REST API: Increase the specificity of capability checks for collections when the edit context is in use.

The edit access in now taken into account for each individual post, term, or user in the response.

Merges [60814] into the 6.8 branch.

Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, rmccue, timothyblynjacobs, vortfu, whyisjake, zieladam.
Built from https://develop.svn.wordpress.org/branches/6.8@60817


git-svn-id: http://core.svn.wordpress.org/branches/6.8@60153 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

@@ -463,7 +463,13 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 			}
 
 			foreach ( $query_result as $post ) {
-				if ( ! $this->check_read_permission( $post ) ) {
+				if ( 'edit' === $request['context'] ) {
+					$permission = $this->check_update_permission( $post );
+				} else {
+					$permission = $this->check_read_permission( $post );
+				}
+
+				if ( ! $permission ) {
 					continue;
 				}
 

wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php

@@ -365,6 +365,10 @@ class WP_REST_Terms_Controller extends WP_REST_Controller {
 		if ( ! $is_head_request ) {
 			$response = array();
 			foreach ( $query_result as $term ) {
+				if ( 'edit' === $request['context'] && ! current_user_can( 'edit_term', $term->term_id ) ) {
+					continue;
+				}
+
 				$data       = $this->prepare_item_for_response( $term, $request );
 				$response[] = $this->prepare_response_for_collection( $data );
 			}

wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

@@ -220,7 +220,7 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 		if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
 			return new WP_Error(
 				'rest_forbidden_context',
-				__( 'Sorry, you are not allowed to list users.' ),
+				__( 'Sorry, you are not allowed to edit users.' ),
 				array( 'status' => rest_authorization_required_code() )
 			);
 		}
@@ -379,6 +379,10 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 			$users = array();
 
 			foreach ( $query->get_results() as $user ) {
+				if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
+					continue;
+				}
+
 				$data    = $this->prepare_item_for_response( $user, $request );
 				$users[] = $this->prepare_response_for_collection( $data );
 			}
@@ -479,13 +483,15 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 			return true;
 		}
 
-		if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
+		if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
 			return new WP_Error(
-				'rest_user_cannot_view',
-				__( 'Sorry, you are not allowed to list users.' ),
+				'rest_forbidden_context',
+				__( 'Sorry, you are not allowed to edit this user.' ),
 				array( 'status' => rest_authorization_required_code() )
 			);
-		} elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) {
+		}
+
+		if ( ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) && ! count_user_posts( $user->ID, $types ) ) {
 			return new WP_Error(
 				'rest_user_cannot_view',
 				__( 'Sorry, you are not allowed to list users.' ),
@@ -1086,7 +1092,7 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 			$data['slug'] = $user->user_nicename;
 		}
 
-		if ( in_array( 'roles', $fields, true ) ) {
+		if ( in_array( 'roles', $fields, true ) && ( current_user_can( 'list_users' ) || current_user_can( 'edit_user', $user->ID ) ) ) {
 			// Defensively call array_values() to ensure an array is returned.
 			$data['roles'] = array_values( $user->roles );
 		}

wp-includes/version.php

@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.8.3-alpha-60773';
+$wp_version = '6.8.3-alpha-60817';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.