X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/5964d2279dc52bdfe105f9bfa17e04337d47a3fa..4713a14935b83517997f3c88f808eb41da55033d:/wp-includes/capabilities.php?ds=sidebyside diff --git a/wp-includes/capabilities.php b/wp-includes/capabilities.php index 3503316c..89e854b7 100644 --- a/wp-includes/capabilities.php +++ b/wp-includes/capabilities.php @@ -95,7 +95,7 @@ class WP_Roles { */ function _init () { global $wpdb, $wp_user_roles; - $this->role_key = $wpdb->prefix . 'user_roles'; + $this->role_key = $wpdb->get_blog_prefix() . 'user_roles'; if ( ! empty( $wp_user_roles ) ) { $this->roles = $wp_user_roles; $this->use_db = false; @@ -131,7 +131,7 @@ class WP_Roles { global $wpdb, $wp_user_roles; // Duplicated from _init() to avoid an extra function call. - $this->role_key = $wpdb->prefix . 'user_roles'; + $this->role_key = $wpdb->get_blog_prefix() . 'user_roles'; $this->roles = get_option( $this->role_key ); if ( empty( $this->roles ) ) return; @@ -158,7 +158,7 @@ class WP_Roles { * @param string $role Role name. * @param string $display_name Role display name. * @param array $capabilities List of role capabilities in the above format. - * @return null|WP_Role WP_Role object if role is added, null if already exists. + * @return WP_Role|null WP_Role object if role is added, null if already exists. */ function add_role( $role, $display_name, $capabilities = array() ) { if ( isset( $this->roles[$role] ) ) @@ -193,6 +193,9 @@ class WP_Roles { if ( $this->use_db ) update_option( $this->role_key, $this->roles ); + + if ( get_option( 'default_role' ) == $role ) + update_option( 'default_role', 'subscriber' ); } /** @@ -239,7 +242,7 @@ class WP_Roles { * @access public * * @param string $role Role name. - * @return object|null Null, if role does not exist. WP_Role object, if found. + * @return WP_Role|null WP_Role object if found, null if the role does not exist. */ function get_role( $role ) { if ( isset( $this->role_objects[$role] ) ) @@ -375,6 +378,15 @@ class WP_Role { * @return bool True, if user has capability. False, if doesn't have capability. */ function has_cap( $cap ) { + /** + * Filter which capabilities a role has. + * + * @since 2.0.0 + * + * @param array $capabilities Array of role capabilities. + * @param string $cap Capability name. + * @param string $name Role name. + */ $capabilities = apply_filters( 'role_has_cap', $this->capabilities, $cap, $this->name ); if ( !empty( $capabilities[$cap] ) ) return $capabilities[$cap]; @@ -535,7 +547,9 @@ class WP_User { // to int 1. if ( ! is_numeric( $value ) ) return false; - $value = absint( $value ); + $value = intval( $value ); + if ( $value < 1 ) + return false; } else { $value = trim( $value ); } @@ -679,7 +693,7 @@ class WP_User { return $this->__isset( $key ); } - /* + /** * Return an array representation. * * @since 3.5.0 @@ -707,7 +721,7 @@ class WP_User { global $wpdb; if ( empty($cap_key) ) - $this->cap_key = $wpdb->prefix . 'capabilities'; + $this->cap_key = $wpdb->get_blog_prefix() . 'capabilities'; else $this->cap_key = $cap_key; @@ -730,6 +744,8 @@ class WP_User { * @since 2.0.0 * @uses $wp_roles * @access public + * + * @return array List of all capabilities for the user. */ function get_role_caps() { global $wp_roles; @@ -748,6 +764,8 @@ class WP_User { $this->allcaps = array_merge( (array) $this->allcaps, (array) $the_role->capabilities ); } $this->allcaps = array_merge( (array) $this->allcaps, (array) $this->caps ); + + return $this->allcaps; } /** @@ -803,6 +821,7 @@ class WP_User { foreach ( (array) $this->roles as $oldrole ) unset( $this->caps[$oldrole] ); + $old_roles = $this->roles; if ( !empty( $role ) ) { $this->caps[$role] = true; $this->roles = array( $role => true ); @@ -812,7 +831,18 @@ class WP_User { update_user_meta( $this->ID, $this->cap_key, $this->caps ); $this->get_role_caps(); $this->update_user_level_from_caps(); - do_action( 'set_user_role', $this->ID, $role ); + + /** + * Fires after the user's role has changed. + * + * @since 2.9.0 + * @since 3.6.0 Added $old_roles to include an array of the user's previous roles. + * + * @param int $user_id The user ID. + * @param string $role The new role. + * @param array $old_roles An array of the user's previous roles. + */ + do_action( 'set_user_role', $this->ID, $role, $old_roles ); } /** @@ -856,7 +886,7 @@ class WP_User { function update_user_level_from_caps() { global $wpdb; $this->user_level = array_reduce( array_keys( $this->allcaps ), array( $this, 'level_reduction' ), 0 ); - update_user_meta( $this->ID, $wpdb->prefix . 'user_level', $this->user_level ); + update_user_meta( $this->ID, $wpdb->get_blog_prefix() . 'user_level', $this->user_level ); } /** @@ -898,7 +928,7 @@ class WP_User { global $wpdb; $this->caps = array(); delete_user_meta( $this->ID, $this->cap_key ); - delete_user_meta( $this->ID, $wpdb->prefix . 'user_level' ); + delete_user_meta( $this->ID, $wpdb->get_blog_prefix() . 'user_level' ); $this->get_role_caps(); } @@ -932,8 +962,19 @@ class WP_User { return true; } + /** + * Dynamically filter a user's capabilities. + * + * @since 2.0.0 + * @since 3.7.0 Added the user object. + * + * @param array $allcaps An array of all the role's capabilities. + * @param array $caps Actual capabilities for meta capability. + * @param array $args Optional parameters passed to has_cap(), typically object ID. + * @param WP_User $user The user object. + */ // Must have ALL requested caps - $capabilities = apply_filters( 'user_has_cap', $this->allcaps, $caps, $args ); + $capabilities = apply_filters( 'user_has_cap', $this->allcaps, $caps, $args, $this ); $capabilities['exist'] = true; // Everyone is allowed to exist foreach ( (array) $caps as $cap ) { if ( empty( $capabilities[ $cap ] ) ) @@ -1030,22 +1071,15 @@ function map_meta_cap( $cap, $user_id ) { break; } - $post_author_id = $post->post_author; - - // If no author set yet, default to current user for cap checks. - if ( ! $post_author_id ) - $post_author_id = $user_id; - - $post_author_data = $post_author_id == get_current_user_id() ? wp_get_current_user() : get_userdata( $post_author_id ); - - // If the user is the author... - if ( is_object( $post_author_data ) && $user_id == $post_author_data->ID ) { + // If the post author is set and the user is the author... + if ( $post->post_author && $user_id == $post->post_author ) { // If the post is published... if ( 'publish' == $post->post_status ) { $caps[] = $post_type->cap->delete_published_posts; } elseif ( 'trash' == $post->post_status ) { - if ('publish' == get_post_meta($post->ID, '_wp_trash_meta_status', true) ) + if ( 'publish' == get_post_meta( $post->ID, '_wp_trash_meta_status', true ) ) { $caps[] = $post_type->cap->delete_published_posts; + } } else { // If the post is draft... $caps[] = $post_type->cap->delete_posts; @@ -1054,10 +1088,11 @@ function map_meta_cap( $cap, $user_id ) { // The user is trying to edit someone else's post. $caps[] = $post_type->cap->delete_others_posts; // The post is published, extra cap required. - if ( 'publish' == $post->post_status ) + if ( 'publish' == $post->post_status ) { $caps[] = $post_type->cap->delete_published_posts; - elseif ( 'private' == $post->post_status ) + } elseif ( 'private' == $post->post_status ) { $caps[] = $post_type->cap->delete_private_posts; + } } break; // edit_post breaks down to edit_posts, edit_published_posts, or @@ -1065,6 +1100,8 @@ function map_meta_cap( $cap, $user_id ) { case 'edit_post': case 'edit_page': $post = get_post( $args[0] ); + if ( empty( $post ) ) + break; if ( 'revision' == $post->post_type ) { $post = get_post( $post->post_parent ); @@ -1080,22 +1117,15 @@ function map_meta_cap( $cap, $user_id ) { break; } - $post_author_id = $post->post_author; - - // If no author set yet, default to current user for cap checks. - if ( ! $post_author_id ) - $post_author_id = $user_id; - - $post_author_data = $post_author_id == get_current_user_id() ? wp_get_current_user() : get_userdata( $post_author_id ); - - // If the user is the author... - if ( is_object( $post_author_data ) && $user_id == $post_author_data->ID ) { + // If the post author is set and the user is the author... + if ( $post->post_author && $user_id == $post->post_author ) { // If the post is published... if ( 'publish' == $post->post_status ) { $caps[] = $post_type->cap->edit_published_posts; } elseif ( 'trash' == $post->post_status ) { - if ('publish' == get_post_meta($post->ID, '_wp_trash_meta_status', true) ) + if ( 'publish' == get_post_meta( $post->ID, '_wp_trash_meta_status', true ) ) { $caps[] = $post_type->cap->edit_published_posts; + } } else { // If the post is draft... $caps[] = $post_type->cap->edit_posts; @@ -1104,10 +1134,11 @@ function map_meta_cap( $cap, $user_id ) { // The user is trying to edit someone else's post. $caps[] = $post_type->cap->edit_others_posts; // The post is published, extra cap required. - if ( 'publish' == $post->post_status ) + if ( 'publish' == $post->post_status ) { $caps[] = $post_type->cap->edit_published_posts; - elseif ( 'private' == $post->post_status ) + } elseif ( 'private' == $post->post_status ) { $caps[] = $post_type->cap->edit_private_posts; + } } break; case 'read_post': @@ -1134,20 +1165,13 @@ function map_meta_cap( $cap, $user_id ) { break; } - $post_author_id = $post->post_author; - - // If no author set yet, default to current user for cap checks. - if ( ! $post_author_id ) - $post_author_id = $user_id; - - $post_author_data = $post_author_id == get_current_user_id() ? wp_get_current_user() : get_userdata( $post_author_id ); - - if ( is_object( $post_author_data ) && $user_id == $post_author_data->ID ) + if ( $post->post_author && $user_id == $post->post_author ) { $caps[] = $post_type->cap->read; - elseif ( $status_obj->private ) + } elseif ( $status_obj->private ) { $caps[] = $post_type->cap->read_private_posts; - else + } else { $caps = map_meta_cap( 'edit_post', $user_id, $post->ID ); + } break; case 'publish_post': $post = get_post( $args[0] ); @@ -1159,12 +1183,26 @@ function map_meta_cap( $cap, $user_id ) { case 'delete_post_meta': case 'add_post_meta': $post = get_post( $args[0] ); - $post_type_object = get_post_type_object( $post->post_type ); - $caps = map_meta_cap( $post_type_object->cap->edit_post, $user_id, $post->ID ); + $caps = map_meta_cap( 'edit_post', $user_id, $post->ID ); $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false; if ( $meta_key && has_filter( "auth_post_meta_{$meta_key}" ) ) { + /** + * Filter whether the user is allowed to add post meta to a post. + * + * The dynamic portion of the hook name, $meta_key, refers to the + * meta key passed to map_meta_cap(). + * + * @since 3.3.0 + * + * @param bool $allowed Whether the user can add the post meta. Default false. + * @param string $meta_key The meta key. + * @param int $post_id Post ID. + * @param int $user_id User ID. + * @param string $cap Capability name. + * @param array $caps User capabilities. + */ $allowed = apply_filters( "auth_post_meta_{$meta_key}", false, $meta_key, $post->ID, $user_id, $cap, $caps ); if ( ! $allowed ) $caps[] = $cap; @@ -1174,10 +1212,10 @@ function map_meta_cap( $cap, $user_id ) { break; case 'edit_comment': $comment = get_comment( $args[0] ); + if ( empty( $comment ) ) + break; $post = get_post( $comment->comment_post_ID ); - $post_type_object = get_post_type_object( $post->post_type ); - - $caps = map_meta_cap( $post_type_object->cap->edit_post, $user_id, $post->ID ); + $caps = map_meta_cap( 'edit_post', $user_id, $post->ID ); break; case 'unfiltered_upload': if ( defined('ALLOW_UNFILTERED_UPLOADS') && ALLOW_UNFILTERED_UPLOADS && ( !is_multisite() || is_super_admin( $user_id ) ) ) @@ -1266,7 +1304,17 @@ function map_meta_cap( $cap, $user_id ) { $caps[] = $cap; } - return apply_filters('map_meta_cap', $caps, $cap, $user_id, $args); + /** + * Filter a user's capabilities depending on specific context and/or privilege. + * + * @since 2.8.0 + * + * @param array $caps Returns the user's actual capabilities. + * @param string $cap Capability name. + * @param int $user_id The user ID. + * @param array $args Adds the context to the cap. Typically the object ID. + */ + return apply_filters( 'map_meta_cap', $caps, $cap, $user_id, $args ); } /** @@ -1371,7 +1419,7 @@ function user_can( $user, $capability ) { * @since 2.0.0 * * @param string $role Role name. - * @return object + * @return WP_Role|null WP_Role object if found, null if the role does not exist. */ function get_role( $role ) { global $wp_roles; @@ -1391,7 +1439,7 @@ function get_role( $role ) { * @param string $role Role name. * @param string $display_name Display name for role. * @param array $capabilities List of capabilities, e.g. array( 'edit_posts' => true, 'delete_posts' => false ); - * @return null|WP_Role WP_Role object if role is added, null if already exists. + * @return WP_Role|null WP_Role object if role is added, null if already exists. */ function add_role( $role, $display_name, $capabilities = array() ) { global $wp_roles; @@ -1409,7 +1457,6 @@ function add_role( $role, $display_name, $capabilities = array() ) { * @since 2.0.0 * * @param string $role Role name. - * @return null */ function remove_role( $role ) { global $wp_roles; @@ -1417,7 +1464,7 @@ function remove_role( $role ) { if ( ! isset( $wp_roles ) ) $wp_roles = new WP_Roles(); - return $wp_roles->remove_role( $role ); + $wp_roles->remove_role( $role ); } /**