diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
index 19e399f55e..3812d28a1b 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -463,7 +463,13 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 }
 
 foreach ( $query_result as $post ) {
-if ( ! $this->check_read_permission( $post ) ) {
+if ( 'edit' === $request['context'] ) {
+$permission = $this->check_update_permission( $post );
+} else {
+$permission = $this->check_read_permission( $post );
+}
+
+if ( ! $permission ) {
 continue;
 }
 
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
index 72632fa96a..1f7d676dfa 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
@@ -365,6 +365,10 @@ class WP_REST_Terms_Controller extends WP_REST_Controller {
 if ( ! $is_head_request ) {
 $response = array();
 foreach ( $query_result as $term ) {
+if ( 'edit' === $request['context'] && ! current_user_can( 'edit_term', $term->term_id ) ) {
+continue;
+}
+
 $data = $this->prepare_item_for_response( $term, $request );
 $response[] = $this->prepare_response_for_collection( $data );
 }
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
index 78e1b38b1b..dc9dfc81aa 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
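Review bot: The new branch on `$request['context']` carries no comment explaining why the 'edit' context is gated on update permission instead of read permission, which is the security-relevant part of this change; without it a later cleanup could collapse the branch back to `check_read_permission()`. I would add above the `if`: `// In the 'edit' context include only posts the requester may update; other contexts only require read access.` The `$permission` temporary could also be a single ternary assignment, but that is a matter of taste. The enclosing method starts and ends outside the hunk.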
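Review bot: The added `edit_term` check drops terms from `$response` after the query has already run, so if the collection's total and pagination headers are derived from the query's own count outside this hunk (not visible here), edit-context responses may advertise more items than they return; worth confirming, and the same applies to the users controller's new per-user `edit_user` filter in its `foreach ( $query->get_results() as $user )` loop. The decision is also written inline with `current_user_can( 'edit_term', $term->term_id )`, whereas the posts controller routes the equivalent decision through a `check_update_permission()` helper; if this controller has a comparable helper, using it would keep the two consistent. I would add `// Edit context: include only terms the requester can edit.` above the new `if`. The enclosing method starts and ends outside the hunk.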
@@ -220,7 +220,7 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
 return new WP_Error(
 'rest_forbidden_context',
-__( 'Sorry, you are not allowed to list users.' ),
+__( 'Sorry, you are not allowed to edit users.' ),
 array( 'status' => rest_authorization_required_code() )
 );
 }
@@ -379,6 +379,10 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 $users = array();
 
 foreach ( $query->get_results() as $user ) {
+if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
+continue;
+}
+
 $data = $this->prepare_item_for_response( $user, $request );
 $users[] = $this->prepare_response_for_collection( $data );
 }
@@ -479,13 +483,15 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 return true;
 }
 
-if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
+if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
 return new WP_Error(
-'rest_user_cannot_view',
-__( 'Sorry, you are not allowed to list users.' ),
+'rest_forbidden_context',
+__( 'Sorry, you are not allowed to edit this user.' ),
 array( 'status' => rest_authorization_required_code() )
 );
-} elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) {
+}
+
+if ( ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) && ! count_user_posts( $user->ID, $types ) ) {
 return new WP_Error(
 'rest_user_cannot_view',
 __( 'Sorry, you are not allowed to list users.' ),
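Review bot: In the `@@ -479,13 +483,15 @@` hunk, `current_user_can( 'edit_user', $user->ID )` is now evaluated twice on the edit-context path (once in the new guard, again as the first operand of the reordered combined check), and the reason for reordering that combined condition — putting the capability checks ahead of `count_user_posts()`, which as far as I know queries the database — is not recorded anywhere. I would compute it once, `$can_edit_user = current_user_can( 'edit_user', $user->ID );`, use it in both conditions, and add `// Capability checks first; count_user_posts() hits the database.` above the second `if`. The change from `rest_user_cannot_view` to `rest_forbidden_context` for the edit-context error matches the collection check in the `@@ -220,7 +220,7 @@` hunk, which is good. The enclosing method starts and ends outside the hunk.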
@@ -1086,7 +1092,7 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 $data['slug'] = $user->user_nicename;
 }
 
-if ( in_array( 'roles', $fields, true ) ) {
+if ( in_array( 'roles', $fields, true ) && ( current_user_can( 'list_users' ) || current_user_can( 'edit_user', $user->ID ) ) ) {
 // Defensively call array_values() to ensure an array is returned.
 $data['roles'] = array_values( $user->roles );
 }
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 0eafda0814..52ebbe4e08 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.8.3-alpha-60773';
+$wp_version = '6.8.3-alpha-60817';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
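Review bot: The new `list_users || edit_user` guard on the `roles` field duplicates the checks the collection loop and the single-item permission check now enforce for the edit context, and nothing in the hunk says the duplication is deliberate, so a later cleanup could remove one side and silently reopen the exposure. I would add above the `if`: `// Defense in depth: expose roles only to users who can list or edit this user, regardless of which endpoint produced this item.` Keeping `in_array( 'roles', $fields, true )` as the first operand is right, since the capability lookups then run only when the field was actually requested. The enclosing method (presumably the item-preparation method) starts and ends outside the hunk.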