From 6f62362b96d2ea941a6f463998147486cc56ea0e Mon Sep 17 00:00:00 2001
From: Dion Hulse <dd32@git.wordpress.org>
Date: Sun, 21 Mar 2010 02:29:11 +0000
Subject: [PATCH] Use correct cap checks and nonces for custom post_type's

git-svn-id: https://develop.svn.wordpress.org/trunk@13786 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-admin/includes/meta-boxes.php | 7 +++----
 wp-admin/includes/template.php | 10 +++++-----
 wp-includes/capabilities.php | 6 +++---
 3 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/wp-admin/includes/meta-boxes.php b/wp-admin/includes/meta-boxes.php
index cd7f0690fb..936ae92f32 100644
--- a/wp-admin/includes/meta-boxes.php
+++ b/wp-admin/includes/meta-boxes.php
@@ -14,8 +14,7 @@ function post_submit_meta_box($post) {
 $post_type = $post->post_type;
 $post_type_object = get_post_type_object($post_type);
- $type_cap = $post_type_object->capability_type;
- $can_publish = current_user_can("publish_${type_cap}s");
+ $can_publish = current_user_can($post_type_object->publish_cap);
 ?>
 <div class="submitbox" id="submitpost">
@@ -194,7 +193,7 @@ if ( $can_publish ) : // Contributors don't get to choose the date of publish ?>
 <?php do_action('post_submitbox_start'); ?>
 <div id="delete-action">
 <?php
-if ( current_user_can( "delete_${type_cap}", $post->ID ) ) {
+if ( current_user_can( "delete_post", $post->ID ) ) {
 if ( !EMPTY_TRASH_DAYS ) {
 $delete_url = wp_nonce_url( add_query_arg( array('action' => 'delete', 'post' => $post->ID) ), "delete-${post_type}_{$post->ID}" );
 $delete_text = __('Delete Permanently');
@@ -407,7 +406,7 @@ function post_comment_status_meta_box($post) {
 }
 /**
- * Displa comments for post table header
+ * Display comments for post table header
 *
 * @since 3.0
 *
diff --git a/wp-admin/includes/template.php b/wp-admin/includes/template.php
index bb53a2a054..bdf58e5e94 100644
--- a/wp-admin/includes/template.php
+++ b/wp-admin/includes/template.php
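Review bot: In the `@@ -14,8` hunk the new `current_user_can($post_type_object->publish_cap)` still dereferences the result of `get_post_type_object($post_type)` without a null guard; if that helper returns null for an unregistered type (as its name suggests, confirm), the crash simply moves from `->capability_type` to `->publish_cap`, and a guard such as `if ( ! $post_type_object ) return;` ahead of the cap check would let the meta box degrade safely. In the `@@ -194,7` hunk the literal `"delete_post"` no longer interpolates anything now that `$type_cap` is gone, so `'delete_post'` would read more honestly. post_submit_meta_box's body begins and continues outside both hunks.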
@@ -863,9 +863,10 @@ function inline_edit_row( $screen ) {
 foreach ( $taxonomy_names as $taxonomy_name ) {
 $taxonomy = get_taxonomy( $taxonomy_name);
- if( !$taxonomy->show_ui ) continue;
+ if ( !$taxonomy->show_ui )
+ continue;
- if( $taxonomy->hierarchical )
+ if ( $taxonomy->hierarchical )
 $hierarchical_taxonomies[] = $taxonomy;
 else
 $flat_taxonomies[] = $taxonomy;
@@ -875,7 +876,6 @@ function inline_edit_row( $screen ) {
 $hidden = array_intersect( array_keys( $columns ), array_filter( get_hidden_columns($screen) ) );
 $col_count = count($columns) - count($hidden);
 $m = ( isset($mode) && 'excerpt' == $mode ) ? 'excerpt' : 'list';
- // @todo use capability_type
 $can_publish = current_user_can($post_type_object->publish_cap);
 $core_columns = array( 'cb' => true, 'date' => true, 'title' => true, 'categories' => true, 'tags' => true, 'comments' => true, 'author' => true );
@@ -1561,11 +1561,11 @@ foreach ( $posts_columns as $column_name => $column_display_name ) {
 }
 if ( current_user_can($post_type_object->delete_cap, $page->ID) ) {
 if ( $post->post_status == 'trash' )
- $actions['untrash'] = "<a title='" . esc_attr(__('Remove this page from the Trash')) . "' href='" . wp_nonce_url("post.php?post_type=$post_type&action=untrash&post=$page->ID", 'untrash-page_' . $page->ID) . "'>" . __('Restore') . "</a>";
+ $actions['untrash'] = "<a title='" . esc_attr(__('Remove this page from the Trash')) . "' href='" . wp_nonce_url("post.php?post_type=$post_type&action=untrash&post=$page->ID", 'untrash-' . $post->post_type . '_' . $page->ID) . "'>" . __('Restore') . "</a>";
 elseif ( EMPTY_TRASH_DAYS )
 $actions['trash'] = "<a class='submitdelete' title='" . esc_attr(__('Move this page to the Trash')) . "' href='" . get_delete_post_link($page->ID) . "'>" . __('Trash') . "</a>";
 if ( $post->post_status == 'trash' || !EMPTY_TRASH_DAYS )
- $actions['delete'] = "<a class='submitdelete' title='" . esc_attr(__('Delete this page permanently')) . "' href='" . wp_nonce_url("post.php?post_type=$post_type&action=delete&post=$page->ID", 'delete-page_' . $page->ID) . "'>" . __('Delete Permanently') . "</a>";
+ $actions['delete'] = "<a class='submitdelete' title='" . esc_attr(__('Delete this page permanently')) . "' href='" . wp_nonce_url("post.php?post_type=$post_type&action=delete&post=$page->ID", 'delete-' . $post->post_type . '_' . $page->ID) . "'>" . __('Delete Permanently') . "</a>";
 }
 if ( in_array($post->post_status, array('pending', 'draft')) ) {
 if ( current_user_can($post_type_object->edit_cap, $page->ID) )
diff --git a/wp-includes/capabilities.php b/wp-includes/capabilities.php
index 366de783cd..30528aa8ba 100644
--- a/wp-includes/capabilities.php
+++ b/wp-includes/capabilities.php
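Review bot: The rewritten `untrash` and `delete` actions take the nonce's type component from `$post->post_type` while the URL on the same line still sends `post_type=$post_type` and the ID comes from `$page->ID`, so one link now draws on three different variables for what should be a single post; if `$post`, `$page` and `$post_type` ever describe different objects (nothing in the hunk shows they cannot) the nonce name and the link target drift apart and the handler rejects or, worse, accepts the wrong pair. Reading the type once from the object the nonce is bound to and using it in both the query string and the action string, e.g. `'untrash-' . $post->post_type . '_' . $page->ID` paired with `post_type={$post->post_type}`, keeps the token tied to the link it protects. The two `$post->post_status == 'trash'` context lines use a loose comparison; `===` is the usual choice. The enclosing function starts and ends outside the hunk.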
@@ -810,7 +810,7 @@ function map_meta_cap( $cap, $user_id ) {
 $post = get_post( $args[0] );
 $post_type = get_post_type_object( $post->post_type );
 if ( $post_type && 'post' != $post_type->capability_type ) {
- $args = array_merge( array( 'delete_' . $post_type->capability_type, $user_id ), $args );
+ $args = array_merge( array( $post_type->delete_cap, $user_id ), $args );
 return call_user_func_array( 'map_meta_cap', $args );
 }
@@ -887,7 +887,7 @@ function map_meta_cap( $cap, $user_id ) {
 $post = get_post( $args[0] );
 $post_type = get_post_type_object( $post->post_type );
 if ( $post_type && 'post' != $post_type->capability_type ) {
- $args = array_merge( array( 'edit_' . $post_type->capability_type, $user_id ), $args );
+ $args = array_merge( array( $post_type->edit_cap, $user_id ), $args );
 return call_user_func_array( 'map_meta_cap', $args );
 }
 $post_author_data = get_userdata( $post->post_author );
@@ -946,7 +946,7 @@ function map_meta_cap( $cap, $user_id ) {
 $post = get_post( $args[0] );
 $post_type = get_post_type_object( $post->post_type );
 if ( $post_type && 'post' != $post_type->capability_type ) {
- $args = array_merge( array( 'read_' . $post_type->capability_type, $user_id ), $args );
+ $args = array_merge( array( $post_type->read_cap, $user_id ), $args );
 return call_user_func_array( 'map_meta_cap', $args );
 }
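Review bot: In the `@@ -810,7` hunk (and identically in the `@@ -887,7` and `@@ -946,7` hunks) the recursive `map_meta_cap` call now forwards `$post_type->delete_cap`, `edit_cap` and `read_cap` verbatim, so every custom post type object must carry those properties populated; if a registration path leaves one empty (not visible here, confirm against the post type registration defaults) `array_merge` would pass an empty capability name into the recursion, and an authorization helper should fail closed there rather than continue with a blank cap. A guard before each recursion, e.g. `if ( empty( $post_type->delete_cap ) ) break;` (adjusted per branch), would keep the branch from mapping to nothing. The `$post = get_post( $args[0] )` context line is dereferenced on the next line without a null check in all three hunks, and `'post' != $post_type->capability_type` is a loose comparison where `!==` reads as intended. map_meta_cap's body starts and ends outside these hunks.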