Ensure capabilities are checked in metabox saves

[westonruter]

• For each metabox registered with add_meta_box, flag if the save callback does not contain a cap check.

If the callback is a method like array( $obj, 'method' ), it will be to difficult to check programatically. However, if the method is for $this or if a bare global function name or closure is used, then it should be straightforward to locate the function in the same file.

PHPUnit would be a better way to check if a function calls current_user_can, as a test could run and then check to see if the map_meta_cap hook ran during the function's execution.

Per the VIP code review guidelines:

Capability checks need to validate that users can take the requested actions.

[westonruter]

@paulgibbs what do you think about this one? What is meant by action and what tests would make sense? It may not be feasible to check with PHP_CodeSniffer.

[paulgibbs]

Examples tend to be like an implementation of a custom metabox in the backend, in the save() function; we'd expect a capability check to confirm that a particular user has the appropriate rights to change an option, for example.

Another example is for an AJAX endpoint handler used on a custom screen in the backend; a capability check here ensures that the requester has appropriate capabilities to be requesting the information.

Action is meant in the general sense of "when something occurs", rather than the sense of actions/filters.

Mightn't be practically code snifferable.

[westonruter]

I've updated the description with a path for how this could be implemented. It is similar now to #73.

Description was:

This may not be feasible to check programmatically, but whenever an action is performed we should check to see if current_user_can() is used in the action's function. Here action is interpreted to mean a hook; it would certainly not be possible to check for other “actions”. This check would likely generate a lot of noise, as many actions could be performed without needing any capability, and so adding the current_user_can() check would be just noise.