This introduces the following meta capabilities:
* `activate_plugin`
* `deactivate_plugin`
* `deactivate_plugins`
The singular `activate_plugin` and `deactivate_plugin` capabilities are used along with the corresponding plugin name when
determining whether or not a user can activate or deactivate an individual plugin.
The plural `deactivate_plugins` capability is used in place of the existing `activate_plugins` capability when determining
whether a user can deactivate plugins.
Each of these new meta capabilities map to the existing `activate_plugins` primitive capability, which means there is no
change in existing behaviour, but plugins can now filter the capabilities required to activate and deactivate individual
plugins.
Fixes#38652
git-svn-id: https://develop.svn.wordpress.org/trunk@41290 602fd350-edb4-49c9-b593-d223f7449a82
The new meta capabilities are called `install_languages` and `update_languages`. Prior to this change, there were no proper capability checks applied. Instead only the filesystem and related constants were checked, and for actual permissions a rather vague fallback was used where a user needed to have at least one of the other updating capabilities. In addition to being generally more verbose, the new capabilities make it possible for example to allow a user to update languages, but nothing else. By default they fall back to the original way of how they were handled.
Props johnbillion, flixos90.
Fixes#39677.
git-svn-id: https://develop.svn.wordpress.org/trunk@41268 602fd350-edb4-49c9-b593-d223f7449a82
Previously, checks like `current_user_can( 'edit_term_meta', $term_id )`
returned the proper value, but generated a PHP notice due to the fact
that `get_term( $term_id )` could, in certain instances, return
`WP_Error` objects.
Props caercam.
Fixes#40891.
git-svn-id: https://develop.svn.wordpress.org/trunk@40999 602fd350-edb4-49c9-b593-d223f7449a82
Prior to this change, a mix of `is_super_admin()` calls and `manage_network` capability checks was used to determine whether the current user could upgrade the network. With this changeset a dedicated capability is introduced that allows more granular handling.
Props dhanendran for the original patch.
Fixes#39205. See #37616.
git-svn-id: https://develop.svn.wordpress.org/trunk@40404 602fd350-edb4-49c9-b593-d223f7449a82
This is a wrapper around the checks for the `DISALLOW_FILE_MODS` constant to determine whether file modifications are disallowed.
Props MaximeCulea.
Fixes#38673.
git-svn-id: https://develop.svn.wordpress.org/trunk@40394 602fd350-edb4-49c9-b593-d223f7449a82
`setup_network` is a new meta capability that brings more granular control over the permissions to setup a multisite environment. In a non-multisite environment it falls back to `manage_options` while in a multisite it falls back to `manage_network_options`. The introduction of this capability furthermore allows replacing an `is_super_admin()` check.
Props ashokkumar24 for the original patch.
Fixes#39206. See #37616.
git-svn-id: https://develop.svn.wordpress.org/trunk@40390 602fd350-edb4-49c9-b593-d223f7449a82
Site administrators should not be able to remove themselves from a site. This moves the enforcement of this rule from `wp-admin/users.php` to `remove_user_from_blog()` via the `remove_user` capability, which furthermore allows us to get rid of two additional clauses and their `is_super_admin()` checks in `wp-admin/users.php`. A unit test for the new behavior has been added.
Fixes#39063. See #37616.
git-svn-id: https://develop.svn.wordpress.org/trunk@39588 602fd350-edb4-49c9-b593-d223f7449a82
This capability is not relevant on single site installs; it only applies to deleting a site on a multisite installation.
Fixes#38326
git-svn-id: https://develop.svn.wordpress.org/trunk@39494 602fd350-edb4-49c9-b593-d223f7449a82
As an extra level of sanity checking, the term ID should be cast as an int in `map_meta_cap()`.
Props johnbillion, nacin, dd32, pento.
See #35614.
Fixes#39012.
git-svn-id: https://develop.svn.wordpress.org/trunk@39464 602fd350-edb4-49c9-b593-d223f7449a82
Additionally, use these meta-caps in the REST API endpoints.
Previously, register_meta()'s auth_callback had no effect for non-post meta. This introduces `{add,edit,delete}_{comment,term,user}_meta` meta-caps to match the existing post meta capabilities. These are currently only used in the REST API.
Props tharsheblows, boonebgorges.
Fixes#38303, fixes#38412.
git-svn-id: https://develop.svn.wordpress.org/trunk@39179 602fd350-edb4-49c9-b593-d223f7449a82
* Custom CSS is associated with a given theme and is displayed in an inline `style` element at the `wp_head` hook after the `wp_print_styles` is called so that it overrides any enqueued stylesheets.
* A `wp_get_custom_css()` function is used for accessing the CSS associated with the current theme (or another theme) and a `wp_get_custom_css` filter for manipulating it.
* CSS is managed in customizer via a new "Additional CSS" section with a single `textarea` control.
* `WP_Customize_Section::$description_hidden` is introduced for hiding extended descriptions in customizer sections behind a help toggle as done with panels.
* CSS is stored in a `custom_css` post type with the theme (stylesheet) slug as the `post_name`.
* `WP_Customize_Custom_CSS_Setting` is introduced to handle validation of CSS, previewing, and persisting the CSS to the `custom_css` post type.
* The `custom_css` setting is tied to a new `unfiltered_css` capability which maps to `unfiltered_html` by default.
* Escaping the message in the notification template is removed to allow markup (`code` tags) to be rendered.
See https://make.wordpress.org/core/2016/10/11/feature-proposal-better-theme-customizations-via-custom-css-with-live-previews/
Props johnregan3, celloexpressions, folletto, westonruter.
Fixes#35395.
git-svn-id: https://develop.svn.wordpress.org/trunk@38829 602fd350-edb4-49c9-b593-d223f7449a82
This introduces the singular `edit_term`, `delete_term`, and `assign_term` meta capabilities for terms, and switches the base capability name for tags from `manage_categories` to `manage_post_tags` and the corresponding `edit_post_tags`, `delete_post_tags`, and `assign_post_tags`.
All of these capabilities ultimately map to `manage_categories` so by default there is no change in the behaviour of the capabilities for categories, tags, or custom taxonomies. The `map_meta_cap` filter and the `capabilities` argument when registering a taxonomy now allow for control over editing, deleting, and assigning individual terms, as well as a separation of capabilities for tags from those of categories.
Fixes#35614
Props johnjamesjacoby for feedback
git-svn-id: https://develop.svn.wordpress.org/trunk@38698 602fd350-edb4-49c9-b593-d223f7449a82
`register_meta()` has been altered to accept an array of arguments as the third parameter in order to support its usage beyond XML-RPC, notably in the REST API and other projects that may build on top of meta, such as a potential Fields API. Arguments are whitelisted to reserve the right for core to add more later.
New functions added to complement this expansion are:
* `registered_meta_key_exists()`
* `unregister_meta_key()`
* `get_registered_meta_keys()`
* `get_registered_metadata()`
* A "private" function for the aforementioned whitelisting.
There still need to be lots of tests written for previous and new behaviors, and many things are subject to change. Maybe things will explode. #yolo
props jeremyfelt, ericlewis, sc0ttkclark, helen, rmccue, ocean90, voldemortensen.
see #35658.
git-svn-id: https://develop.svn.wordpress.org/trunk@37924 602fd350-edb4-49c9-b593-d223f7449a82
Known functions, classes, and methods are now auto-linked in Code Reference pages following #meta1483.
Note: Hook references are still linked via inline `@see` tags due to the unlikelihood of reliably matching for known hooks based on a RegEx pattern.
See #32246.
git-svn-id: https://develop.svn.wordpress.org/trunk@37342 602fd350-edb4-49c9-b593-d223f7449a82
Moving these functions to `wp-includes/capabilities.php` allows plugins to access more than just `is_super_admin()` and `get_super_admin()` from the front end without including a file via `wp-admin/`. Add an `is_multisite()` check to prevent use of these on single site environments now that they have left `ms.php`..
Props johnjamesjacoby.
Fixes#21788.
git-svn-id: https://develop.svn.wordpress.org/trunk@37200 602fd350-edb4-49c9-b593-d223f7449a82
Multisite functions use the term "blog" to refer to what we now call a "site," e.g. `get_current_blog_id()`. These functions are here to stay because of our commitment to backwards compatibility. What we can do is set the documentation straight.
See #35417.
git-svn-id: https://develop.svn.wordpress.org/trunk@36416 602fd350-edb4-49c9-b593-d223f7449a82
Creates:
`class-wp-roles.php`
`class-wp-role.php`
`class-wp-user.php`
`capbilities-functions.php`
`capbilities.php` contains only top-level code. Class files only contains classes. Functions file only contains functions.
See #33413.
git-svn-id: https://develop.svn.wordpress.org/trunk@33752 602fd350-edb4-49c9-b593-d223f7449a82
Also avoid PHP notices because of orphaned comments in the comments list table.
Includes unit test.
props pento, dd32.
fixes#33154.
git-svn-id: https://develop.svn.wordpress.org/trunk@33614 602fd350-edb4-49c9-b593-d223f7449a82
Map `delete_site` as a meta capability to `manage_options` so that the ability to delete sites can be more granularly managed for individual site administrators on a multisite network.
Props thomaswm.
Fixes#30470.
git-svn-id: https://develop.svn.wordpress.org/trunk@31673 602fd350-edb4-49c9-b593-d223f7449a82
In PHP 5.3.0, `is_a()` is no longer deprecated, and will therefore no longer throw `E_STRICT` warnings.
To avoid warnings in PHP < 5.3.0, convert all `is_a()` calls to `$var instanceof WP_Class` calls.
`instanceof` does not throw any error if the variable being tested is not an object, it simply returns `false`.
Props markoheijnen, wonderboymusic.
Fixes#25672.
git-svn-id: https://develop.svn.wordpress.org/trunk@31188 602fd350-edb4-49c9-b593-d223f7449a82
Add `@property` annotations to `WP_User` and `WP_Post`.
Remove erroneous `@param`s from image editor class methods.
Officially add the property `$_column_headers` to `WP_List_Table`.
See #30799.
git-svn-id: https://develop.svn.wordpress.org/trunk@31127 602fd350-edb4-49c9-b593-d223f7449a82
* In `WP_Plugin_Install_List_Table`, use `public` instead of `var`
* In `WP_User`, `->data` is accessed directly on an instance if the constructor receives it: make it `public`
* In `WP_Locale`, every property is exported to a global and is already `public` via `var`, half of the properties are accessed directly already, make them all `public`
* In `WP_Rewrite`, several properties are accessed publicly in functions via the `$wp_rewrite` global, make those props `public`.
* In `WP_Rewrite`, the property `->comment_feed_structure` was misspelled as `->comments_feed_structure`
See #30799.
git-svn-id: https://develop.svn.wordpress.org/trunk@31078 602fd350-edb4-49c9-b593-d223f7449a82
