@@ -119,10 +119,28 @@ public function save_post() {
119119 'post_type ' => 'post ' ,
120120 'post_status ' => 'draft ' ,
121121 'post_format ' => ( ! empty ( $ _POST ['post_format ' ] ) ) ? sanitize_text_field ( $ _POST ['post_format ' ] ) : '' ,
122- 'tax_input ' => ( ! empty ( $ _POST ['tax_input ' ] ) ) ? $ _POST ['tax_input ' ] : array (),
123- 'post_category ' => ( ! empty ( $ _POST ['post_category ' ] ) ) ? $ _POST ['post_category ' ] : array (),
124122 );
125123
124+ // Only accept categories if the user actually can assign
125+ $ category_tax = get_taxonomy ( 'category ' );
126+ if ( current_user_can ( $ category_tax ->cap ->assign_terms ) ) {
127+ $ post_data ['post_category ' ] = ( ! empty ( $ _POST ['post_category ' ] ) ) ? $ _POST ['post_category ' ] : array ();
128+ }
129+
130+ // Only accept taxonomies if the user can actually assign
131+ if ( ! empty ( $ _POST ['tax_input ' ] ) ) {
132+ $ tax_input = $ _POST ['tax_input ' ];
133+ foreach ( $ tax_input as $ tax => $ _ti ) {
134+ $ tax_object = get_taxonomy ( $ tax );
135+ if ( ! $ tax_object || ! current_user_can ( $ tax_object ->cap ->assign_terms ) ) {
136+ unset( $ tax_input [ $ tax ] );
137+ }
138+ }
139+
140+ $ post_data ['tax_input ' ] = $ tax_input ;
141+ }
142+
143+ // Toggle status to pending if user cannot actually publish
126144 if ( ! empty ( $ _POST ['post_status ' ] ) && 'publish ' === $ _POST ['post_status ' ] ) {
127145 if ( current_user_can ( 'publish_posts ' ) ) {
128146 $ post_data ['post_status ' ] = 'publish ' ;
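Review bot: The new `tax_input` branch guards only with `! empty()`, so a non-array value posted as `tax_input` (a plain string) reaches the `foreach` on the line below `$tax_input = $_POST['tax_input'];`, emits a warning instead of iterating, and is then copied unchanged into `$post_data['tax_input']` with none of the assign_terms filtering applied. Tightening the guard to `if ( ! empty( $_POST['tax_input'] ) && is_array( $_POST['tax_input'] ) ) {` keeps the capability check effective for every input shape; the `post_category` assignment a few lines above has the same gap and presumably should also accept only an array. The loop's `$_ti` value is never used, so iterating `array_keys( $tax_input )` would make the intent explicit. save_post() starts before this hunk.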
@@ -453,7 +471,7 @@ private function _limit_img( $src ) {
453471 * @since 4.2.0
454472 *
455473 * @param string $src Embed source URL.
456- * @return string If not from a supported provider, an empty string. Otherwise, a reformattd embed URL.
474+ * @return string If not from a supported provider, an empty string. Otherwise, a reformatted embed URL.
457475 */
458476 private function _limit_embed ( $ src ) {
459477 $ src = $ this ->_limit_url ( $ src );
@@ -853,6 +871,12 @@ public function post_formats_html( $post ) {
853871 public function categories_html ( $ post ) {
854872 $ taxonomy = get_taxonomy ( 'category ' );
855873
874+ // Bail if user cannot assign terms
875+ if ( ! current_user_can ( $ taxonomy ->cap ->assign_terms ) ) {
876+ return ;
877+ }
878+
879+ // Only show "add" if user can edit terms
856880 if ( current_user_can ( $ taxonomy ->cap ->edit_terms ) ) {
857881 ?>
858882 <button type="button" class="add-cat-toggle button-link" aria-expanded="false">
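Review bot: The early return added to categories_html() bails unless the user has `assign_terms`, while `$show_categories` in html() (the later hunk in this section) is true when the user has `assign_terms` OR `edit_terms`, so a user holding only `edit_terms` is shown the Categories button and a modal whose body renders nothing. The two conditions should agree: either drop `|| current_user_can( $categories_tax->cap->edit_terms )` from `$show_categories`, or have this method bail only when the user can neither assign nor edit, e.g. `if ( ! current_user_can( $taxonomy->cap->assign_terms ) && ! current_user_can( $taxonomy->cap->edit_terms ) ) {`. Since save_post() in the first hunk accepts `post_category` on assign_terms alone, the narrower `$show_categories` is the consistent choice. categories_html() continues past this hunk.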
@@ -1272,6 +1296,12 @@ public function html() {
12721296 wp_enqueue_script ( 'json2 ' );
12731297 wp_enqueue_script ( 'editor ' );
12741298
1299+ $ categories_tax = get_taxonomy ( 'category ' );
1300+ $ show_categories = current_user_can ( $ categories_tax ->cap ->assign_terms ) || current_user_can ( $ categories_tax ->cap ->edit_terms );
1301+
1302+ $ tag_tax = get_taxonomy ( 'post_tag ' );
1303+ $ show_tags = current_user_can ( $ tag_tax ->cap ->assign_terms );
1304+
12751305 $ supports_formats = false ;
12761306 $ post_format = 0 ;
12771307
@@ -1423,17 +1453,21 @@ public function html() {
14231453 </button>
14241454 <?php endif ; ?>
14251455
1426- <button type="button" class="button-link post-option">
1427- <span class="dashicons dashicons-category"></span>
1428- <span class="post-option-title"><?php _e ( 'Categories ' ); ?> </span>
1429- <span class="dashicons post-option-forward"></span>
1430- </button>
1431-
1432- <button type="button" class="button-link post-option">
1433- <span class="dashicons dashicons-tag"></span>
1434- <span class="post-option-title"><?php _e ( 'Tags ' ); ?> </span>
1435- <span class="dashicons post-option-forward"></span>
1436- </button>
1456+ <?php if ( $ show_categories ) : ?>
1457+ <button type="button" class="button-link post-option">
1458+ <span class="dashicons dashicons-category"></span>
1459+ <span class="post-option-title"><?php _e ( 'Categories ' ); ?> </span>
1460+ <span class="dashicons post-option-forward"></span>
1461+ </button>
1462+ <?php endif ; ?>
1463+
1464+ <?php if ( $ show_tags ) : ?>
1465+ <button type="button" class="button-link post-option">
1466+ <span class="dashicons dashicons-tag"></span>
1467+ <span class="post-option-title"><?php _e ( 'Tags ' ); ?> </span>
1468+ <span class="dashicons post-option-forward"></span>
1469+ </button>
1470+ <?php endif ; ?>
14371471 </div>
14381472
14391473 <?php if ( $ supports_formats ) : ?>
@@ -1447,23 +1481,27 @@ public function html() {
14471481 </div>
14481482 <?php endif ; ?>
14491483
1450- <div class="setting-modal is-off-screen is-hidden">
1451- <button type="button" class="button-link modal-close">
1452- <span class="dashicons post-option-back"></span>
1453- <span class="setting-title" aria-hidden="true"><?php _e ( 'Categories ' ); ?> </span>
1454- <span class="screen-reader-text"><?php _e ( 'Back to post options ' ) ?> </span>
1455- </button>
1456- <?php $ this ->categories_html ( $ post ); ?>
1457- </div>
1484+ <?php if ( $ show_categories ) : ?>
1485+ <div class="setting-modal is-off-screen is-hidden">
1486+ <button type="button" class="button-link modal-close">
1487+ <span class="dashicons post-option-back"></span>
1488+ <span class="setting-title" aria-hidden="true"><?php _e ( 'Categories ' ); ?> </span>
1489+ <span class="screen-reader-text"><?php _e ( 'Back to post options ' ) ?> </span>
1490+ </button>
1491+ <?php $ this ->categories_html ( $ post ); ?>
1492+ </div>
1493+ <?php endif ; ?>
14581494
1459- <div class="setting-modal tags is-off-screen is-hidden">
1460- <button type="button" class="button-link modal-close">
1461- <span class="dashicons post-option-back"></span>
1462- <span class="setting-title" aria-hidden="true"><?php _e ( 'Tags ' ); ?> </span>
1463- <span class="screen-reader-text"><?php _e ( 'Back to post options ' ) ?> </span>
1464- </button>
1465- <?php $ this ->tags_html ( $ post ); ?>
1466- </div>
1495+ <?php if ( $ show_tags ) : ?>
1496+ <div class="setting-modal tags is-off-screen is-hidden">
1497+ <button type="button" class="button-link modal-close">
1498+ <span class="dashicons post-option-back"></span>
1499+ <span class="setting-title" aria-hidden="true"><?php _e ( 'Tags ' ); ?> </span>
1500+ <span class="screen-reader-text"><?php _e ( 'Back to post options ' ) ?> </span>
1501+ </button>
1502+ <?php $ this ->tags_html ( $ post ); ?>
1503+ </div>
1504+ <?php endif ; ?>
14671505 </div><!-- .options-panel -->
14681506 </div><!-- .wrapper -->
14691507