Context Navigation

← Previous Changeset
Next Changeset →

Changeset 60814

Timestamp:

09/30/2025 03:49:18 PM (8 weeks ago)

Author:

johnbillion

Message:

REST API: Increase the specificity of capability checks for collections when the edit context is in use.

The edit access in now taken into account for each individual post, term, or user in the response.

Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, rmccue, timothyblynjacobs, vortfu, whyisjake, zieladam.

Location:

trunk

Files:

: 4 edited

src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php (modified) (1 diff)
src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php (modified) (1 diff)
src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php (modified) (4 diffs)
tests/phpunit/tests/rest-api/rest-users-controller.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

-                      r60197
+                      r60814
             foreach ( $query_result as $post ) {
+                if ( ! $this->check_read_permission( $post ) ) {
+                if ( 'edit' === $request['context'] ) {
+                    $permission = $this->check_update_permission( $post );
+                } else {
+                    $permission = $this->check_read_permission( $post );
+                }
+                if ( ! $permission ) {
                     continue;
+                }

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php

-                      r59970
+                      r60814
             $response = array();
             foreach ( $query_result as $term ) {
+                if ( 'edit' === $request['context'] && ! current_user_can( 'edit_term', $term->term_id ) ) {
+                    continue;
+                }
                 $data       = $this->prepare_item_for_response( $term, $request );
                 $response[] = $this->prepare_response_for_collection( $data );

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

-                      r59970
+                      r60814
             return new WP_Error(
                 'rest_forbidden_context',
                 __( 'Sorry, you are not allowed to list users.' ),
+                __( 'Sorry, you are not allowed to edit users.' ),
                 array( 'status' => rest_authorization_required_code() )
             );
 …
             foreach ( $query->get_results() as $user ) {
+                if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
+                    continue;
+                }
                 $data    = $this->prepare_item_for_response( $user, $request );
                 $users[] = $this->prepare_response_for_collection( $data );
 …
+        }
         if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
             return new WP_Error(
                 'rest_user_cannot_view',
                 __( 'Sorry, you are not allowed to list users.' ),
+        if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
+            return new WP_Error(
+                'rest_forbidden_context',
+                __( 'Sorry, you are not allowed to edit this user.' ),
                 array( 'status' => rest_authorization_required_code() )
             );
+        } elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) {
+        }
+        if ( ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) && ! count_user_posts( $user->ID, $types ) ) {
             return new WP_Error(
                 'rest_user_cannot_view',
 …
+        }
         if ( in_array( 'roles', $fields, true ) ) {
+        if ( in_array( 'roles', $fields, true ) && ( current_user_can( 'list_users' ) || current_user_can( 'edit_user', $user->ID ) ) ) {
             // Defensively call array_values() to ensure an array is returned.
             $data['roles'] = array_values( $user->roles );

trunk/tests/phpunit/tests/rest-api/rest-users-controller.php

r60251	r60814
1314	1314	$request->set_param( 'context', 'edit' );
1315	1315	$response = rest_get_server()->dispatch( $request );
1316		$this->assertErrorResponse( 'rest_~~user_cannot_view~~', $response, 401 );
	1316	$this->assertErrorResponse( 'rest_forbidden_context', $response, 401 );
1317	1317	}
1318	1318

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core