Skip to content

PHPCS: Allowlist custom capabilities instead of disabling the sniff #583

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
obenland wants to merge 6 commits into
base: trunk
Choose a base branch
from
Open

PHPCS: Allowlist custom capabilities instead of disabling the sniff #583

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
e7b6f47
PHPCS: Allowlist custom capabilities instead of disabling the sniff.
obenland Mar 31, 2026
0502eec
Add missing capabilities to the allowlist and fix additional bugs.
obenland Mar 31, 2026
61daa28
BuddyPress: Add braces around inline control structure.
obenland Mar 31, 2026
97d0f6a
Photo Directory: Use allcaps array instead of user_can in user_has_ca…
obenland Mar 31, 2026
c12f07c
Merge branch 'trunk' into fix/phpcs-custom-capabilities
obenland Apr 1, 2026
6ee71cb
PHPCS: Note that custom capabilities just need documenting in the all…
obenland Apr 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 2 additions & 6 deletions buddypress.org/public_html/wp-content/plugins/buddypress-org/buddypress-dot-org.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,13 +52,9 @@ function bporg_remove_dashboard_widget( $admin ) {
* @return if user is an admin
*/
function bporg_admin_redirect() {
if ( is_super_admin()
|| current_user_can( 'contributor' )
|| current_user_can( 'author' )
|| current_user_can( 'editor' )
|| current_user_can( 'administrator' )
)
if ( is_super_admin() || current_user_can( 'edit_posts' ) ) {
return;
}

// Allow registered unprivileged admin-ajax.php requests for
// profiles.wordpress.org to pass through.
Expand Down
86 changes: 83 additions & 3 deletions phpcs.xml.dist
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,9 +119,89 @@
<severity>0</severity>
</rule>

<!-- Custom capabilities are valid in the WordPress.org environment. -->
<rule ref="WordPress.WP.Capabilities.Unknown">
<severity>0</severity>
<!-- Custom capabilities used across the WordPress.org environment. -->
<rule ref="WordPress.WP.Capabilities">
Comment on lines +122 to +124
Copy link
Copy Markdown
Member

@dd32 dd32 Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not really a fan of this style of nitty-gritty capability listing.. but I'm not veto'ing this.

Perhaps we can do a middle-ground of warning severity or notice severity, and not error?

Let's also document it here that PRs can update the list as needed, and this isn't a strict requirement, rather just to catch those typos.

Suggested change
<!-- Custom capabilities used across the WordPress.org environment. -->
<rule ref="WordPress.WP.Capabilities">
<!-- Custom capabilities used across the WordPress.org environment. -->
<!-- Please note: Using custom capabilities is allowed, just document them here please! -->
<rule ref="WordPress.WP.Capabilities">

<properties>
<property name="custom_capabilities" type="array">
<!-- Plugin Directory -->
<element value="plugin_add_committer"/>
<element value="plugin_add_support_rep"/>
<element value="plugin_admin_edit"/>
<element value="plugin_admin_view"/>
<element value="plugin_approve"/>
<element value="plugin_close"/>
<element value="plugin_dashboard_access"/>
<element value="plugin_disable"/>
<element value="plugin_edit"/>
<element value="plugin_edit_others"/>
<element value="plugin_edit_pending"/>
<element value="plugin_manage_releases"/>
<element value="plugin_reject"/>
<element value="plugin_remove_committer"/>
<element value="plugin_remove_support_rep"/>
<element value="plugin_review"/>
<element value="plugin_self_close"/>
<element value="plugin_self_transfer"/>
<element value="plugin_set_category"/>
<element value="plugin_set_section"/>
<element value="plugin_toggle_public_preview"/>
<!-- Theme Directory -->
<element value="suspend_theme"/>
<element value="reinstate_theme"/>
<element value="suspend_themes"/>
<element value="reinstate_themes"/>
<element value="theme_configure_categorization_options"/>
<!-- PHPUnit Test Reporter -->
<element value="edit_results"/>
<element value="publish_results"/>
<element value="edit_others_results"/>
<element value="read_private_results"/>
<!-- Translation Events -->
<element value="manage_translation_events"/>
<element value="create_translation_event"/>
<element value="view_translation_event"/>
<element value="edit_translation_event"/>
<element value="trash_translation_event"/>
<element value="delete_translation_event"/>
<element value="edit_translation_event_attendees"/>
<element value="edit_translation_event_title"/>
<element value="edit_translation_event_description"/>
<element value="edit_translation_event_start"/>
<element value="edit_translation_event_end"/>
<element value="edit_translation_event_timezone"/>
<element value="edit_translation_event_attendance_mode"/>
<!-- Support Forums -->
<element value="bbp_forums_admin"/>
<element value="edit_topic"/>
<element value="edit_reply"/>
<element value="read_topic"/>
<element value="keep_gate"/>
<element value="moderate"/>
<element value="throttle"/>
<element value="participate"/>
<element value="spectate"/>
<element value="assign_topic_tags"/>
<!-- Photo Directory -->
<element value="edit_photos"/>
<element value="delete_photos"/>
<element value="delete_others_photos"/>
<element value="publish_photos"/>
<element value="edit_others_photos"/>
<element value="edit_published_photos"/>
<element value="delete_published_photos"/>
<element value="delete_private_photos"/>
<element value="edit_private_photos"/>
<element value="read_private_photos"/>
<element value="manage_photo_tags"/>
<!-- Learn -->
<element value="manage_workshop_internal_notes"/>
<element value="edit_courses"/>
<element value="edit_lessons"/>
<element value="edit_any_learn_content"/>
<!-- HelpHub -->
<element value="manage_helphub"/>
</property>
</properties>
</rule>

<rule ref="WordPress-Extra">
Expand Down
2 changes: 1 addition & 1 deletion wordpress.org/public_html/wp-content/plugins/photo-directory/inc/moderation.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -291,7 +291,7 @@ public static function disable_own_post_editing( $caps, $cap, $args, $user ) {
}

// Bail if user isn't a moderator.
if ( ! user_can( $user->ID, 'photos_moderator' ) ) {
if ( empty( $caps['edit_photos'] ) ) {
Copy link
Copy Markdown
Member

@dd32 dd32 Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this needs a user_can(), because super-admin roles don't have the caps.

Copy link
Copy Markdown
Member

@dd32 dd32 Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmmm.. actually... this is a user_has_cap filter.. Using user_can and friends in that is discouraged in cap filters.. due to loops..

I think the proper check here would be to be either requiring a cap by appending to $caps, or appending do_not_allow to block.. or.. something.. else...

Copy link
Copy Markdown
Member Author

@obenland obenland Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suppose it depends on how we want this to behave. It sets edit_photos to false when the photo in question is the moderator's own photo.

If we want super admins to be able to edit their own submissions we'd append a || is_super_admin( $user->ID ) check to bail. Otherwise a && ! is_super_admin( $user->ID ) to apply to them, too?

return $caps;
}

Expand Down
2 changes: 1 addition & 1 deletion wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-customizations.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -819,7 +819,7 @@ public function custom_comment_row_actions( $actions, $comment ) {
if ( 'internal-note' === $comment->comment_type && isset( $_REQUEST['mode'] ) && 'single' === $_REQUEST['mode'] ) {
$allowed_actions = array( 'reply' => true );

if ( current_user_can( 'manage_comments' ) ) {
if ( current_user_can( 'moderate_comments' ) ) {
$allowed_actions['trash'] = true;
$allowed_actions['untrash'] = true;
$allowed_actions['quickedit'] = true;
Expand Down
8 changes: 4 additions & 4 deletions ...ublic_html/wp-content/plugins/plugin-directory/admin/tools/class-elasticsearch-status.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,14 +27,14 @@ public function add_to_menu() {
'plugin-tools',
'ES Index Status',
'ES Index Status',
'plugin_admin',
'plugin_approve',
'es-index-status',
array( $this, 'render' )
);
}

public function render() {
if ( ! current_user_can( 'plugin_admin' ) ) {
if ( ! current_user_can( 'plugin_approve' ) ) {
return;
}

Expand Down Expand Up @@ -249,7 +249,7 @@ function tick() {
public function ajax_check_batch() {
check_ajax_referer( 'es-index-check-batch' );

if ( ! current_user_can( 'plugin_admin' ) ) {
if ( ! current_user_can( 'plugin_approve' ) ) {
wp_send_json_error( 'Permission denied.' );
}

Expand Down Expand Up @@ -294,7 +294,7 @@ public function ajax_check_batch() {
public function ajax_reindex() {
check_ajax_referer( 'es-index-check-batch' );

if ( ! current_user_can( 'plugin_admin' ) ) {
if ( ! current_user_can( 'plugin_approve' ) ) {
wp_send_json_error( 'Permission denied.' );
}

Expand Down