From e441ff033812402537ed6bfcae56377adb58c394 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Tue, 30 Sep 2025 16:52:31 +0000
Subject: [PATCH] REST API: Increase the specificity of capability checks for collections when the edit context is in use.

The edit access in now taken into account for each individual post, term, or user in the response.
Merges [60814] into the 6.8 branch.
Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, rmccue, timothyblynjacobs, vortfu, whyisjake, zieladam.
Built from https://develop.svn.wordpress.org/branches/6.8@60817
git-svn-id: http://core.svn.wordpress.org/branches/6.8@60153 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 .../class-wp-rest-posts-controller.php | 8 +++++++-
 .../class-wp-rest-terms-controller.php | 4 ++++
 .../class-wp-rest-users-controller.php | 18 ++++++++++++------
 wp-includes/version.php | 2 +-
 4 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
index 19e399f55e..3812d28a1b 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -463,7 +463,13 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
  }
  foreach ( $query_result as $post ) {
- if ( ! $this->check_read_permission( $post ) ) {
+ if ( 'edit' === $request['context'] ) {
+ $permission = $this->check_update_permission( $post );
+ } else {
+ $permission = $this->check_read_permission( $post );
+ }
+
+ if ( ! $permission ) {
  continue;
  }
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
index 72632fa96a..1f7d676dfa 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
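Review bot: Nothing at the new `if` records why the edit context switches from a read check to `check_update_permission()`, so a later reader will wonder why a post the user can read disappears from an edit-context listing; a one-line comment would capture it, e.g. `// The edit context exposes editor-only data, so only include posts the current user can update.` Posts skipped by the `continue` presumably still count toward whatever totals the method reports from the query (that code is outside the hunk), so an edit-context page can hold fewer items than its totals suggest; worth a note or a follow-up. The enclosing method begins and ends outside the hunk.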
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
@@ -365,6 +365,10 @@ class WP_REST_Terms_Controller extends WP_REST_Controller {
  if ( ! $is_head_request ) {
  $response = array();
  foreach ( $query_result as $term ) {
+ if ( 'edit' === $request['context'] && ! current_user_can( 'edit_term', $term->term_id ) ) {
+ continue;
+ }
+
  $data = $this->prepare_item_for_response( $term, $request );
  $response[] = $this->prepare_response_for_collection( $data );
  }
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
index 78e1b38b1b..dc9dfc81aa 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -220,7 +220,7 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
  if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
  return new WP_Error(
  'rest_forbidden_context',
- __( 'Sorry, you are not allowed to list users.' ),
+ __( 'Sorry, you are not allowed to edit users.' ),
  array( 'status' => rest_authorization_required_code() )
  );
  }
@@ -379,6 +379,10 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
  $users = array();
  foreach ( $query->get_results() as $user ) {
+ if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
+ continue;
+ }
+
  $data = $this->prepare_item_for_response( $user, $request );
  $users[] = $this->prepare_response_for_collection( $data );
  }
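Review bot: The edit-context gate on `$term` is a bare inline `current_user_can( 'edit_term', $term->term_id )` with no comment, and the users collection hunk at `@@ -379` repeats the same shape with `edit_user`, while the posts controller routes the equivalent decision through a `check_update_permission()` helper; either give the terms and users controllers a matching helper or at least say why here: `// In the edit context, only include terms the current user can edit.` Terms and users dropped by the `continue` are presumably still counted in any totals computed outside these hunks, so edit-context pages can come back shorter than advertised. Both enclosing methods begin and end outside their hunks.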
@@ -479,13 +483,15 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
  return true;
  }
- if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
+ if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
  return new WP_Error(
- 'rest_user_cannot_view',
- __( 'Sorry, you are not allowed to list users.' ),
+ 'rest_forbidden_context',
+ __( 'Sorry, you are not allowed to edit this user.' ),
  array( 'status' => rest_authorization_required_code() )
  );
- } elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) {
+ }
+
+ if ( ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) && ! count_user_posts( $user->ID, $types ) ) {
  return new WP_Error(
  'rest_user_cannot_view',
  __( 'Sorry, you are not allowed to list users.' ),
@@ -1086,7 +1092,7 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
  $data['slug'] = $user->user_nicename;
  }
- if ( in_array( 'roles', $fields, true ) ) {
+ if ( in_array( 'roles', $fields, true ) && ( current_user_can( 'list_users' ) || current_user_can( 'edit_user', $user->ID ) ) ) {
  // Defensively call array_values() to ensure an array is returned.
  $data['roles'] = array_values( $user->roles );
  }
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 0eafda0814..52ebbe4e08 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.8.3-alpha-60773';
+$wp_version = '6.8.3-alpha-60817';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
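Review bot: `current_user_can( 'edit_user', $user->ID )` is resolved twice in the two consecutive conditions; hoisting it into a local before the first `if` keeps the two checks visibly in step: `$can_edit_user = current_user_can( 'edit_user', $user->ID );`, `if ( 'edit' === $request['context'] && ! $can_edit_user ) {`, and `if ( ! $can_edit_user && ! current_user_can( 'list_users' ) && ! count_user_posts( $user->ID, $types ) ) {`. The single-item path now returns the `rest_forbidden_context` code that the collection path already used, which the method's docblock should mention if it documents error codes. The enclosing method begins and ends outside the hunk.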
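Review bot: The new capability gate on `$data['roles']` has no comment explaining why `roles` is withheld from a caller who explicitly requested the field; a why-comment above the `if` would save the next reader a trip to the changeset, e.g. `// Roles disclose a user's privilege level, so only expose them to callers who can list or edit users.` The enclosing method begins and ends outside the hunk.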