REST API: Tweak permission checks for taxonomy and term endpoints

To match behaviour in the Classic Editor, we need to slightly loosen permissions on taxonomy and term endpoints. This allows users to create terms to assign to a post that they're editing.

Merges [43440] to the 4.9 branch.

Props danielbachhuber.
Fixes #44096.


Built from https://develop.svn.wordpress.org/branches/4.9@43443


git-svn-id: http://core.svn.wordpress.org/branches/4.9@43270 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Gary Pendergast 2018-07-13 06:29:25 +00:00
parent d802d709c7
commit 547a500699
3 changed files with 8 additions and 5 deletions


@ -80,7 +80,7 @@ class WP_REST_Taxonomies_Controller extends WP_REST_Controller {
$taxonomies = get_taxonomies( '', 'objects' ); $taxonomies = get_taxonomies( '', 'objects' );
} }
foreach ( $taxonomies as $taxonomy ) { foreach ( $taxonomies as $taxonomy ) {
if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->manage_terms ) ) { if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->assign_terms ) ) {
return true; return true;
} }
} }
@ -109,7 +109,7 @@ class WP_REST_Taxonomies_Controller extends WP_REST_Controller {
} }
$data = array(); $data = array();
foreach ( $taxonomies as $tax_type => $value ) { foreach ( $taxonomies as $tax_type => $value ) {
if ( empty( $value->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $value->cap->manage_terms ) ) ) { if ( empty( $value->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $value->cap->assign_terms ) ) ) {
continue; continue;
} }
$tax = $this->prepare_item_for_response( $value, $request ); $tax = $this->prepare_item_for_response( $value, $request );
@ -141,7 +141,7 @@ class WP_REST_Taxonomies_Controller extends WP_REST_Controller {
if ( empty( $tax_obj->show_in_rest ) ) { if ( empty( $tax_obj->show_in_rest ) ) {
return false; return false;
} }
if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->manage_terms ) ) { if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->assign_terms ) ) {
return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to manage terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to manage terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
} }
} }
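Review bot: The denial message `'Sorry, you are not allowed to manage terms in this taxonomy.'` in the single-item hunk no longer matches the check in front of it, which now tests `$tax_obj->cap->assign_terms`, so a user refused here is told about the wrong capability. If the 4.9 branch can take a new translatable string, `__( 'Sorry, you are not allowed to assign terms in this taxonomy.' )` fixes it; if point releases must not add strings, a comment such as `// Wording predates the switch to assign_terms; kept to avoid a new string in a minor release.` should at least record the mismatch. The list hunk applies the same relaxation to the `edit` context, so whatever prepare_item_for_response emits for that context is now readable by anyone who can assign terms — intended per the commit message, but worth confirming nothing in that payload was meant only for users who can manage terms. All three enclosing methods start outside the visible hunks.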


@ -376,7 +376,10 @@ class WP_REST_Terms_Controller extends WP_REST_Controller {
} }
$taxonomy_obj = get_taxonomy( $this->taxonomy ); $taxonomy_obj = get_taxonomy( $this->taxonomy );
if ( ! current_user_can( $taxonomy_obj->cap->edit_terms ) ) { if ( ( is_taxonomy_hierarchical( $this->taxonomy )
&& ! current_user_can( $taxonomy_obj->cap->edit_terms ) )
|| ( ! is_taxonomy_hierarchical( $this->taxonomy )
&& ! current_user_can( $taxonomy_obj->cap->assign_terms ) ) ) {
return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new terms.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new terms.' ), array( 'status' => rest_authorization_required_code() ) );
} }
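Review bot: For non-hierarchical taxonomies the new condition lets a caller holding only `assign_terms` pass the create check, and nothing in this hunk limits which request fields such a caller may set; if the create path outside the hunk accepts `description`, `slug` or term meta (as this controller's schema normally does — not visible here), the Classic Editor parity the commit aims for is exceeded, since there a user who merely assigns a new tag supplies only its name. Consider rejecting those fields when the caller lacks `edit_terms`, or documenting that the wider surface is accepted. Separately, the four-line boolean calls `is_taxonomy_hierarchical()` twice and is hard to read; `$required_cap = is_taxonomy_hierarchical( $this->taxonomy ) ? $taxonomy_obj->cap->edit_terms : $taxonomy_obj->cap->assign_terms;` followed by `if ( ! current_user_can( $required_cap ) ) {` expresses the same rule in two lines and gives a natural place for a comment explaining why hierarchical taxonomies keep the stricter capability. The enclosing method (presumably the create permission check, given the `rest_cannot_create` code) starts outside the hunk.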


@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.9.8-alpha-43442'; $wp_version = '4.9.8-alpha-43443';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.