REST API: Introduce filter for controlling menu read access.

The menu, menu item, and menu location endpoints were added to the REST API in [52079]. In that commit, menu data was treated as private and restricted to logged-in users with the edit_theme_options capability. However, in many cases, this data can be considered public. Previously, there was no simple way for developers to allow this data to be exposed via the REST API.

This commit introduces the rest_menu_read_access filter, enabling developers to control read access to menus, menu items, and menu locations in the REST API. The same filter is applied across all three REST API classes, simplifying the process of opting into exposing this data.

Each instance of the filter provides the current request and the relevant class instance as context, allowing developers to selectively or globally enable access to the data.

Props spacedmonkey, antonvlasenko, kadamwhite, julianmar, masteradhoc.
Fixes #54304.
Built from https://develop.svn.wordpress.org/trunk@59718


git-svn-id: http://core.svn.wordpress.org/trunk@59060 1a063a9b-81f0-0310-95a4-ce76da25c4cd
spacedmonkey
2025-01-28 04:09:22 +00:00
parent 1b151183d5
commit 12a2275de7
4 changed files with 48 additions and 19 deletions


@@ -80,6 +80,19 @@ class WP_REST_Menu_Items_Controller extends WP_REST_Posts_Controller {
* @return true|WP_Error True if the request has read access for the item, WP_Error object otherwise.
*/
protected function check_has_read_only_access( $request ) {
/**
* Filters whether the current user has read access to menu items via the REST API.
*
* @since 6.8.0
* @param $read_only_access bool Whether the current user has read access to menu items via the REST API.
* @param $request WP_REST_Request Full details about the request.
* @param $this WP_REST_Controller The current instance of the controller.
*/
$read_only_access = apply_filters( 'rest_menu_read_access', false, $request, $this );
if ( $read_only_access ) {
return true;
}
if ( current_user_can( 'edit_theme_options' ) ) {
return true;
}
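Review bot: The new guard `if ( $read_only_access )` in check_has_read_only_access() grants access on any truthy filter result, so a callback that returns a WP_Error object or a non-empty string to signal denial would instead open the endpoint to unauthenticated requests. Because this value short-circuits the `edit_theme_options` capability check, the comparison should be strict: `if ( true === $read_only_access ) {`. The same loose check is added in the menu locations and menus controller sections of this commit. The filter docblock also has type and name swapped against the usual PHPDoc order; the tags should read `@param bool $read_only_access`, `@param WP_REST_Request $request` and `@param WP_REST_Controller $this`. The function body continues past the end of this hunk.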


@@ -80,15 +80,7 @@ class WP_REST_Menu_Locations_Controller extends WP_REST_Controller {
* @return true|WP_Error True if the request has read access, WP_Error object otherwise.
*/
public function get_items_permissions_check( $request ) {
if ( ! current_user_can( 'edit_theme_options' ) ) {
return new WP_Error(
'rest_cannot_view',
__( 'Sorry, you are not allowed to view menu locations.' ),
array( 'status' => rest_authorization_required_code() )
);
}
return true;
return $this->check_has_read_only_access( $request );
}
/**
@@ -123,15 +115,7 @@ class WP_REST_Menu_Locations_Controller extends WP_REST_Controller {
* @return true|WP_Error True if the request has read access for the item, WP_Error object otherwise.
*/
public function get_item_permissions_check( $request ) {
if ( ! current_user_can( 'edit_theme_options' ) ) {
return new WP_Error(
'rest_cannot_view',
__( 'Sorry, you are not allowed to view menu locations.' ),
array( 'status' => rest_authorization_required_code() )
);
}
return true;
return $this->check_has_read_only_access( $request );
}
/**
@@ -157,6 +141,32 @@ class WP_REST_Menu_Locations_Controller extends WP_REST_Controller {
return rest_ensure_response( $data );
}
/**
* Checks whether the current user has read permission for the endpoint.
*
* @since 6.8.0
*
* @param WP_REST_Request $request Full details about the request.
* @return true|WP_Error True if the current user has permission, WP_Error object otherwise.
*/
protected function check_has_read_only_access( $request ) {
/** This filter is documented in wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php */
$read_only_access = apply_filters( 'rest_menu_read_access', false, $request, $this );
if ( $read_only_access ) {
return true;
}
if ( ! current_user_can( 'edit_theme_options' ) ) {
return new WP_Error(
'rest_cannot_view',
__( 'Sorry, you are not allowed to view menu locations.' ),
array( 'status' => rest_authorization_required_code() )
);
}
return true;
}
/**
* Prepares a menu location object for serialization.
*
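Review bot: The docblock added for check_has_read_only_access() still describes a check on the current user, but the method now returns true before any capability check whenever the `rest_menu_read_access` filter allows it, including for requests with no logged-in user. The summary should say so, for example `Consults the rest_menu_read_access filter first, then falls back to the edit_theme_options capability.` Because get_items_permissions_check() and get_item_permissions_check() both delegate here, a callback that opens one route opens the other as well. A callback that needs to tell them apart has to inspect `$request`, which is worth one more sentence in the docblock.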


@@ -84,6 +84,12 @@ class WP_REST_Menus_Controller extends WP_REST_Terms_Controller {
* @return true|WP_Error True if the current user has permission, WP_Error object otherwise.
*/
protected function check_has_read_only_access( $request ) {
/** This filter is documented in wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php */
$read_only_access = apply_filters( 'rest_menu_read_access', false, $request, $this );
if ( $read_only_access ) {
return true;
}
if ( current_user_can( 'edit_theme_options' ) ) {
return true;
}


@@ -16,7 +16,7 @@
*
* @global string $wp_version
*/
$wp_version = '6.8-alpha-59717';
$wp_version = '6.8-alpha-59718';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.