user_has_cap filter allows edit but will not allow save

Problem

I’m working on a website where we need to be able to put a username in the custom field of a custom post type, and allow the user specified to make changes to that post and only that post. I thought user_has_cap would be the filter hook to use but weirdly it doesn’t seem to be allowing a user to update the post.

The user can see the edit screen for the post and only that post which implies my filter is working correctly, but clicking update gives the error You are not allowed to edit posts as this user. which contradicts this.

Read More

The post type has capability_type => post so I feel that shouldn’t be the issue.

Code

function event_cap_filter($all, $cap, $args) {
    // if not requesting edit post then return caps
    if('edit_post' != $args[0]) return $all;
    // if user can already edit others posts then return caps
    if($all['edit_others_posts']) return $all;

    // if user is the post author then return caps
    $post = get_post($args[2]);
    if($args[1] == $post->post_author) return $all;

    // query to find user in custom field
    // and therefore if they are allowed to edit this post

    if($can_edit) {
        foreach($cap as $c) {
            $all[$c] = true;
        }
    }

    return $all;
}
add_filter('user_has_cap', 'event_cap_filter', 10, 3);

Question

If my user can edit the post where he is specified in the custom field I check for, why can he not save his changes? Am I overlooking something?

Related posts

3 comments

  1. I think you are encountering a bug in _wp_translate_postdata() that makes it check edit_others_posts without providing any context for map_meta_cap and other filters to use in situations like yours (where you want a user to be able to edit specific posts that aren’t theirs):

    https://core.trac.wordpress.org/ticket/30452#comment:5

    It specifically has the effect that the affected user will be able to log into the post editor (implying it worked) but attempts to save changes will fail completely (which sounds like your problem).

    The ticket includes a solution from Daniel Bachuber that others can likely convert for their own purposes.

    Hopefully the bug is fixed soon.

  2. I’ve been struggling with the same problem…when args[0] is publish, args[2] is not populated. You have to get it from the url.

    if(substr($args[0],0,7)=="publish"){
        $postid=$_GET["post"];
        if(!isset($postid))return $allcaps;
    }
    else $postid=$args[2];
    
  3. I had a similar problem, needed to have a custom field to give specific people permission to edit some posts, pages and custom post types created by other users. I have an acf array field with users. Solved it getting the post id using $_POST[‘post_ID’] and the code below:

    function author_cap_filter( $allcaps, $cap, $args ) 
        {    
    
            if(isset($_POST['post_ID']))
            {
                $post_id = $_POST['post_ID'];
                $users = get_post_meta($post_id, 'add_people', TRUE);
    
                if(is_array($users) && in_array(wp_get_current_user()->ID,$users))
                    $allcaps['edit_others_posts']=TRUE;
    
            }
    
            return $allcaps;
        }   
    
    add_filter( 'user_has_cap', 'author_cap_filter', 10, 3 ); 
    

Comments are closed.