REST API: Increase the specificity of capability checks for collections when the edit context is in use.

Edit access is now taken into account for each individual post, term, or user in the response.

Merges [60814] into the 6.8 branch.

Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, rmccue, timothyblynjacobs, vortfu, whyisjake, zieladam.
Built from https://develop.svn.wordpress.org/branches/6.8@60817


git-svn-id: http://core.svn.wordpress.org/branches/6.8@60153 1a063a9b-81f0-0310-95a4-ce76da25c4cd
John Blackbourn
2025-09-30 16:52:31 +00:00
parent 2231a1345d
commit e441ff0338
4 changed files with 24 additions and 8 deletions


@@ -463,7 +463,13 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
} }
foreach ( $query_result as $post ) { foreach ( $query_result as $post ) {
if ( ! $this->check_read_permission( $post ) ) { if ( 'edit' === $request['context'] ) {
$permission = $this->check_update_permission( $post );
} else {
$permission = $this->check_read_permission( $post );
}
if ( ! $permission ) {
continue; continue;
} }
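Review bot: The new `$permission` branch at the top of the loop has no comment saying why the edit context needs a per-post update check on top of the collection-level permission check, so a reader cannot tell whether dropping readable-but-uneditable posts is intentional. I would add above the `if ( 'edit' === $request['context'] ) {` line: `// In the edit context only posts the current user can edit are returned; readable posts the user cannot edit are skipped.` Separately, if the `X-WP-Total`/`X-WP-TotalPages` headers further down in get_items are still derived from the unfiltered query count, edit-context pages can now hold fewer items than `per_page` while the totals still count the skipped posts; the same consideration applies to the new per-term and per-user `continue` checks in the terms and users collection loops of this commit. The enclosing get_items method begins and ends outside the hunk.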


@@ -365,6 +365,10 @@ class WP_REST_Terms_Controller extends WP_REST_Controller {
if ( ! $is_head_request ) { if ( ! $is_head_request ) {
$response = array(); $response = array();
foreach ( $query_result as $term ) { foreach ( $query_result as $term ) {
if ( 'edit' === $request['context'] && ! current_user_can( 'edit_term', $term->term_id ) ) {
continue;
}
$data = $this->prepare_item_for_response( $term, $request ); $data = $this->prepare_item_for_response( $term, $request );
$response[] = $this->prepare_response_for_collection( $data ); $response[] = $this->prepare_response_for_collection( $data );
} }
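Review bot: The inline `'edit' === $request['context'] && ! current_user_can( 'edit_term', $term->term_id )` test is undocumented, and its relationship to the capability already required by get_items_permissions_check (which is outside the hunk, so I cannot confirm what it gates) is not visible here. I would add above it: `// Edit context exposes data only term editors may see; skip terms the current user cannot edit even though the taxonomy-level check passed.` If the single-item get_item_permissions_check applies the same `edit_term` test, a brief note that the two are meant to stay in sync would help future maintainers. The enclosing get_items method begins and ends outside the hunk.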


@@ -220,7 +220,7 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) { if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
return new WP_Error( return new WP_Error(
'rest_forbidden_context', 'rest_forbidden_context',
__( 'Sorry, you are not allowed to list users.' ), __( 'Sorry, you are not allowed to edit users.' ),
array( 'status' => rest_authorization_required_code() ) array( 'status' => rest_authorization_required_code() )
); );
} }
@@ -379,6 +379,10 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
$users = array(); $users = array();
foreach ( $query->get_results() as $user ) { foreach ( $query->get_results() as $user ) {
if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
continue;
}
$data = $this->prepare_item_for_response( $user, $request ); $data = $this->prepare_item_for_response( $user, $request );
$users[] = $this->prepare_response_for_collection( $data ); $users[] = $this->prepare_response_for_collection( $data );
} }
@@ -479,13 +483,15 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
return true; return true;
} }
if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) { if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
return new WP_Error( return new WP_Error(
'rest_user_cannot_view', 'rest_forbidden_context',
__( 'Sorry, you are not allowed to list users.' ), __( 'Sorry, you are not allowed to edit this user.' ),
array( 'status' => rest_authorization_required_code() ) array( 'status' => rest_authorization_required_code() )
); );
} elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) { }
if ( ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) && ! count_user_posts( $user->ID, $types ) ) {
return new WP_Error( return new WP_Error(
'rest_user_cannot_view', 'rest_user_cannot_view',
__( 'Sorry, you are not allowed to list users.' ), __( 'Sorry, you are not allowed to list users.' ),
@@ -1086,7 +1092,7 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
$data['slug'] = $user->user_nicename; $data['slug'] = $user->user_nicename;
} }
if ( in_array( 'roles', $fields, true ) ) { if ( in_array( 'roles', $fields, true ) && ( current_user_can( 'list_users' ) || current_user_can( 'edit_user', $user->ID ) ) ) {
// Defensively call array_values() to ensure an array is returned. // Defensively call array_values() to ensure an array is returned.
$data['roles'] = array_values( $user->roles ); $data['roles'] = array_values( $user->roles );
} }
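Review bot: The reordered view check at `if ( ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) && ! count_user_posts( $user->ID, $types ) )` now evaluates the capability checks before `count_user_posts()`, but nothing records that this order is deliberate; I would add above it `// Capability checks first: count_user_posts() queries the database and is only needed as the fallback for users without edit_user or list_users.` Turning the former `elseif` into a separate `if` preserves behaviour here because the edit-context branch returns, but the single-item edit-context denial now reports `rest_forbidden_context` instead of `rest_user_cannot_view`, which clients matching on the old code will notice and which deserves a mention in the dev note. The added `list_users`/`edit_user` gate on the `roles` field in prepare_item_for_response appears to be a second line of defence for other paths that build an edit-context user response; a one-line comment saying so would keep it from being removed later as redundant with the new per-user checks. The surrounding methods start and end outside the hunks.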


@@ -16,7 +16,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '6.8.3-alpha-60773'; $wp_version = '6.8.3-alpha-60817';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.