'post_type' => 'post',
'post_status' => 'draft',
'post_format' => ( ! empty( $_POST['post_format'] ) ) ? sanitize_text_field( $_POST['post_format'] ) : '',
- 'tax_input' => ( ! empty( $_POST['tax_input'] ) ) ? $_POST['tax_input'] : array(),
- 'post_category' => ( ! empty( $_POST['post_category'] ) ) ? $_POST['post_category'] : array(),
);
+ // Only accept categories if the user actually can assign
+ $category_tax = get_taxonomy( 'category' );
+ if ( current_user_can( $category_tax->cap->assign_terms ) ) {
+ $post_data['post_category'] = ( ! empty( $_POST['post_category'] ) ) ? $_POST['post_category'] : array();
+ }
+
+ // Only accept taxonomies if the user can actually assign
+ if ( ! empty( $_POST['tax_input'] ) ) {
+ $tax_input = $_POST['tax_input'];
+ foreach ( $tax_input as $tax => $_ti ) {
+ $tax_object = get_taxonomy( $tax );
+ if ( ! $tax_object || ! current_user_can( $tax_object->cap->assign_terms ) ) {
+ unset( $tax_input[ $tax ] );
+ }
+ }
+
+ $post_data['tax_input'] = $tax_input;
+ }
+
+ // Toggle status to pending if user cannot actually publish
if ( ! empty( $_POST['post_status'] ) && 'publish' === $_POST['post_status'] ) {
if ( current_user_can( 'publish_posts' ) ) {
$post_data['post_status'] = 'publish';
* @since 4.2.0
*
* @param string $src Embed source URL.
- * @return string If not from a supported provider, an empty string. Otherwise, a reformattd embed URL.
+ * @return string If not from a supported provider, an empty string. Otherwise, a reformatted embed URL.
*/
private function _limit_embed( $src ) {
$src = $this->_limit_url( $src );
public function categories_html( $post ) {
$taxonomy = get_taxonomy( 'category' );
+ // Bail if user cannot assign terms
+ if ( ! current_user_can( $taxonomy->cap->assign_terms ) ) {
+ return;
+ }
+
+ // Only show "add" if user can edit terms
if ( current_user_can( $taxonomy->cap->edit_terms ) ) {
?>
<button type="button" class="add-cat-toggle button-link" aria-expanded="false">
wp_enqueue_script( 'json2' );
wp_enqueue_script( 'editor' );
+ $categories_tax = get_taxonomy( 'category' );
+ $show_categories = current_user_can( $categories_tax->cap->assign_terms ) || current_user_can( $categories_tax->cap->edit_terms );
+
+ $tag_tax = get_taxonomy( 'post_tag' );
+ $show_tags = current_user_can( $tag_tax->cap->assign_terms );
+
$supports_formats = false;
$post_format = 0;
</button>
<?php endif; ?>
- <button type="button" class="button-link post-option">
- <span class="dashicons dashicons-category"></span>
- <span class="post-option-title"><?php _e( 'Categories' ); ?></span>
- <span class="dashicons post-option-forward"></span>
- </button>
-
- <button type="button" class="button-link post-option">
- <span class="dashicons dashicons-tag"></span>
- <span class="post-option-title"><?php _e( 'Tags' ); ?></span>
- <span class="dashicons post-option-forward"></span>
- </button>
+ <?php if ( $show_categories ) : ?>
+ <button type="button" class="button-link post-option">
+ <span class="dashicons dashicons-category"></span>
+ <span class="post-option-title"><?php _e( 'Categories' ); ?></span>
+ <span class="dashicons post-option-forward"></span>
+ </button>
+ <?php endif; ?>
+
+ <?php if ( $show_tags ) : ?>
+ <button type="button" class="button-link post-option">
+ <span class="dashicons dashicons-tag"></span>
+ <span class="post-option-title"><?php _e( 'Tags' ); ?></span>
+ <span class="dashicons post-option-forward"></span>
+ </button>
+ <?php endif; ?>
</div>
<?php if ( $supports_formats ) : ?>
</div>
<?php endif; ?>
- <div class="setting-modal is-off-screen is-hidden">
- <button type="button" class="button-link modal-close">
- <span class="dashicons post-option-back"></span>
- <span class="setting-title" aria-hidden="true"><?php _e( 'Categories' ); ?></span>
- <span class="screen-reader-text"><?php _e( 'Back to post options' ) ?></span>
- </button>
- <?php $this->categories_html( $post ); ?>
- </div>
+ <?php if ( $show_categories ) : ?>
+ <div class="setting-modal is-off-screen is-hidden">
+ <button type="button" class="button-link modal-close">
+ <span class="dashicons post-option-back"></span>
+ <span class="setting-title" aria-hidden="true"><?php _e( 'Categories' ); ?></span>
+ <span class="screen-reader-text"><?php _e( 'Back to post options' ) ?></span>
+ </button>
+ <?php $this->categories_html( $post ); ?>
+ </div>
+ <?php endif; ?>
- <div class="setting-modal tags is-off-screen is-hidden">
- <button type="button" class="button-link modal-close">
- <span class="dashicons post-option-back"></span>
- <span class="setting-title" aria-hidden="true"><?php _e( 'Tags' ); ?></span>
- <span class="screen-reader-text"><?php _e( 'Back to post options' ) ?></span>
- </button>
- <?php $this->tags_html( $post ); ?>
- </div>
+ <?php if ( $show_tags ) : ?>
+ <div class="setting-modal tags is-off-screen is-hidden">
+ <button type="button" class="button-link modal-close">
+ <span class="dashicons post-option-back"></span>
+ <span class="setting-title" aria-hidden="true"><?php _e( 'Tags' ); ?></span>
+ <span class="screen-reader-text"><?php _e( 'Back to post options' ) ?></span>
+ </button>
+ <?php $this->tags_html( $post ); ?>
+ </div>
+ <?php endif; ?>
</div><!-- .options-panel -->
</div><!-- .wrapper -->
if ( 'any' == $post_type ) {
$in_search_post_types = get_post_types( array('exclude_from_search' => false) );
- if ( empty( $in_search_post_types ) )
+ if ( empty( $in_search_post_types ) ) {
$where .= ' AND 1=0 ';
- else
- $where .= " AND $wpdb->posts.post_type IN ('" . join("', '", $in_search_post_types ) . "')";
+ } else {
+ $where .= " AND {$wpdb->posts}.post_type IN ('" . join( "', '", array_map( 'esc_sql', $in_search_post_types ) ) . "')";
+ }
} elseif ( !empty( $post_type ) && is_array( $post_type ) ) {
- $where .= " AND $wpdb->posts.post_type IN ('" . join("', '", $post_type) . "')";
+ $where .= " AND {$wpdb->posts}.post_type IN ('" . join("', '", esc_sql( $post_type ) ) . "')";
} elseif ( ! empty( $post_type ) ) {
- $where .= " AND $wpdb->posts.post_type = '$post_type'";
+ $where .= $wpdb->prepare( " AND {$wpdb->posts}.post_type = %s", $post_type );
$post_type_object = get_post_type_object ( $post_type );
} elseif ( $this->is_attachment ) {
$where .= " AND $wpdb->posts.post_type = 'attachment'";