post meta capabilities
WordPress Trac
noreply at wordpress.org
Fri May 8 23:02:58 UTC 2020
#50128: Don't retrieve the post type object for checking post meta capabilities
-----------------------------+---------------------
Reporter: ocean90 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 5.5
Component: Role/Capability | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
-----------------------------+---------------------
Comment (by peterwilsoncc):
I'm genuinely not sure if this is correct but happy to defer to someone
with a greater knowledge of roles and caps.
When registering a custom post type with a custom capability, the edit,
read and delete post meta capabilities are mapped to the custom capability
in
[https://developer.wordpress.org/reference/functions/get_post_type_capabilities/
get_post_type_capabilities].
When using custom caps, the developer is responsible for mapping any meta
caps alongside giving appropriate roles the primitives.
For example registering the CPT:
{{{#!php
<?php
register_post_type (
'ocean'
[
'capability_type' => 'ocean',
'public' => true,
]
);
}}}
Will result in the capabilities:
Meta:
* edit_ocean
* delete_ocean
* read_ocean
Primitive:
* edit_oceans
* edit_others_oceans
* delete_oceans
* publish_oceans
* read_private_oceans
In Core, most built-in post types are mapped to `post` for meta caps but,
if my understanding is correct, the PR as is will certainly have adverse
affects on the REST endpoints for CPTs.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50128#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list