Ticket #46723: 46723.diff

src/wp-includes/rest-api/endpoints/class-wp-rest-themes-controller.php

@@ -58 +58 @@
          * @return true|WP_Error True if the request has read access for the item, otherwise WP_Error object.
          */
         public function get_items_permissions_check( $request ) {
-                if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
+                if ( ! current_user_can( 'edit_posts' ) && ! current_user_can( 'upload_files' ) ) {
                         return new WP_Error(
                                 'rest_user_cannot_view',
                                 __( 'Sorry, you are not allowed to view themes.' ),

tests/phpunit/tests/rest-api/rest-themes-controller.php

@@ -155 +155 @@
                 $this->assertEqualSets( $fields, array_keys( $data[0] ) );
         }
 
+        /**
+         * @ticket 46723
+         */
+        public function test_get_items_logged_out() {
+                wp_set_current_user( 0 );
+                $response = self::perform_active_theme_request();
+                $this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 );
+        }
+
         /**
          * An error should be returned when the user does not have the edit_posts capability.
          *
@@ -166 +175 @@
                 $this->assertErrorResponse( 'rest_user_cannot_view', $response, 403 );
         }
 
+        /**
+         * @ticket 46723
+         */
+        public function test_get_item_upload_files() {
+                $user = self::factory()->user->create_and_get();
+                $user->add_cap( 'upload_files' );
+                wp_set_current_user( $user->ID );
+
+                $response = self::perform_active_theme_request();
+                $this->assertEquals( 200, $response->get_status() );
+        }
+
         /**
          * Test an item is prepared for the response.
          *