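--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-themes-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-themes-controller.php
@@ -58,15 +58,21 @@ class WP_REST_Themes_Controller extends WP_REST_Controller {
 * @return true|WP_Error True if the request has read access for the item, otherwise WP_Error object.
 */
 public function get_items_permissions_check( $request ) {
-if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
-return new WP_Error(
-'rest_user_cannot_view',
-__( 'Sorry, you are not allowed to view themes.' ),
-array( 'status' => rest_authorization_required_code() )
-);
+if ( current_user_can( 'edit_posts' ) ) {
+return true;
 }
 
-return true;
+foreach ( get_post_types( array( 'show_in_rest' => true ), 'objects' ) as $post_type ) {
+if ( current_user_can( $post_type->cap->edit_posts ) ) {
+return true;
+}
+}
+
+return new WP_Error(
+'rest_user_cannot_view',
+__( 'Sorry, you are not allowed to view themes.' ),
+array( 'status' => rest_authorization_required_code() )
+);
 }
 
 /**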
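Review bot: The new `foreach` at new lines 65–69 widens who may read theme data from `edit_posts` holders to anyone holding the edit capability of any post type registered with `show_in_rest`, and nothing in the hunk records why that is acceptable; a plugin post type that maps `cap->edit_posts` to a broad capability would silently extend that exposure. I would add a comment above the loop, e.g. `// Users who can edit any REST-exposed post type (presumably for the editor) also need theme data; accept the edit cap of any such type.`, and amend the `@return` description at new line 58 to say access is granted to users who can edit posts of any REST-exposed post type. Dropping the explicit `is_user_logged_in()` guard looks safe because `current_user_can()` is false for anonymous requests and `rest_authorization_required_code()` then yields the 401 the new test expects, though that depends on those helpers rather than on anything visible in this hunk. The class continues outside the hunk.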
diff --git a/tests/phpunit/tests/rest-api/rest-themes-controller.php b/tests/phpunit/tests/rest-api/rest-themes-controller.php
index 931b479572..0da8553ad9 100644
class WP_Test_REST_Themes_Controller extends WP_Test_REST_Controller_Testcase { |
| 155 | 155 | $this->assertEqualSets( $fields, array_keys( $data[0] ) ); |
| 156 | 156 | } |
| 157 | 157 | |
| | 158 | /** |
| | 159 | * @ticket 46723 |
| | 160 | */ |
| | 161 | public function test_get_items_logged_out() { |
| | 162 | wp_set_current_user( 0 ); |
| | 163 | $response = self::perform_active_theme_request(); |
| | 164 | $this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 ); |
| | 165 | } |
| | 166 | |
| 158 | 167 | /** |
| 159 | 168 | * An error should be returned when the user does not have the edit_posts capability. |
| 160 | 169 | * |
| … |
… |
class WP_Test_REST_Themes_Controller extends WP_Test_REST_Controller_Testcase { |
| 166 | 175 | $this->assertErrorResponse( 'rest_user_cannot_view', $response, 403 ); |
| 167 | 176 | } |
| 168 | 177 | |
| | 178 | /** |
| | 179 | * @ticket 46723 |
| | 180 | */ |
| | 181 | public function test_get_item_single_post_type_cap() { |
| | 182 | $user = self::factory()->user->create_and_get(); |
| | 183 | $user->add_cap( 'edit_pages' ); |
| | 184 | wp_set_current_user( $user->ID ); |
| | 185 | |
| | 186 | $response = self::perform_active_theme_request(); |
| | 187 | $this->assertEquals( 200, $response->get_status() ); |
| | 188 | } |
| | 189 | |
| 169 | 190 | /** |
| 170 | 191 | * Test an item is prepared for the response. |
| 171 | 192 | * |