Upstream/WordPress
1
0
Fork 0
mirror of https://github.com/WordPress/WordPress.git synced 2024-11-14 22:56:19 +01:00
Code Issues Projects Releases Wiki Activity

REST API: Tweak permission checks for taxonomy and term endpoints

Browse Source 
To match behaviour in the Classic Editor, we need to slightly loosen permissions on taxonomy and term endpoints. This allows users to create terms to assign to a post that they're editing.

Props danielbachhuber.
Fixes #44096.


Built from https://develop.svn.wordpress.org/trunk@43440


git-svn-id: http://core.svn.wordpress.org/trunk@43267 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Gary Pendergast 2018-07-13 04:24:25 +00:00
parent 2f803422fa
commit fd6f50e86f
3 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
wp-includes/rest-api/endpoints/class-wp-rest-taxonomies-controller.php
View File

@ -84,7 +84,7 @@ class WP_REST_Taxonomies_Controller extends WP_REST_Controller {
$taxonomies = get_taxonomies( '', 'objects' ); $taxonomies = get_taxonomies( '', 'objects' );
} }
foreach ( $taxonomies as $taxonomy ) { foreach ( $taxonomies as $taxonomy ) {
if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->manage_terms ) ) { if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->assign_terms ) ) {
return true; return true;
} }
} }
@ -113,7 +113,7 @@ class WP_REST_Taxonomies_Controller extends WP_REST_Controller {
} }
$data = array(); $data = array();
foreach ( $taxonomies as $tax_type => $value ) { foreach ( $taxonomies as $tax_type => $value ) {
if ( empty( $value->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $value->cap->manage_terms ) ) ) { if ( empty( $value->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $value->cap->assign_terms ) ) ) {
continue; continue;
} }
$tax = $this->prepare_item_for_response( $value, $request ); $tax = $this->prepare_item_for_response( $value, $request );
@ -145,7 +145,7 @@ class WP_REST_Taxonomies_Controller extends WP_REST_Controller {
if ( empty( $tax_obj->show_in_rest ) ) { if ( empty( $tax_obj->show_in_rest ) ) {
return false; return false;
} }
if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->manage_terms ) ) { if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->assign_terms ) ) {
return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to manage terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to manage terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
} }
} }

5
wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
View File

@ -380,7 +380,10 @@ class WP_REST_Terms_Controller extends WP_REST_Controller {
} }
$taxonomy_obj = get_taxonomy( $this->taxonomy ); $taxonomy_obj = get_taxonomy( $this->taxonomy );
if ( ! current_user_can( $taxonomy_obj->cap->edit_terms ) ) { if ( ( is_taxonomy_hierarchical( $this->taxonomy )
&& ! current_user_can( $taxonomy_obj->cap->edit_terms ) )
|| ( ! is_taxonomy_hierarchical( $this->taxonomy )
&& ! current_user_can( $taxonomy_obj->cap->assign_terms ) ) ) {
return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new terms.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new terms.' ), array( 'status' => rest_authorization_required_code() ) );
} }

2
wp-includes/version.php
View File

@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '5.0-alpha-43439'; $wp_version = '5.0-alpha-43440';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.