From 8c9f4f812a06babce363bed70b2ee0a08389cdd1 Mon Sep 17 00:00:00 2001 From: Rachel Baker Date: Thu, 3 Nov 2016 03:16:30 +0000 Subject: [PATCH] REST API: Return a `WP_Error` when a user does not have permission to create or update a post with the provided terms. Add the 'assign_term' check for post create and update. Props boonebgorges, johnbillion. Fixes #38505. Built from https://develop.svn.wordpress.org/trunk@39108 git-svn-id: http://core.svn.wordpress.org/trunk@39050 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- .../class-wp-rest-posts-controller.php | 40 +++++++++++++++++++ wp-includes/version.php | 2 +- 2 files changed, 41 insertions(+), 1 deletion(-) diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php index dfa4b4e7b5..ce5d3d91b8 100644 --- a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php +++ b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php @@ -459,6 +459,10 @@ class WP_REST_Posts_Controller extends WP_REST_Controller { return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new posts.' ), array( 'status' => rest_authorization_required_code() ) ); } + if ( ! $this->check_assign_terms_permission( $request ) ) { + return new WP_Error( 'rest_cannot_assign_term', __( 'You do not have permission to assign the provided terms.' ), array( 'status' => rest_authorization_required_code() ) ); + } + return true; } @@ -592,6 +596,10 @@ class WP_REST_Posts_Controller extends WP_REST_Controller { return new WP_Error( 'rest_cannot_assign_sticky', __( 'You do not have permission to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) ); } + if ( ! $this->check_assign_terms_permission( $request ) ) { + return new WP_Error( 'rest_cannot_assign_term', __( 'You do not have permission to assign the provided terms.' ), array( 'status' => rest_authorization_required_code() ) ); + } + return true; } @@ -1205,6 +1213,38 @@ class WP_REST_Posts_Controller extends WP_REST_Controller { } } + /** + * Checks whether current user can assign all terms sent with the current request. + * + * @since 4.7.0 + * + * @param WP_REST_Request $request The request object with post and terms data. + * @return bool Whether the current user can assign the provided terms. + */ + protected function check_assign_terms_permission( $request ) { + $taxonomies = wp_list_filter( get_object_taxonomies( $this->post_type, 'objects' ), array( 'show_in_rest' => true ) ); + foreach ( $taxonomies as $taxonomy ) { + $base = ! empty( $taxonomy->rest_base ) ? $taxonomy->rest_base : $taxonomy->name; + + if ( ! isset( $request[ $base ] ) ) { + continue; + } + + foreach ( $request[ $base ] as $term_id ) { + // Invalid terms will be rejected later. + if ( ! get_term( $term_id, $taxonomy->name ) ) { + continue; + } + + if ( ! current_user_can( 'assign_term', (int) $term_id ) ) { + return false; + } + } + } + + return true; + } + /** * Checks if a given post type can be viewed or managed. * diff --git a/wp-includes/version.php b/wp-includes/version.php index 55fc21ff35..e4192092aa 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.7-beta1-39107'; +$wp_version = '4.7-beta1-39108'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.