REST API: Tweak permission checks for taxonomy and term endpoints

To match behaviour in the Classic Editor, we need to slightly loosen permissions on taxonomy and term endpoints. This allows users to create terms to assign to a post that they're editing.

Props danielbachhuber.
Fixes #44096.


Built from https://develop.svn.wordpress.org/trunk@43440


git-svn-id: http://core.svn.wordpress.org/trunk@43267 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Gary Pendergast 2018-07-13 04:24:25 +00:00
parent 2f803422fa
commit fd6f50e86f
3 changed files with 8 additions and 5 deletions


@ -84,7 +84,7 @@ class WP_REST_Taxonomies_Controller extends WP_REST_Controller {
$taxonomies = get_taxonomies( '', 'objects' ); $taxonomies = get_taxonomies( '', 'objects' );
} }
foreach ( $taxonomies as $taxonomy ) { foreach ( $taxonomies as $taxonomy ) {
if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->manage_terms ) ) { if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->assign_terms ) ) {
return true; return true;
} }
} }
@ -113,7 +113,7 @@ class WP_REST_Taxonomies_Controller extends WP_REST_Controller {
} }
$data = array(); $data = array();
foreach ( $taxonomies as $tax_type => $value ) { foreach ( $taxonomies as $tax_type => $value ) {
if ( empty( $value->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $value->cap->manage_terms ) ) ) { if ( empty( $value->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $value->cap->assign_terms ) ) ) {
continue; continue;
} }
$tax = $this->prepare_item_for_response( $value, $request ); $tax = $this->prepare_item_for_response( $value, $request );
@ -145,7 +145,7 @@ class WP_REST_Taxonomies_Controller extends WP_REST_Controller {
if ( empty( $tax_obj->show_in_rest ) ) { if ( empty( $tax_obj->show_in_rest ) ) {
return false; return false;
} }
if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->manage_terms ) ) { if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->assign_terms ) ) {
return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to manage terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to manage terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
} }
} }
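Review bot: The WP_Error text in the third hunk still tells the caller they are "not allowed to manage terms in this taxonomy", but the check beside it now gates the `edit` context on `assign_terms`, so the message no longer names the capability that was actually denied; either reword it (e.g. `__( 'Sorry, you are not allowed to view this taxonomy in the edit context.' )`) or leave the string and add a comment explaining the mismatch is deliberate. Since this is an intentional loosening rather than a cleanup, each of the three swapped `current_user_can()` calls deserves a why-comment such as `// assign_terms (rather than manage_terms) mirrors what the Classic Editor requires to read taxonomy details while editing a post; see #44096.` — without it a future reader will likely "fix" it back to `manage_terms`. Note that `assign_terms` is presumably mapped to a much broader capability than `manage_terms` (typically a post-editing cap), so whatever `prepare_item_for_response()` emits in the `edit` context — not visible in this hunk — is now readable by that wider audience; worth confirming nothing there is admin-only. The enclosing methods in all three hunks start and end outside the hunks.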


@ -380,7 +380,10 @@ class WP_REST_Terms_Controller extends WP_REST_Controller {
} }
$taxonomy_obj = get_taxonomy( $this->taxonomy ); $taxonomy_obj = get_taxonomy( $this->taxonomy );
if ( ! current_user_can( $taxonomy_obj->cap->edit_terms ) ) { if ( ( is_taxonomy_hierarchical( $this->taxonomy )
&& ! current_user_can( $taxonomy_obj->cap->edit_terms ) )
|| ( ! is_taxonomy_hierarchical( $this->taxonomy )
&& ! current_user_can( $taxonomy_obj->cap->assign_terms ) ) ) {
return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new terms.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new terms.' ), array( 'status' => rest_authorization_required_code() ) );
} }
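Review bot: The new four-line condition calls `is_taxonomy_hierarchical()` twice and reads as a double negative; it is clearer to resolve the required capability first, `$required_cap = is_taxonomy_hierarchical( $this->taxonomy ) ? $taxonomy_obj->cap->edit_terms : $taxonomy_obj->cap->assign_terms;` followed by `if ( ! current_user_can( $required_cap ) ) {`, and to comment why the split exists: `// Non-hierarchical terms (tags) may be created by anyone who can assign them, matching the Classic Editor's on-save tag creation.` The security-relevant difference from the Classic Editor is that this endpoint is a general-purpose create, not a "create while saving a post": if the request schema (outside this hunk) accepts fields such as `description`, `slug`, `parent` or `meta`, a user holding only `assign_terms` can now set them directly on a brand-new term, which the Classic flow presumably never allowed; consider confirming that and, if needed, restricting those args for non-`edit_terms` callers. The error message "you are not allowed to create new terms" is still accurate for both branches. The enclosing `create_item_permissions_check` starts and ends outside the hunk.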


@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '5.0-alpha-43439'; $wp_version = '5.0-alpha-43440';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.