• \CoBlocks_Post_Meta::auth_callback() may be redundant.

    1. \register_meta() adds $auth_callback as "auth_{$object_type}_meta_{$meta_key}" filter.
    2. REST Meta controller (\WP_REST_Meta_Fields class) checks "edit_{$meta_type}_meta" capability. In this case $meta_type is 'post'.
    3. \map_meta_cap() maps "edit_{$meta_type}_meta" to "edit_{$object_type}" and calls $auth_callback as "auth_{$object_type}_meta_{$meta_key}" filter. In this case $object_type is 'post'.

    The 'edit_posts' check in \CoBlocks_Post_Meta::auth_callback() is considered redundant since 'edit_post' is checked.

    And 'edit_posts' may not work for custom post types. current_user_can( get_post_type_object( get_post_type( $post_id ) )->cap->edit_posts ) should be used, see \get_post_type_capabilities().
    Alternatively, you may limit post meta registration to just the post using \register_post_meta().

    The WordPress capability system is very arcane…
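
The two suggestions in the post above, put together as an added example. This is not code from the original post or from the CoBlocks plugin; the post type 'book', the meta key 'example_plugin_setting' and the function name example_plugin_meta_auth are hypothetical.

```php
<?php
// Added illustration. 'book', 'example_plugin_setting' and
// example_plugin_meta_auth() are hypothetical names.

add_action( 'init', function () {
    // register_post_meta() scopes the key to one post type, so core hooks the
    // callback on "auth_post_meta_{$meta_key}_for_{$post_type}" instead of on
    // the filter shared by every post type.
    register_post_meta(
        'book',
        'example_plugin_setting',
        array(
            'type'              => 'string',
            'single'            => true,
            'show_in_rest'      => true, // the post type must support 'custom-fields'
            'sanitize_callback' => 'sanitize_text_field',
            'auth_callback'     => 'example_plugin_meta_auth',
        )
    );
} );

/**
 * Runs inside map_meta_cap() while it resolves "edit_post_meta".
 * By then map_meta_cap() has already mapped "edit_post" for $object_id,
 * so the callback only has to answer for this meta key.
 */
function example_plugin_meta_auth( $allowed, $meta_key, $object_id, $user_id, $cap, $caps ) {
    // Look up the post type's own capability names; a custom post type
    // may use 'edit_books' rather than 'edit_posts'.
    $post_type = get_post_type_object( get_post_type( $object_id ) );
    if ( ! $post_type ) {
        return false; // unknown post or post type: deny
    }

    // Check the user passed to the filter, not the current user.
    return user_can( $user_id, $post_type->cap->edit_posts );
}
```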
