I have a custom post type with the following capabilities:
```php
// Capability map for the custom post type, as posted; each value is the
// capability name WordPress checks (via current_user_can()) for that action.
$capabilities = array(
    'read_post'              => 'administrator',
    'read_private_posts'     => 'administrator',
    'publish_posts'          => 'administrator',
    'edit_post'              => 'administrator',
    'edit_posts'             => 'administrator',
    'edit_published_posts'   => 'administrator',
    'edit_others_posts'      => 'administrator',
    'edit_private_posts'     => 'administrator',
    'delete_post'            => 'administrator',
    'delete_posts'           => 'administrator',
    'delete_published_posts' => 'administrator',
    'delete_others_posts'    => 'administrator',
    'delete_private_posts'   => 'administrator',
);
```
Do I still need to use something like `current_user_can()` when saving (via `save_post`), to validate whether that user has permissions to add or edit a post, or does setting the capabilities take care of that?
Since this is not a custom page in WordPress, but rather a custom post type, do I need to verify the nonce or is this built-in when using a custom post type? I should note that I’m not using any WordPress fields (such as title, body, etc.) in that post type. There is one pair of fields that have been added using `add_meta_box()`.
When using `save_post` you are usually adding/updating user-inputted data from a metabox into the database. When doing this you should check that your metabox’s nonce is valid. You should also check permissions, as `save_post` is triggered inside `wp_insert_post()`, and not just when you create/edit a post admin side.
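An added example of the checks the answer describes, written for this page rather than taken from the question or answer: a `save_post` handler for a hypothetical custom post type `ticket` with one meta box field. The post type name, the meta box, field and nonce names, and the `_ticket_priority` meta key are assumptions for illustration. The handler verifies the nonce first, skips autosaves and revisions, then checks `current_user_can( 'edit_post', $post_id )`, which WordPress resolves through the post type's own capability map when `map_meta_cap` is enabled, and only then writes sanitized data.

```php
<?php
// Added example (not from the question or answer above). Post type 'ticket',
// the meta box, field/nonce names and the meta key are assumed for illustration.

// Meta box that renders the custom field together with a nonce field.
add_action( 'add_meta_boxes_ticket', function () {
    add_meta_box( 'ticket_details', 'Ticket details', 'ticket_details_box', 'ticket', 'normal' );
} );

function ticket_details_box( WP_Post $post ) {
    wp_nonce_field( 'ticket_details_save', 'ticket_details_nonce' );
    $priority = get_post_meta( $post->ID, '_ticket_priority', true );
    printf(
        '<label>Priority <input type="number" name="ticket_priority" value="%s" min="1" max="5"></label>',
        esc_attr( $priority )
    );
}

// save_post_{$post_type} fires inside wp_insert_post(), so it also runs for
// programmatic inserts, REST requests and Quick Edit, not only the edit screen.
add_action( 'save_post_ticket', 'ticket_save_details', 10, 2 );

function ticket_save_details( int $post_id, WP_Post $post ): void {
    // 1. Nonce: proves the request came from our meta box form. A request
    //    without it (REST, wp_insert_post() from code) has nothing for us to save.
    if ( ! isset( $_POST['ticket_details_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['ticket_details_nonce'] ), 'ticket_details_save' ) ) {
        return;
    }

    // 2. Autosaves and revisions carry no meta box data; leave existing meta alone.
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }

    // 3. Authorisation: a valid nonce proves intent, not permission. The
    //    capabilities array passed to register_post_type() does not run this
    //    check for you inside a save_post callback.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // 4. Validate and sanitise the submitted value before writing it.
    $priority = isset( $_POST['ticket_priority'] ) ? absint( $_POST['ticket_priority'] ) : 0;
    if ( $priority < 1 || $priority > 5 ) {
        delete_post_meta( $post_id, '_ticket_priority' );
        return;
    }
    update_post_meta( $post_id, '_ticket_priority', $priority );
}
```

The order matters: the nonce check goes first so that saves that never rendered the meta box (autosaves, REST, programmatic inserts) return without touching meta, and the capability check is separate because a nonce only ties the request to a logged-in session, not to the right to edit that particular post.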