Correctly call current_user_can()

WordPress · Apr 18, 2024 · a9fced4 · a9fced4
1 parent 91c8136
commit a9fced4
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 5 deletions.
diff --git a/includes/event/event-form-handler.php b/includes/event/event-form-handler.php
@@ -25,13 +25,15 @@ public function handle( array $form_data ): void {
 			wp_send_json_error( esc_html__( 'Invalid form name.', 'gp-translation-events' ), 403 );
 		}
 
+		$event_id = isset( $form_data['event_id'] ) ? sanitize_text_field( wp_unslash( $form_data['event_id'] ) ) : 0;
+
 		if ( 'create_event' === $action && ( ! current_user_can( 'create_translation_event' ) ) ) {
 			wp_send_json_error( esc_html__( 'You do not have permissions to create events.', 'gp-translation-events' ), 403 );
 		}
-		if ( 'edit_event' === $action && ( ! current_user_can( 'edit_translation_event' ) ) ) {
+		if ( 'edit_event' === $action && ( ! current_user_can( 'edit_translation_event', $event_id ) ) ) {
 			wp_send_json_error( esc_html__( 'You do not have permissions to edit this event.', 'gp-translation-events' ), 403 );
 		}
-		if ( 'delete_event' === $action && ( ! current_user_can( 'delete_translation_event' ) ) ) {
+		if ( 'delete_event' === $action && ( ! current_user_can( 'delete_translation_event', $event_id ) ) ) {
 			wp_send_json_error( esc_html__( 'You do not have permissions to delete this event.', 'gp-translation-events' ), 403 );
 		}
 

diff --git a/includes/routes/user/host-event.php b/includes/routes/user/host-event.php
@@ -39,7 +39,7 @@ public function handle( int $event_id, int $user_id ): void {
 			$this->die_with_error( esc_html__( "Only logged-in users can manage the event's hosts.", 'gp-translation-events' ), 403 );
 		}
 
-		if ( ! current_user_can( 'edit_translation_event' ) ) {
+		if ( ! current_user_can( 'edit_translation_event', $event_id ) ) {
 			$this->die_with_error( esc_html__( "You do not have permissions to manage the event's hosts.", 'gp-translation-events' ), 403 );
 		}
 

diff --git a/templates/event.php b/templates/event.php
@@ -59,7 +59,7 @@
 								<span class="first-time-contributor-tada" title="<?php esc_html_e( 'New Translation Contributor', 'gp-translation-events' ); ?>"></span>
 							<?php endif; ?>
 							<?php
-							if ( current_user_can( 'edit_translation_event' ) ) :
+							if ( current_user_can( 'edit_translation_event', $event->id() ) ) :
 								$_attendee = $attendee_repo->get_attendee( $event_id, $contributor->ID );
 								if ( $_attendee instanceof Attendee ) :
 									echo '<form class="add-remove-user-as-host" method="post" action="' . esc_url( gp_url( "/events/host/$event_id/$contributor->ID" ) ) . '">';
@@ -79,7 +79,7 @@
 				</ul>
 			</div>
 		<?php endif; ?>
-		<?php if ( ! empty( $attendees ) && current_user_can( 'edit_translation_event' ) ) : ?>
+		<?php if ( ! empty( $attendees ) && current_user_can( 'edit_translation_event', $event->id() ) ) : ?>
 			<div class="event-attendees">
 				<h2>
 				<?php