Ticket #38692: 38692.diff
File 38692.diff, 6.2 KB (added by , 4 years ago) |
src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
108 108 foreach ( (array) $request['post'] as $post_id ) { 109 109 $post = get_post( $post_id ); 110 110 111 if ( ! empty( $post_id ) && $post && ! $this->check_read_post_permission( $post ) ) {111 if ( ! empty( $post_id ) && $post && ! $this->check_read_post_permission( $post, $request ) ) { 112 112 return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) ); 113 113 } elseif ( 0 === $post_id && ! current_user_can( 'moderate_comments' ) ) { 114 114 return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to read comments without a post.' ), array( 'status' => rest_authorization_required_code() ) ); … … 242 242 $comments = array(); 243 243 244 244 foreach ( $query_result as $comment ) { 245 if ( ! $this->check_read_permission( $comment ) ) {245 if ( ! $this->check_read_permission( $comment, $request ) ) { 246 246 continue; 247 247 } 248 248 … … 309 309 return true; 310 310 } 311 311 312 if ( ! $this->check_read_permission( $comment) ) {313 return new WP_Error( 'rest_ cannot_read', __( 'Sorry, you are not allowed to read this comment.' ), array( 'status' => rest_authorization_required_code() ) );312 if ( ! empty( $request['context'] ) && 'edit' === $request['context'] && ! current_user_can( 'moderate_comments' ) ) { 313 return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit comments.' ), array( 'status' => rest_authorization_required_code() ) ); 314 314 } 315 315 316 316 $post = get_post( $comment->comment_post_ID ); 317 317 318 if ( $post && ! $this->check_read_post_permission( $post ) ) {319 return new WP_Error( 'rest_cannot_read _post', __( 'Sorry, you are not allowed to read the post forthis comment.' ), array( 'status' => rest_authorization_required_code() ) );318 if ( ! 
$this->check_read_permission( $comment, $request ) ) { 319 return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to read this comment.' ), array( 'status' => rest_authorization_required_code() ) ); 320 320 } 321 321 322 if ( ! empty( $request['context'] ) && 'edit' === $request['context'] && ! current_user_can( 'moderate_comments') ) {323 return new WP_Error( 'rest_ forbidden_context', __( 'Sorry, you are not allowed to edit comments.' ), array( 'status' => rest_authorization_required_code() ) );322 if ( $post && ! $this->check_read_post_permission( $post, $request ) ) { 323 return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) ); 324 324 } 325 325 326 326 return true; … … 433 433 return new WP_Error( 'rest_comment_trash_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) ); 434 434 } 435 435 436 if ( ! $this->check_read_post_permission( $post ) ) {436 if ( ! $this->check_read_post_permission( $post, $request ) ) { 437 437 return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) ); 438 438 } 439 439 … … 1488 1488 * @since 4.7.0 1489 1489 * @access protected 1490 1490 * 1491 * @param WP_Post $post Post Object. 1491 * @param WP_Post $post Post object. 1492 * @param WP_REST_Request $request Request data to check. 1492 1493 * @return bool Whether post can be read. 
1493 1494 */ 1494 protected function check_read_post_permission( $post ) {1495 protected function check_read_post_permission( $post, $request ) { 1495 1496 $posts_controller = new WP_REST_Posts_Controller( $post->post_type ); 1496 1497 $post_type = get_post_type_object( $post->post_type ); 1497 1498 1499 $has_password_filter = false; 1500 1501 if ( $posts_controller->can_access_password_content( $post, $request ) ) { 1502 add_filter( 'post_password_required', '__return_false' ); 1503 1504 $has_password_filter = true; 1505 } 1506 1498 1507 if ( post_password_required( $post ) ) { 1499 return current_user_can( $post_type->cap->edit_post, $post->ID ); 1508 $result = current_user_can( $post_type->cap->edit_post, $post->ID ); 1509 } else { 1510 $result = $posts_controller->check_read_permission( $post ); 1500 1511 } 1501 1512 1502 return $posts_controller->check_read_permission( $post ); 1513 if ( $has_password_filter ) { 1514 remove_filter( 'post_password_required', '__return_false' ); 1515 } 1516 1517 return $result; 1503 1518 } 1504 1519 1505 1520 /** … … 1508 1523 * @since 4.7.0 1509 1524 * @access protected 1510 1525 * 1511 * @param WP_Comment $comment Comment object. 1526 * @param WP_Comment $comment Comment object. 1527 * @param WP_REST_Request $request Request data to check. 1512 1528 * @return bool Whether the comment can be read. 1513 1529 */ 1514 protected function check_read_permission( $comment ) {1530 protected function check_read_permission( $comment, $request ) { 1515 1531 if ( ! empty( $comment->comment_post_ID ) ) { 1516 1532 $post = get_post( $comment->comment_post_ID ); 1517 1533 if ( $post ) { 1518 if ( $this->check_read_post_permission( $post ) && 1 === (int) $comment->comment_approved ) {1534 if ( $this->check_read_post_permission( $post, $request ) && 1 === (int) $comment->comment_approved ) { 1519 1535 return true; 1520 1536 } 1521 1537 } -
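Review bot: The new `check_read_post_permission` body removes the password filter by callback name, so `remove_filter( 'post_password_required', '__return_false' )` at the end would also strip an identical `__return_false` that a plugin registered at the default priority earlier in the request; adding the filter only when `false === has_filter( 'post_password_required', '__return_false' )` (and setting `$has_password_filter` only in that case) keeps the remove symmetric with the add. While the filter is in place it is a process-wide toggle, so every hook that runs inside `$posts_controller->check_read_permission( $post )` sees the post as unprotected — worth a one-line comment above the `add_filter` call, e.g. `// Temporarily treat the post as unprotected; the caller's password was already verified by can_access_password_content().`. The `$request` docblock should also say why the request is needed: `@param WP_REST_Request $request Request data to check; its password parameter, if any, is compared with the post password.` — presumably, since only the empty-password early return of `can_access_password_content()` is visible on this page. Both methods now take `$request` as a required argument, so a subclass still overriding the one-argument form will hit a declaration-compatibility warning; if these controllers have already shipped, a `$request = null` default would be the safer signature.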
src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
383 383 * check in core with a filter. 384 384 * 385 385 * @since 4.7.0 386 * @access p rotected386 * @access public 387 387 * 388 388 * @param WP_Post $post Post to check against. 389 389 * @param WP_REST_Request $request Request data to check. 390 390 * @return bool True if the user can access password-protected content, otherwise false. 391 391 */ 392 p rotectedfunction can_access_password_content( $post, $request ) {392 public function can_access_password_content( $post, $request ) { 393 393 if ( empty( $post->post_password ) ) { 394 394 // No filter required. 395 395 return false;
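Review bot: Widening `can_access_password_content` to public gives it callers outside this class (the comments controller now relies on it for comment visibility), so its docblock should name that dependency so a later change to the password check is known to affect comments too; a `@see WP_REST_Comments_Controller::check_read_post_permission()` line would do. The method's body continues past the hunk, so whether the password comparison itself is constant-time cannot be confirmed from here.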