From 8f2004cf3348793e436914b472afa138adacffb5 Mon Sep 17 00:00:00 2001
From: Paulo Pinto
Date: Thu, 18 Apr 2024 16:11:25 +0100
Subject: [PATCH] Check for delete_post instead of manage_options
We were checking for manage_options to know whether the user can view the edit page, and for delete_post when handling form submission. We will now standardise on checking for delete_post in all places.
---
 includes/event/event-capabilities.php | 2 +-
 tests/event/event-capabilities.php | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/includes/event/event-capabilities.php b/includes/event/event-capabilities.php
index d39e6ad99..766f42aed 100644
--- a/includes/event/event-capabilities.php
+++ b/includes/event/event-capabilities.php
@@ -130,7 +130,7 @@ private function has_delete( WP_User $user, Event $event ): bool {
 return false;
 }
- if ( user_can( $user->ID, 'manage_options' ) ) {
+ if ( user_can( $user->ID, 'delete_post', $event->id() ) ) {
 return true;
 }
diff --git a/tests/event/event-capabilities.php b/tests/event/event-capabilities.php
index 7a484acf8..b8c225de1 100644
--- a/tests/event/event-capabilities.php
+++ b/tests/event/event-capabilities.php
@@ -105,7 +105,7 @@ public function test_cannot_delete_if_cannot_edit() {
 $this->assertFalse( user_can( $non_author_user_id, 'delete_translation_event', $event_id ) );
 }
- public function test_cannot_delete_without_manage_options_capability() {
+ public function test_cannot_delete_without_delete_post_capability() {
 $this->set_normal_user_as_current();
 $event_id = $this->event_factory->create_active();
@@ -113,7 +113,7 @@ public function test_cannot_delete_without_manage_options_capability() {
 $this->assertFalse( current_user_can( 'delete_translation_event', $event_id ) );
 }
- public function test_can_delete_with_manage_options_capability() {
+ public function test_can_delete_with_delete_post_capability() {
 $this->set_admin_user_as_current();
 $event_id = $this->event_factory->create_active();
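Review bot: The new check in has_delete() swaps a site-wide administrator capability for the per-post meta capability `delete_post`, so who may delete an event now depends on how the event post type maps that capability (its registration is not visible here) and presumably includes non-admin roles such as editors or the event's author. The commit message suggests this widening is intended, but the renamed tests in tests/event/event-capabilities.php still only exercise a normal user and an admin, and those two cases pass under either capability. A test with a role that can delete the event's post but lacks `manage_options` would pin the new authorization boundary. I would also add a comment above the check, e.g. `// delete_post is a meta capability resolved against this event's post, so roles other than administrators can match.` The body of has_delete() starts and ends outside the hunk.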