• Resolved Solinx

    (@solinx)


    Hello Chouby,

    First I want to thank you for making this plugin. We very much appreciate the manner in which it integrates in the wordpress administrative interface.

    Unfortunately there is one rather important aspect missing: capability checks.
As it is, our restricted users are presented with an “add translation” button that tries to link them to a page to which they have no rights. The result is an ugly “permission denied” warning. We could create an ugly fix using late firing filters, but we’d rather do things properly and help you improve the plugin.

    Below you’ll find a modified version of your “admin-filters-columns.php”. The changes were made in the ‘post_column’ and ‘term_column’ methods.

    In ‘post_column’ the changes comprise a CPT specific check for ‘edit_posts’ and ‘create_posts’ capabilities. (The latter are undocumented in WP, but do exist. If not explicitly specified it is the same as ‘edit_posts’). In ‘term_column’ the changes comprise a taxonomy specific check for ‘edit_terms’ and ‘manage_terms’ capabilities.

    We hope you’ll consider evaluating and using this code for your next update. Thanks in advance!

    https://pastebin.com/vCvKKt69

    [Moderator note: In future please use PasteBin to distribute large amounts of code]
    https://www.ads-software.com/plugins/polylang/

    @moderator: Got it.

    @chouby: Forgot to mention that I used a new class name for the situation where there should be a “create new” link, but the user does not have the required capabilities. As such the column is without an icon unless you add one.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter Solinx

    (@solinx)

    Came across another problem concerning user capabilities.

    In both admin-filter-post.php and frontend-filter.php you hook in on the ‘save_post’ action. In the method that you apply you check for both the edit_posts and create_posts capabilities, without checking whether the post that is being saved is new or not.

    This can easily be fixed by applying the following code.

    First change the param count when you register the ‘save_post’ action.
    add_action('save_post', array(&$this, 'save_post'), 200, 3);

    Then modify the ‘save_post’ methods.
    1. Add ‘$updated’ as 3rd argument to the method.
    2. Change the capability if statement into the following:
    if (!current_user_can($post_type_object->cap->edit_posts) || !current_user_can($post_type_object->cap->create_posts))

We’d appreciate it if you could also include these modifications in the next release. Thanks in advance!

    Regards,
    Wouter van Dam

    Plugin Author Chouby

    (@chouby)

    Hi!

    Your proposal makes sense. I will consider it for a future release.

    However I don’t understand your second post. The if statement is the same as in the current version of Polylang and you don’t use the $updated argument.

    Plugin Author Chouby

    (@chouby)

    I had a quick look and it looks a bit more complex than that.

    In previous versions, I considered that a user who can’t edit posts would have no access to the posts list table and so that it was not useful to check for capabilities when creating the links. Thanks to your suggestion, I went deeper in my reflexion and it’s true that an author can edit his own posts and not other posts, so I should check for
    current_user_can('edit_post', $post_id)
    instead of
    current_user_can($post_type_object->cap->edit_posts)
    However, an author cannot manage terms, so he can’t even access the tags list table. So I guess it’s still useless to check for ‘manage_terms’ or ‘edit_terms’. Have you a use case where it would be useful to do these checks?

    Thread Starter Solinx

    (@solinx)

    Hi Chouby,

    Thanks for considering the proposal.

    Good point about checking for user owned posts. You’ll want to check with current_user_can($post_type_object->cap->edit_post, $post_id) to stay compatible with custom post types.

    In my second post I was a bit too quick with the copy&paste – I copied from the original file. Taking your feedback into account the capability statement should have been:
    if (($updated && !current_user_can($post_type_object->cap->edit_post, $post_id)) || (!$updated && !current_user_can($post_type_object->cap->create_posts)))
    The $updated value provided by the ‘save_post’ hook is true when a post is being edited, and false when a post is being created.

    And also a good point about not needing to check for those term permissions. It actually highlights an upcoming problem with my current project. I’ll need to figure out a way to limit a custom role to only being able to edit their own tags.

    Thanks again for looking into this.

    Cheers,
    Wouter van Dam
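The two checks worked out in the posts above (branching on the third ‘save_post’ argument, and only rendering a “create new” link when the user may create a post of that type), as an added example that is not code from any post in this thread or from Polylang itself. It assumes WordPress core functions (add_action, current_user_can, get_post_type_object, add_query_arg, admin_url, esc_url, wp_is_post_revision) and the standard three-argument ‘save_post’ callback; the query argument names and CSS class names are hypothetical.

```php
<?php
// Added example, not Polylang's own code. Assumes WordPress core APIs.

// 1. save_post: creating and updating are different capabilities, so the
//    check branches on the third argument ($update) instead of requiring
//    both edit_posts and create_posts at once.
add_action( 'save_post', 'example_check_caps_on_save', 200, 3 );

function example_check_caps_on_save( $post_id, $post, $update ) {
    // Autosaves and revisions are not user-initiated saves; skip them.
    if ( wp_is_post_revision( $post_id ) || ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) ) {
        return;
    }

    $post_type_object = get_post_type_object( $post->post_type );
    if ( ! $post_type_object ) {
        return;
    }

    if ( $update ) {
        // Per-object meta capability: an author may edit only their own posts.
        $allowed = current_user_can( $post_type_object->cap->edit_post, $post_id );
    } else {
        // Per-type capability; defaults to edit_posts when not declared.
        $allowed = current_user_can( $post_type_object->cap->create_posts );
    }

    if ( ! $allowed ) {
        return; // leave language/translation data untouched for this user
    }

    // ... plugin-specific work (assign language, link translations) goes here
}

// 2. List-table column: render the "add translation" link only when the user
//    may create a post of this type; otherwise render a link-less marker so
//    they never land on a "permission denied" screen.
//    'from_post'/'new_lang' and the class names are hypothetical.
function example_add_translation_cell( $post_type, $from_post_id, $lang_slug ) {
    $post_type_object = get_post_type_object( $post_type );
    if ( $post_type_object && current_user_can( $post_type_object->cap->create_posts ) ) {
        $url = add_query_arg(
            array( 'post_type' => $post_type, 'from_post' => (int) $from_post_id, 'new_lang' => $lang_slug ),
            admin_url( 'post-new.php' )
        );
        return '<a class="example_icon_add" href="' . esc_url( $url ) . '"></a>';
    }
    return '<span class="example_icon_add_disabled"></span>';
}
```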

    Plugin Author Chouby

    (@chouby)

    OK thanks, that’s clearer now.
    You can check what I have done in the development version (1.5.2.4).
    https://downloads.www.ads-software.com/plugin/polylang.zip

    Thread Starter Solinx

    (@solinx)

    Thanks.

    I’ve done a few quick tests and everything appears to work as expected.

    And I’ve also taken a look at the code. The code in ‘admin-filters-column’ and ‘admin-filter-post.php’ looks good, but I noticed that the ‘frontend-filters.php’ code is unchanged. Could you apply the same changes in that file as you did in ‘admin-filter-post.php’?

    Cheers,
    Wouter van Dam

    Plugin Author Chouby

    (@chouby)

    Hi!

    Yes you are right. I fixed this in the new development version (1.5.2.5).
    Thanks for your tests

    Thread Starter Solinx

    (@solinx)

    You’re welcome. And thanks again for taking the time to make these changes.

    Cheers,
    Wouter van Dam

  • The topic ‘Feature request (incl code): Check for capabilities in admin screens’ is closed to new replies.