Description: Fix permission problem in Press This
 Press This: Do not show Categories & Tags UI for users who cannot assign
 terms to posts anyways.
Author: ocean90@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/39976
Bug-Debian: https://bugs.debian.org/852767
Applied-Upstream: 4.7.2
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2017-01-27
--- a/wp-admin/press-this.php
+++ b/wp-admin/press-this.php
@@ -32,8 +32,25 @@
 	if ( !current_user_can('edit_post', $post_ID) )
 		wp_die(__('You are not allowed to edit this post.'));
 
-	$post['post_category'] = isset($_POST['post_category']) ? $_POST['post_category'] : '';
-	$post['tax_input'] = isset($_POST['tax_input']) ? $_POST['tax_input'] : '';
+	// Only accept categories if the user actually can assign
+	$category_tax = get_taxonomy( 'category' );
+	if ( current_user_can( $category_tax->cap->assign_terms ) ) {
+		$post['post_category'] = ( ! empty( $_POST['post_category'] ) ) ? $_POST['post_category'] : array();
+	}
+
+	// Only accept taxonomies if the user can actually assign
+	if ( ! empty( $_POST['tax_input'] ) ) {
+		$tax_input = $_POST['tax_input'];
+		foreach ( $tax_input as $tax => $_ti ) {
+			$tax_object = get_taxonomy( $tax );
+			if ( ! $tax_object || ! current_user_can( $tax_object->cap->assign_terms ) ) {
+				unset( $tax_input[ $tax ] );
+			}
+		}
+
+		$post['tax_input'] = $tax_input;
+	}
+
 	$post['post_title'] = isset($_POST['title']) ? $_POST['title'] : '';
 	$content = isset($_POST['content']) ? $_POST['content'] : '';
 
@@ -523,75 +540,81 @@
 				</div>
 			</div>
 
-			<?php $tax = get_taxonomy( 'category' ); ?>
-			<div id="categorydiv" class="postbox">
-				<div class="handlediv" title="<?php esc_attr_e( 'Click to toggle' ); ?>"><br /></div>
-				<h3 class="hndle"><?php _e('Categories') ?></h3>
-				<div class="inside">
-				<div id="taxonomy-category" class="categorydiv">
+			<?php
 
-					<ul id="category-tabs" class="category-tabs">
-						<li class="tabs"><a href="#category-all"><?php echo $tax->labels->all_items; ?></a></li>
-						<li class="hide-if-no-js"><a href="#category-pop"><?php _e( 'Most Used' ); ?></a></li>
-					</ul>
-
-					<div id="category-pop" class="tabs-panel" style="display: none;">
-						<ul id="categorychecklist-pop" class="categorychecklist form-no-clear" >
-							<?php $popular_ids = wp_popular_terms_checklist( 'category' ); ?>
+			$tax = get_taxonomy( 'category' );
+			if ( current_user_can( $tax->cap->assign_terms ) ) :
+				?>
+				<div id="categorydiv" class="postbox">
+					<div class="handlediv" title="<?php esc_attr_e( 'Click to toggle' ); ?>"><br /></div>
+					<h3 class="hndle"><?php _e('Categories') ?></h3>
+					<div class="inside">
+					<div id="taxonomy-category" class="categorydiv">
+
+						<ul id="category-tabs" class="category-tabs">
+							<li class="tabs"><a href="#category-all"><?php echo $tax->labels->all_items; ?></a></li>
+							<li class="hide-if-no-js"><a href="#category-pop"><?php _e( 'Most Used' ); ?></a></li>
 						</ul>
-					</div>
 
-					<div id="category-all" class="tabs-panel">
-						<ul id="categorychecklist" data-wp-lists="list:category" class="categorychecklist form-no-clear">
-							<?php wp_terms_checklist($post_ID, array( 'taxonomy' => 'category', 'popular_cats' => $popular_ids ) ) ?>
-						</ul>
-					</div>
+						<div id="category-pop" class="tabs-panel" style="display: none;">
+							<ul id="categorychecklist-pop" class="categorychecklist form-no-clear" >
+								<?php $popular_ids = wp_popular_terms_checklist( 'category' ); ?>
+							</ul>
+						</div>
 
-					<?php if ( !current_user_can($tax->cap->assign_terms) ) : ?>
-					<p><em><?php _e('You cannot modify this Taxonomy.'); ?></em></p>
-					<?php endif; ?>
-					<?php if ( current_user_can($tax->cap->edit_terms) ) : ?>
-						<div id="category-adder" class="wp-hidden-children">
-							<h4>
-								<a id="category-add-toggle" href="#category-add" class="hide-if-no-js">
-									<?php printf( __( '+ %s' ), $tax->labels->add_new_item ); ?>
-								</a>
-							</h4>
-							<p id="category-add" class="category-add wp-hidden-child">
-								<label class="screen-reader-text" for="newcategory"><?php echo $tax->labels->add_new_item; ?></label>
-								<input type="text" name="newcategory" id="newcategory" class="form-required form-input-tip" value="<?php echo esc_attr( $tax->labels->new_item_name ); ?>" aria-required="true"/>
-								<label class="screen-reader-text" for="newcategory_parent">
-									<?php echo $tax->labels->parent_item_colon; ?>
-								</label>
-								<?php wp_dropdown_categories( array( 'taxonomy' => 'category', 'hide_empty' => 0, 'name' => 'newcategory_parent', 'orderby' => 'name', 'hierarchical' => 1, 'show_option_none' => '&mdash; ' . $tax->labels->parent_item . ' &mdash;' ) ); ?>
-								<input type="button" id="category-add-submit" data-wp-lists="add:categorychecklist:category-add" class="button category-add-submit" value="<?php echo esc_attr( $tax->labels->add_new_item ); ?>" />
-								<?php wp_nonce_field( 'add-category', '_ajax_nonce-add-category', false ); ?>
-								<span id="category-ajax-response"></span>
-							</p>
+						<div id="category-all" class="tabs-panel">
+							<ul id="categorychecklist" data-wp-lists="list:category" class="categorychecklist form-no-clear">
+								<?php wp_terms_checklist($post_ID, array( 'taxonomy' => 'category', 'popular_cats' => $popular_ids ) ) ?>
+							</ul>
 						</div>
-					<?php endif; ?>
-				</div>
+
+						<?php if ( current_user_can($tax->cap->edit_terms) ) : ?>
+							<div id="category-adder" class="wp-hidden-children">
+								<h4>
+									<a id="category-add-toggle" href="#category-add" class="hide-if-no-js">
+										<?php printf( __( '+ %s' ), $tax->labels->add_new_item ); ?>
+									</a>
+								</h4>
+								<p id="category-add" class="category-add wp-hidden-child">
+									<label class="screen-reader-text" for="newcategory"><?php echo $tax->labels->add_new_item; ?></label>
+									<input type="text" name="newcategory" id="newcategory" class="form-required form-input-tip" value="<?php echo esc_attr( $tax->labels->new_item_name ); ?>" aria-required="true"/>
+									<label class="screen-reader-text" for="newcategory_parent">
+										<?php echo $tax->labels->parent_item_colon; ?>
+									</label>
+									<?php wp_dropdown_categories( array( 'taxonomy' => 'category', 'hide_empty' => 0, 'name' => 'newcategory_parent', 'orderby' => 'name', 'hierarchical' => 1, 'show_option_none' => '&mdash; ' . $tax->labels->parent_item . ' &mdash;' ) ); ?>
+									<input type="button" id="category-add-submit" data-wp-lists="add:categorychecklist:category-add" class="button category-add-submit" value="<?php echo esc_attr( $tax->labels->add_new_item ); ?>" />
+									<?php wp_nonce_field( 'add-category', '_ajax_nonce-add-category', false ); ?>
+									<span id="category-ajax-response"></span>
+								</p>
+							</div>
+						<?php endif; ?>
+					</div>
+					</div>
 				</div>
-			</div>
+			<?php endif;
 
-			<div id="tagsdiv-post_tag" class="postbox">
-				<div class="handlediv" title="<?php esc_attr_e( 'Click to toggle' ); ?>"><br /></div>
-				<h3><span><?php _e('Tags'); ?></span></h3>
-				<div class="inside">
-					<div class="tagsdiv" id="post_tag">
-						<div class="jaxtag">
-							<label class="screen-reader-text" for="newtag"><?php _e('Tags'); ?></label>
-							<input type="hidden" name="tax_input[post_tag]" class="the-tags" id="tax-input[post_tag]" value="" />
-							<div class="ajaxtag">
-								<input type="text" name="newtag[post_tag]" class="newtag form-input-tip" size="16" autocomplete="off" value="" />
-								<input type="button" class="button tagadd" value="<?php esc_attr_e('Add'); ?>" />
+			$tax = get_taxonomy( 'post_tag' );
+			if ( current_user_can( $tax->cap->assign_terms ) ) :
+				?>
+				<div id="tagsdiv-post_tag" class="postbox">
+					<div class="handlediv" title="<?php esc_attr_e( 'Click to toggle' ); ?>"><br /></div>
+					<h3><span><?php _e('Tags'); ?></span></h3>
+					<div class="inside">
+						<div class="tagsdiv" id="post_tag">
+							<div class="jaxtag">
+								<label class="screen-reader-text" for="newtag"><?php _e('Tags'); ?></label>
+								<input type="hidden" name="tax_input[post_tag]" class="the-tags" id="tax-input[post_tag]" value="" />
+								<div class="ajaxtag">
+									<input type="text" name="newtag[post_tag]" class="newtag form-input-tip" size="16" autocomplete="off" value="" />
+									<input type="button" class="button tagadd" value="<?php esc_attr_e('Add'); ?>" />
+								</div>
 							</div>
+							<div class="tagchecklist"></div>
 						</div>
-						<div class="tagchecklist"></div>
+						<p class="tagcloud-link"><a href="#titlediv" class="tagcloud-link" id="link-post_tag"><?php _e('Choose from the most used tags'); ?></a></p>
 					</div>
-					<p class="tagcloud-link"><a href="#titlediv" class="tagcloud-link" id="link-post_tag"><?php _e('Choose from the most used tags'); ?></a></p>
 				</div>
-			</div>
+			<?php endif; ?>
 		</div>
 	</div>
 	<div class="posting">
