From 547a5006993bbd8181fb11ad26f141eb53365f24 Mon Sep 17 00:00:00 2001
From: Gary Pendergast
Date: Fri, 13 Jul 2018 06:29:25 +0000
Subject: [PATCH] REST API: Tweak permission checks for taxonomy and term endpoints

To match behaviour in the Classic Editor, we need to slightly loosen permissions on taxonomy and term endpoints. This allows users to create terms to assign to a post that they're editing.

Merges [43440] to the 4.9 branch.

Props danielbachhuber.
Fixes #44096.

Built from https://develop.svn.wordpress.org/branches/4.9@43443

git-svn-id: http://core.svn.wordpress.org/branches/4.9@43270 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 .../endpoints/class-wp-rest-taxonomies-controller.php | 6 +++---
 .../rest-api/endpoints/class-wp-rest-terms-controller.php | 5 ++++-
 wp-includes/version.php | 2 +-
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-taxonomies-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-taxonomies-controller.php
index 9720a20945..0af4ec4e97 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-taxonomies-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-taxonomies-controller.php
@@ -80,7 +80,7 @@ class WP_REST_Taxonomies_Controller extends WP_REST_Controller {
 $taxonomies = get_taxonomies( '', 'objects' );
 }
 foreach ( $taxonomies as $taxonomy ) {
- if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->manage_terms ) ) {
+ if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->assign_terms ) ) {
 return true;
 }
 }
@@ -109,7 +109,7 @@ class WP_REST_Taxonomies_Controller extends WP_REST_Controller {
 }
 $data = array();
 foreach ( $taxonomies as $tax_type => $value ) {
- if ( empty( $value->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $value->cap->manage_terms ) ) ) {
+ if ( empty( $value->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $value->cap->assign_terms ) ) ) {
 continue;
 }
 $tax = $this->prepare_item_for_response( $value, $request );
@@ -141,7 +141,7 @@ class WP_REST_Taxonomies_Controller extends WP_REST_Controller {
 if ( empty( $tax_obj->show_in_rest ) ) {
 return false;
 }
- if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->manage_terms ) ) {
+ if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->assign_terms ) ) {
 return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to manage terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
 }
 }
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
index 477df8ba48..3342742b93 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
@@ -376,7 +376,10 @@ class WP_REST_Terms_Controller extends WP_REST_Controller {
 }
 $taxonomy_obj = get_taxonomy( $this->taxonomy );
- if ( ! current_user_can( $taxonomy_obj->cap->edit_terms ) ) {
+ if ( ( is_taxonomy_hierarchical( $this->taxonomy )
+ && ! current_user_can( $taxonomy_obj->cap->edit_terms ) )
+ || ( ! is_taxonomy_hierarchical( $this->taxonomy )
+ && ! current_user_can( $taxonomy_obj->cap->assign_terms ) ) ) {
 return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new terms.' ), array( 'status' => rest_authorization_required_code() ) );
 }
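Review bot: The `rest_forbidden_context` error in `get_item_permissions_check` still says "you are not allowed to manage terms in this taxonomy", but the capability it now gates on is `assign_terms`, so a user who can manage terms but not assign them (a custom role mapping) will get a message that contradicts their actual permission. Consider either matching the wording to the check, e.g. `__( 'Sorry, you are not allowed to edit this taxonomy.' )`, or adding a comment above the condition such as `// Edit context mirrors the Classic Editor: being able to assign terms is enough to see the taxonomy's edit-only fields.` so the next reader does not "fix" the cap back to manage_terms. The function's opening lines, including where `$tax_obj` is obtained and validated, are outside the hunk.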
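Review bot: The loosened check in `create_item_permissions_check` lets any user holding `assign_terms` on a non-hierarchical taxonomy create free-standing terms via `POST`, even though the commit message scopes the intent to "terms to assign to a post that they're editing"; nothing in this hunk ties creation to a post, so a low-privilege account can populate the taxonomy with arbitrary names, slugs and descriptions whether or not it ever edits a post. That is presumably an accepted trade-off to match the Classic Editor, but it deserves an explicit note, since `assign_terms` is typically mapped to a much broader capability than `edit_terms`; confirm that the fields `create_item` accepts (description, slug, meta) carry no additional gating that relied on `edit_terms` — the body of `create_item` is outside the hunk, as is the start of this function. The four-line boolean also reads awkwardly because `is_taxonomy_hierarchical()` is evaluated twice with opposite polarity; resolving the required capability first is clearer and makes the policy greppable: `$required_cap = is_taxonomy_hierarchical( $this->taxonomy ) ? $taxonomy_obj->cap->edit_terms : $taxonomy_obj->cap->assign_terms;` followed by `if ( ! current_user_can( $required_cap ) ) {`, with a comment above it like `// Tags (non-hierarchical) may be created by anyone who can assign them, as in the Classic Editor; hierarchical taxonomies still require edit_terms.`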
diff --git a/wp-includes/version.php b/wp-includes/version.php
index ad72c1e2a9..d259ef2283 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.9.8-alpha-43442';
+$wp_version = '4.9.8-alpha-43443';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.