<?php

[0] Fix | Delete

/**

[1] Fix | Delete

* Core User Role & Capabilities API

[2] Fix | Delete

*

[3] Fix | Delete

* @package WordPress

[4] Fix | Delete

* @subpackage Users

[5] Fix | Delete

*/

[6] Fix | Delete

[7] Fix | Delete

/**

[8] Fix | Delete

* Maps a capability to the primitive capabilities required of the given user to

[9] Fix | Delete

* satisfy the capability being checked.

[10] Fix | Delete

*

[11] Fix | Delete

* This function also accepts an ID of an object to map against if the capability is a meta capability. Meta

[12] Fix | Delete

* capabilities such as `edit_post` and `edit_user` are capabilities used by this function to map to primitive

[13] Fix | Delete

* capabilities that a user or role requires, such as `edit_posts` and `edit_others_posts`.

[14] Fix | Delete

*

[15] Fix | Delete

* Example usage:

[16] Fix | Delete

*

[17] Fix | Delete

* map_meta_cap( 'edit_posts', $user->ID );

[18] Fix | Delete

* map_meta_cap( 'edit_post', $user->ID, $post->ID );

[19] Fix | Delete

* map_meta_cap( 'edit_post_meta', $user->ID, $post->ID, $meta_key );

[20] Fix | Delete

*

[21] Fix | Delete

* This function does not check whether the user has the required capabilities,

[22] Fix | Delete

* it just returns what the required capabilities are.

[23] Fix | Delete

*

[24] Fix | Delete

* @since 2.0.0

[25] Fix | Delete

* @since 4.9.6 Added the `export_others_personal_data`, `erase_others_personal_data`,

[26] Fix | Delete

* and `manage_privacy_options` capabilities.

[27] Fix | Delete

* @since 5.1.0 Added the `update_php` capability.

[28] Fix | Delete

* @since 5.2.0 Added the `resume_plugin` and `resume_theme` capabilities.

[29] Fix | Delete

* @since 5.3.0 Formalized the existing and already documented `...$args` parameter

[30] Fix | Delete

* by adding it to the function signature.

[31] Fix | Delete

* @since 5.7.0 Added the `create_app_password`, `list_app_passwords`, `read_app_password`,

[32] Fix | Delete

* `edit_app_password`, `delete_app_passwords`, `delete_app_password`,

[33] Fix | Delete

* and `update_https` capabilities.

[34] Fix | Delete

*

[35] Fix | Delete

* @global array $post_type_meta_caps Used to get post type meta capabilities.

[36] Fix | Delete

*

[37] Fix | Delete

* @param string $cap Capability being checked.

[38] Fix | Delete

* @param int $user_id User ID.

[39] Fix | Delete

* @param mixed ...$args Optional further parameters, typically starting with an object ID.

[40] Fix | Delete

* @return string[] Primitive capabilities required of the user.

[41] Fix | Delete

*/

[42] Fix | Delete

function map_meta_cap( $cap, $user_id, ...$args ) {

[43] Fix | Delete

$caps = array();

[44] Fix | Delete

[45] Fix | Delete

switch ( $cap ) {

[46] Fix | Delete

case 'remove_user':

[47] Fix | Delete

// In multisite the user must be a super admin to remove themselves.

[48] Fix | Delete

if ( isset( $args[0] ) && $user_id == $args[0] && ! is_super_admin( $user_id ) ) {

[49] Fix | Delete

$caps[] = 'do_not_allow';

[50] Fix | Delete

} else {

[51] Fix | Delete

$caps[] = 'remove_users';

[52] Fix | Delete

}

[53] Fix | Delete

break;

[54] Fix | Delete

case 'promote_user':

[55] Fix | Delete

case 'add_users':

[56] Fix | Delete

$caps[] = 'promote_users';

[57] Fix | Delete

break;

[58] Fix | Delete

case 'edit_user':

[59] Fix | Delete

case 'edit_users':

[60] Fix | Delete

// Allow user to edit themselves.

[61] Fix | Delete

if ( 'edit_user' === $cap && isset( $args[0] ) && $user_id == $args[0] ) {

[62] Fix | Delete

break;

[63] Fix | Delete

}

[64] Fix | Delete

[65] Fix | Delete

// In multisite the user must have manage_network_users caps. If editing a super admin, the user must be a super admin.

[66] Fix | Delete

if ( is_multisite() && ( ( ! is_super_admin( $user_id ) && 'edit_user' === $cap && is_super_admin( $args[0] ) ) || ! user_can( $user_id, 'manage_network_users' ) ) ) {

[67] Fix | Delete

$caps[] = 'do_not_allow';

[68] Fix | Delete

} else {

[69] Fix | Delete

$caps[] = 'edit_users'; // edit_user maps to edit_users.

[70] Fix | Delete

}

[71] Fix | Delete

break;

[72] Fix | Delete

case 'delete_post':

[73] Fix | Delete

case 'delete_page':

[74] Fix | Delete

if ( ! isset( $args[0] ) ) {

[75] Fix | Delete

if ( 'delete_post' === $cap ) {

[76] Fix | Delete

/* translators: %s: Capability name. */

[77] Fix | Delete

$message = __( 'When checking for the %s capability, you must always check it against a specific post.' );

[78] Fix | Delete

} else {

[79] Fix | Delete

/* translators: %s: Capability name. */

[80] Fix | Delete

$message = __( 'When checking for the %s capability, you must always check it against a specific page.' );

[81] Fix | Delete

}

[82] Fix | Delete

[83] Fix | Delete

_doing_it_wrong(

[84] Fix | Delete

__FUNCTION__,

[85] Fix | Delete

sprintf( $message, '<code>' . $cap . '</code>' ),

[86] Fix | Delete

'6.1.0'

[87] Fix | Delete

);

[88] Fix | Delete

[89] Fix | Delete

$caps[] = 'do_not_allow';

[90] Fix | Delete

break;

[91] Fix | Delete

}

[92] Fix | Delete

[93] Fix | Delete

$post = get_post( $args[0] );

[94] Fix | Delete

if ( ! $post ) {

[95] Fix | Delete

$caps[] = 'do_not_allow';

[96] Fix | Delete

break;

[97] Fix | Delete

}

[98] Fix | Delete

[99] Fix | Delete

if ( 'revision' === $post->post_type ) {

[100] Fix | Delete

$caps[] = 'do_not_allow';

[101] Fix | Delete

break;

[102] Fix | Delete

}

[103] Fix | Delete

[104] Fix | Delete

if ( ( get_option( 'page_for_posts' ) == $post->ID ) || ( get_option( 'page_on_front' ) == $post->ID ) ) {

[105] Fix | Delete

$caps[] = 'manage_options';

[106] Fix | Delete

break;

[107] Fix | Delete

}

[108] Fix | Delete

[109] Fix | Delete

$post_type = get_post_type_object( $post->post_type );

[110] Fix | Delete

if ( ! $post_type ) {

[111] Fix | Delete

/* translators: 1: Post type, 2: Capability name. */

[112] Fix | Delete

$message = __( 'The post type %1$s is not registered, so it may not be reliable to check the capability %2$s against a post of that type.' );

[113] Fix | Delete

[114] Fix | Delete

_doing_it_wrong(

[115] Fix | Delete

__FUNCTION__,

[116] Fix | Delete

sprintf(

[117] Fix | Delete

$message,

[118] Fix | Delete

'<code>' . $post->post_type . '</code>',

[119] Fix | Delete

'<code>' . $cap . '</code>'

[120] Fix | Delete

),

[121] Fix | Delete

'4.4.0'

[122] Fix | Delete

);

[123] Fix | Delete

[124] Fix | Delete

$caps[] = 'edit_others_posts';

[125] Fix | Delete

break;

[126] Fix | Delete

}

[127] Fix | Delete

[128] Fix | Delete

if ( ! $post_type->map_meta_cap ) {

[129] Fix | Delete

$caps[] = $post_type->cap->$cap;

[130] Fix | Delete

// Prior to 3.1 we would re-call map_meta_cap here.

[131] Fix | Delete

if ( 'delete_post' === $cap ) {

[132] Fix | Delete

$cap = $post_type->cap->$cap;

[133] Fix | Delete

}

[134] Fix | Delete

break;

[135] Fix | Delete

}

[136] Fix | Delete

[137] Fix | Delete

// If the post author is set and the user is the author...

[138] Fix | Delete

if ( $post->post_author && $user_id == $post->post_author ) {

[139] Fix | Delete

// If the post is published or scheduled...

[140] Fix | Delete

if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) {

[141] Fix | Delete

$caps[] = $post_type->cap->delete_published_posts;

[142] Fix | Delete

} elseif ( 'trash' === $post->post_status ) {

[143] Fix | Delete

$status = get_post_meta( $post->ID, '_wp_trash_meta_status', true );

[144] Fix | Delete

if ( in_array( $status, array( 'publish', 'future' ), true ) ) {

[145] Fix | Delete

$caps[] = $post_type->cap->delete_published_posts;

[146] Fix | Delete

} else {

[147] Fix | Delete

$caps[] = $post_type->cap->delete_posts;

[148] Fix | Delete

}

[149] Fix | Delete

} else {

[150] Fix | Delete

// If the post is draft...

[151] Fix | Delete

$caps[] = $post_type->cap->delete_posts;

[152] Fix | Delete

}

[153] Fix | Delete

} else {

[154] Fix | Delete

// The user is trying to edit someone else's post.

[155] Fix | Delete

$caps[] = $post_type->cap->delete_others_posts;

[156] Fix | Delete

// The post is published or scheduled, extra cap required.

[157] Fix | Delete

if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) {

[158] Fix | Delete

$caps[] = $post_type->cap->delete_published_posts;

[159] Fix | Delete

} elseif ( 'private' === $post->post_status ) {

[160] Fix | Delete

$caps[] = $post_type->cap->delete_private_posts;

[161] Fix | Delete

}

[162] Fix | Delete

}

[163] Fix | Delete

[164] Fix | Delete

/*

[165] Fix | Delete

* Setting the privacy policy page requires `manage_privacy_options`,

[166] Fix | Delete

* so deleting it should require that too.

[167] Fix | Delete

*/

[168] Fix | Delete

if ( (int) get_option( 'wp_page_for_privacy_policy' ) === $post->ID ) {

[169] Fix | Delete

$caps = array_merge( $caps, map_meta_cap( 'manage_privacy_options', $user_id ) );

[170] Fix | Delete

}

[171] Fix | Delete

[172] Fix | Delete

break;

[173] Fix | Delete

/*

[174] Fix | Delete

* edit_post breaks down to edit_posts, edit_published_posts, or

[175] Fix | Delete

* edit_others_posts.

[176] Fix | Delete

*/

[177] Fix | Delete

case 'edit_post':

[178] Fix | Delete

case 'edit_page':

[179] Fix | Delete

if ( ! isset( $args[0] ) ) {

[180] Fix | Delete

if ( 'edit_post' === $cap ) {

[181] Fix | Delete

/* translators: %s: Capability name. */

[182] Fix | Delete

$message = __( 'When checking for the %s capability, you must always check it against a specific post.' );

[183] Fix | Delete

} else {

[184] Fix | Delete

/* translators: %s: Capability name. */

[185] Fix | Delete

$message = __( 'When checking for the %s capability, you must always check it against a specific page.' );

[186] Fix | Delete

}

[187] Fix | Delete

[188] Fix | Delete

_doing_it_wrong(

[189] Fix | Delete

__FUNCTION__,

[190] Fix | Delete

sprintf( $message, '<code>' . $cap . '</code>' ),

[191] Fix | Delete

'6.1.0'

[192] Fix | Delete

);

[193] Fix | Delete

[194] Fix | Delete

$caps[] = 'do_not_allow';

[195] Fix | Delete

break;

[196] Fix | Delete

}

[197] Fix | Delete

[198] Fix | Delete

$post = get_post( $args[0] );

[199] Fix | Delete

if ( ! $post ) {

[200] Fix | Delete

$caps[] = 'do_not_allow';

[201] Fix | Delete

break;

[202] Fix | Delete

}

[203] Fix | Delete

[204] Fix | Delete

if ( 'revision' === $post->post_type ) {

[205] Fix | Delete

$post = get_post( $post->post_parent );

[206] Fix | Delete

if ( ! $post ) {

[207] Fix | Delete

$caps[] = 'do_not_allow';

[208] Fix | Delete

break;

[209] Fix | Delete

}

[210] Fix | Delete

}

[211] Fix | Delete

[212] Fix | Delete

$post_type = get_post_type_object( $post->post_type );

[213] Fix | Delete

if ( ! $post_type ) {

[214] Fix | Delete

/* translators: 1: Post type, 2: Capability name. */

[215] Fix | Delete

$message = __( 'The post type %1$s is not registered, so it may not be reliable to check the capability %2$s against a post of that type.' );

[216] Fix | Delete

[217] Fix | Delete

_doing_it_wrong(

[218] Fix | Delete

__FUNCTION__,

[219] Fix | Delete

sprintf(

[220] Fix | Delete

$message,

[221] Fix | Delete

'<code>' . $post->post_type . '</code>',

[222] Fix | Delete

'<code>' . $cap . '</code>'

[223] Fix | Delete

),

[224] Fix | Delete

'4.4.0'

[225] Fix | Delete

);

[226] Fix | Delete

[227] Fix | Delete

$caps[] = 'edit_others_posts';

[228] Fix | Delete

break;

[229] Fix | Delete

}

[230] Fix | Delete

[231] Fix | Delete

if ( ! $post_type->map_meta_cap ) {

[232] Fix | Delete

$caps[] = $post_type->cap->$cap;

[233] Fix | Delete

// Prior to 3.1 we would re-call map_meta_cap here.

[234] Fix | Delete

if ( 'edit_post' === $cap ) {

[235] Fix | Delete

$cap = $post_type->cap->$cap;

[236] Fix | Delete

}

[237] Fix | Delete

break;

[238] Fix | Delete

}

[239] Fix | Delete

[240] Fix | Delete

// If the post author is set and the user is the author...

[241] Fix | Delete

if ( $post->post_author && $user_id == $post->post_author ) {

[242] Fix | Delete

// If the post is published or scheduled...

[243] Fix | Delete

if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) {

[244] Fix | Delete

$caps[] = $post_type->cap->edit_published_posts;

[245] Fix | Delete

} elseif ( 'trash' === $post->post_status ) {

[246] Fix | Delete

$status = get_post_meta( $post->ID, '_wp_trash_meta_status', true );

[247] Fix | Delete

if ( in_array( $status, array( 'publish', 'future' ), true ) ) {

[248] Fix | Delete

$caps[] = $post_type->cap->edit_published_posts;

[249] Fix | Delete

} else {

[250] Fix | Delete

$caps[] = $post_type->cap->edit_posts;

[251] Fix | Delete

}

[252] Fix | Delete

} else {

[253] Fix | Delete

// If the post is draft...

[254] Fix | Delete

$caps[] = $post_type->cap->edit_posts;

[255] Fix | Delete

}

[256] Fix | Delete

} else {

[257] Fix | Delete

// The user is trying to edit someone else's post.

[258] Fix | Delete

$caps[] = $post_type->cap->edit_others_posts;

[259] Fix | Delete

// The post is published or scheduled, extra cap required.

[260] Fix | Delete

if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) {

[261] Fix | Delete

$caps[] = $post_type->cap->edit_published_posts;

[262] Fix | Delete

} elseif ( 'private' === $post->post_status ) {

[263] Fix | Delete

$caps[] = $post_type->cap->edit_private_posts;

[264] Fix | Delete

}

[265] Fix | Delete

}

[266] Fix | Delete

[267] Fix | Delete

/*

[268] Fix | Delete

* Setting the privacy policy page requires `manage_privacy_options`,

[269] Fix | Delete

* so editing it should require that too.

[270] Fix | Delete

*/

[271] Fix | Delete

if ( (int) get_option( 'wp_page_for_privacy_policy' ) === $post->ID ) {

[272] Fix | Delete

$caps = array_merge( $caps, map_meta_cap( 'manage_privacy_options', $user_id ) );

[273] Fix | Delete

}

[274] Fix | Delete

[275] Fix | Delete

break;

[276] Fix | Delete

case 'read_post':

[277] Fix | Delete

case 'read_page':

[278] Fix | Delete

if ( ! isset( $args[0] ) ) {

[279] Fix | Delete

if ( 'read_post' === $cap ) {

[280] Fix | Delete

/* translators: %s: Capability name. */

[281] Fix | Delete

$message = __( 'When checking for the %s capability, you must always check it against a specific post.' );

[282] Fix | Delete

} else {

[283] Fix | Delete

/* translators: %s: Capability name. */

[284] Fix | Delete

$message = __( 'When checking for the %s capability, you must always check it against a specific page.' );

[285] Fix | Delete

}

[286] Fix | Delete

[287] Fix | Delete

_doing_it_wrong(

[288] Fix | Delete

__FUNCTION__,

[289] Fix | Delete

sprintf( $message, '<code>' . $cap . '</code>' ),

[290] Fix | Delete

'6.1.0'

[291] Fix | Delete

);

[292] Fix | Delete

[293] Fix | Delete

$caps[] = 'do_not_allow';

[294] Fix | Delete

break;

[295] Fix | Delete

}

[296] Fix | Delete

[297] Fix | Delete

$post = get_post( $args[0] );

[298] Fix | Delete

if ( ! $post ) {

[299] Fix | Delete

$caps[] = 'do_not_allow';

[300] Fix | Delete

break;

[301] Fix | Delete

}

[302] Fix | Delete

[303] Fix | Delete

if ( 'revision' === $post->post_type ) {

[304] Fix | Delete

$post = get_post( $post->post_parent );

[305] Fix | Delete

if ( ! $post ) {

[306] Fix | Delete

$caps[] = 'do_not_allow';

[307] Fix | Delete

break;

[308] Fix | Delete

}

[309] Fix | Delete

}

[310] Fix | Delete

[311] Fix | Delete

$post_type = get_post_type_object( $post->post_type );

[312] Fix | Delete

if ( ! $post_type ) {

[313] Fix | Delete

/* translators: 1: Post type, 2: Capability name. */

[314] Fix | Delete

$message = __( 'The post type %1$s is not registered, so it may not be reliable to check the capability %2$s against a post of that type.' );

[315] Fix | Delete

[316] Fix | Delete

_doing_it_wrong(

[317] Fix | Delete

__FUNCTION__,

[318] Fix | Delete

sprintf(

[319] Fix | Delete

$message,

[320] Fix | Delete

'<code>' . $post->post_type . '</code>',

[321] Fix | Delete

'<code>' . $cap . '</code>'

[322] Fix | Delete

),

[323] Fix | Delete

'4.4.0'

[324] Fix | Delete

);

[325] Fix | Delete

[326] Fix | Delete

$caps[] = 'edit_others_posts';

[327] Fix | Delete

break;

[328] Fix | Delete

}

[329] Fix | Delete

[330] Fix | Delete

if ( ! $post_type->map_meta_cap ) {

[331] Fix | Delete

$caps[] = $post_type->cap->$cap;

[332] Fix | Delete

// Prior to 3.1 we would re-call map_meta_cap here.

[333] Fix | Delete

if ( 'read_post' === $cap ) {

[334] Fix | Delete

$cap = $post_type->cap->$cap;

[335] Fix | Delete

}

[336] Fix | Delete

break;

[337] Fix | Delete

}

[338] Fix | Delete

[339] Fix | Delete

$status_obj = get_post_status_object( get_post_status( $post ) );

[340] Fix | Delete

if ( ! $status_obj ) {

[341] Fix | Delete

/* translators: 1: Post status, 2: Capability name. */

[342] Fix | Delete

$message = __( 'The post status %1$s is not registered, so it may not be reliable to check the capability %2$s against a post with that status.' );

[343] Fix | Delete

[344] Fix | Delete

_doing_it_wrong(

[345] Fix | Delete

__FUNCTION__,

[346] Fix | Delete

sprintf(

[347] Fix | Delete

$message,

[348] Fix | Delete

'<code>' . get_post_status( $post ) . '</code>',

[349] Fix | Delete

'<code>' . $cap . '</code>'

[350] Fix | Delete

),

[351] Fix | Delete

'5.4.0'

[352] Fix | Delete

);

[353] Fix | Delete

[354] Fix | Delete

$caps[] = 'edit_others_posts';

[355] Fix | Delete

break;

[356] Fix | Delete

}

[357] Fix | Delete

[358] Fix | Delete

if ( $status_obj->public ) {

[359] Fix | Delete

$caps[] = $post_type->cap->read;

[360] Fix | Delete

break;

[361] Fix | Delete

}

[362] Fix | Delete

[363] Fix | Delete

if ( $post->post_author && $user_id == $post->post_author ) {

[364] Fix | Delete

$caps[] = $post_type->cap->read;

[365] Fix | Delete

} elseif ( $status_obj->private ) {

[366] Fix | Delete

$caps[] = $post_type->cap->read_private_posts;

[367] Fix | Delete

} else {

[368] Fix | Delete

$caps = map_meta_cap( 'edit_post', $user_id, $post->ID );

[369] Fix | Delete

}

[370] Fix | Delete

break;

[371] Fix | Delete

case 'publish_post':

[372] Fix | Delete

if ( ! isset( $args[0] ) ) {

[373] Fix | Delete

/* translators: %s: Capability name. */

[374] Fix | Delete

$message = __( 'When checking for the %s capability, you must always check it against a specific post.' );

[375] Fix | Delete

[376] Fix | Delete

_doing_it_wrong(

[377] Fix | Delete

__FUNCTION__,

[378] Fix | Delete

sprintf( $message, '<code>' . $cap . '</code>' ),

[379] Fix | Delete

'6.1.0'

[380] Fix | Delete

);

[381] Fix | Delete

[382] Fix | Delete

$caps[] = 'do_not_allow';

[383] Fix | Delete

break;

[384] Fix | Delete

}

[385] Fix | Delete

[386] Fix | Delete

$post = get_post( $args[0] );

[387] Fix | Delete

if ( ! $post ) {

[388] Fix | Delete

$caps[] = 'do_not_allow';

[389] Fix | Delete

break;

[390] Fix | Delete

}

[391] Fix | Delete

[392] Fix | Delete

$post_type = get_post_type_object( $post->post_type );

[393] Fix | Delete

if ( ! $post_type ) {

[394] Fix | Delete

/* translators: 1: Post type, 2: Capability name. */

[395] Fix | Delete

$message = __( 'The post type %1$s is not registered, so it may not be reliable to check the capability %2$s against a post of that type.' );

[396] Fix | Delete

[397] Fix | Delete

_doing_it_wrong(

[398] Fix | Delete

__FUNCTION__,

[399] Fix | Delete

sprintf(

[400] Fix | Delete

$message,

[401] Fix | Delete

'<code>' . $post->post_type . '</code>',

[402] Fix | Delete

'<code>' . $cap . '</code>'

[403] Fix | Delete

),

[404] Fix | Delete

'4.4.0'

[405] Fix | Delete

);

[406] Fix | Delete

[407] Fix | Delete

$caps[] = 'edit_others_posts';

[408] Fix | Delete

break;

[409] Fix | Delete

}

[410] Fix | Delete

[411] Fix | Delete

$caps[] = $post_type->cap->publish_posts;

[412] Fix | Delete

break;

[413] Fix | Delete

case 'edit_post_meta':

[414] Fix | Delete

case 'delete_post_meta':

[415] Fix | Delete

case 'add_post_meta':

[416] Fix | Delete

case 'edit_comment_meta':

[417] Fix | Delete

case 'delete_comment_meta':

[418] Fix | Delete

case 'add_comment_meta':

[419] Fix | Delete

case 'edit_term_meta':

[420] Fix | Delete

case 'delete_term_meta':

[421] Fix | Delete

case 'add_term_meta':

[422] Fix | Delete

case 'edit_user_meta':

[423] Fix | Delete

case 'delete_user_meta':

[424] Fix | Delete

case 'add_user_meta':

[425] Fix | Delete

$object_type = explode( '_', $cap )[1];

[426] Fix | Delete

[427] Fix | Delete

if ( ! isset( $args[0] ) ) {

[428] Fix | Delete

if ( 'post' === $object_type ) {

[429] Fix | Delete

/* translators: %s: Capability name. */

[430] Fix | Delete

$message = __( 'When checking for the %s capability, you must always check it against a specific post.' );

[431] Fix | Delete

} elseif ( 'comment' === $object_type ) {

[432] Fix | Delete

/* translators: %s: Capability name. */

[433] Fix | Delete

$message = __( 'When checking for the %s capability, you must always check it against a specific comment.' );

[434] Fix | Delete

} elseif ( 'term' === $object_type ) {

[435] Fix | Delete

/* translators: %s: Capability name. */

[436] Fix | Delete

$message = __( 'When checking for the %s capability, you must always check it against a specific term.' );

[437] Fix | Delete

} else {

[438] Fix | Delete

/* translators: %s: Capability name. */

[439] Fix | Delete

$message = __( 'When checking for the %s capability, you must always check it against a specific user.' );

[440] Fix | Delete

}

[441] Fix | Delete

[442] Fix | Delete

_doing_it_wrong(

[443] Fix | Delete

__FUNCTION__,

[444] Fix | Delete

sprintf( $message, '<code>' . $cap . '</code>' ),

[445] Fix | Delete

'6.1.0'

[446] Fix | Delete

);

[447] Fix | Delete

[448] Fix | Delete

$caps[] = 'do_not_allow';

[449] Fix | Delete

break;

[450] Fix | Delete

}

[451] Fix | Delete

[452] Fix | Delete

$object_id = (int) $args[0];

[453] Fix | Delete

[454] Fix | Delete

$object_subtype = get_object_subtype( $object_type, $object_id );

[455] Fix | Delete

[456] Fix | Delete

if ( empty( $object_subtype ) ) {

[457] Fix | Delete

$caps[] = 'do_not_allow';

[458] Fix | Delete

break;

[459] Fix | Delete

}

[460] Fix | Delete

[461] Fix | Delete

$caps = map_meta_cap( "edit_{$object_type}", $user_id, $object_id );

[462] Fix | Delete

[463] Fix | Delete

$meta_key = isset( $args[1] ) ? $args[1] : false;

[464] Fix | Delete

[465] Fix | Delete

if ( $meta_key ) {

[466] Fix | Delete

$allowed = ! is_protected_meta( $meta_key, $object_type );

[467] Fix | Delete

[468] Fix | Delete

if ( ! empty( $object_subtype ) && has_filter( "auth_{$object_type}_meta_{$meta_key}_for_{$object_subtype}" ) ) {

[469] Fix | Delete

[470] Fix | Delete

/**

[471] Fix | Delete

* Filters whether the user is allowed to edit a specific meta key of a specific object type and subtype.

[472] Fix | Delete

*

[473] Fix | Delete

* The dynamic portions of the hook name, `$object_type`, `$meta_key`,

[474] Fix | Delete

* and `$object_subtype`, refer to the metadata object type (comment, post, term or user),

[475] Fix | Delete

* the meta key value, and the object subtype respectively.

[476] Fix | Delete

*

[477] Fix | Delete

* @since 4.9.8

[478] Fix | Delete

*

[479] Fix | Delete

* @param bool $allowed Whether the user can add the object meta. Default false.

[480] Fix | Delete

* @param string $meta_key The meta key.

[481] Fix | Delete

* @param int $object_id Object ID.

[482] Fix | Delete

* @param int $user_id User ID.

[483] Fix | Delete

* @param string $cap Capability name.

[484] Fix | Delete

* @param string[] $caps Array of the user's capabilities.

[485] Fix | Delete

*/

[486] Fix | Delete

$allowed = apply_filters( "auth_{$object_type}_meta_{$meta_key}_for_{$object_subtype}", $allowed, $meta_key, $object_id, $user_id, $cap, $caps );

[487] Fix | Delete

} else {

[488] Fix | Delete

[489] Fix | Delete

/**

[490] Fix | Delete

* Filters whether the user is allowed to edit a specific meta key of a specific object type.

[491] Fix | Delete

*

[492] Fix | Delete

* Return true to have the mapped meta caps from `edit_{$object_type}` apply.

[493] Fix | Delete

*

[494] Fix | Delete

* The dynamic portion of the hook name, `$object_type` refers to the object type being filtered.

[495] Fix | Delete

* The dynamic portion of the hook name, `$meta_key`, refers to the meta key passed to map_meta_cap().

[496] Fix | Delete

*

[497] Fix | Delete

* @since 3.3.0 As `auth_post_meta_{$meta_key}`.

[498] Fix | Delete

* @since 4.6.0

[499] Fix | Delete