Changeset 39108

Timestamp:

11/03/2016 03:15:28 AM (8 years ago)

Author:

rachelbaker

Message:

REST API: Return a WP_Error when a user does not have permission to create or update a post with the provided terms.

Add the 'assign_term' check for post create and update.

Props boonebgorges, johnbillion.
Fixes #38505.

Location:

trunk

Files:

• src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php (modified) (3 diffs)
• tests/phpunit/tests/rest-api/rest-posts-controller.php (modified) (3 diffs)

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

@@ -460 +460 @@
         }
 
+        if ( ! $this->check_assign_terms_permission( $request ) ) {
+            return new WP_Error( 'rest_cannot_assign_term', __( 'You do not have permission to assign the provided terms.' ), array( 'status' => rest_authorization_required_code() ) );
+        }
+
         return true;
     }
@@ -591 +595 @@
         if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
             return new WP_Error( 'rest_cannot_assign_sticky', __( 'You do not have permission to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
+        }
+
+        if ( ! $this->check_assign_terms_permission( $request ) ) {
+            return new WP_Error( 'rest_cannot_assign_term', __( 'You do not have permission to assign the provided terms.' ), array( 'status' => rest_authorization_required_code() ) );
         }
 
@@ -1204 +1212 @@
             }
         }
+    }
+
+    /**
+     * Checks whether current user can assign all terms sent with the current request.
+     *
+     * @since 4.7.0
+     *
+     * @param WP_REST_Request $request The request object with post and terms data.
+     * @return bool Whether the current user can assign the provided terms.
+     */
+    protected function check_assign_terms_permission( $request ) {
+        $taxonomies = wp_list_filter( get_object_taxonomies( $this->post_type, 'objects' ), array( 'show_in_rest' => true ) );
+        foreach ( $taxonomies as $taxonomy ) {
+            $base = ! empty( $taxonomy->rest_base ) ? $taxonomy->rest_base : $taxonomy->name;
+
+            if ( ! isset( $request[ $base ] ) ) {
+                continue;
+            }
+
+            foreach ( $request[ $base ] as $term_id ) {
+                // Invalid terms will be rejected later.
+                if ( ! get_term( $term_id, $taxonomy->name ) ) {
+                    continue;
+                }
+
+                if ( ! current_user_can( 'assign_term', (int) $term_id ) ) {
+                    return false;
+                }
+            }
+        }
+
+        return true;
     }
 

trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php

@@ -18 +18 @@
 
     protected static $supported_formats;
+
+    protected $forbidden_cat;
 
     public static function wpSetUpBeforeClass( $factory ) {
@@ -1505 +1507 @@
     }
 
+    /**
+     * @ticket 38505
+     */
+    public function test_create_post_with_categories_that_cannot_be_assigned_by_current_user() {
+        $cats = self::factory()->category->create_many( 2 );
+        $this->forbidden_cat = $cats[1];
+
+        wp_set_current_user( self::$editor_id );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/posts' );
+        $params = $this->set_post_data( array(
+            'password'   => 'testing',
+            'categories' => $cats,
+        ) );
+        $request->set_body_params( $params );
+
+        add_filter( 'map_meta_cap', array( $this, 'revoke_assign_term' ), 10, 4 );
+        $response = $this->server->dispatch( $request );
+        remove_filter( 'map_meta_cap', array( $this, 'revoke_assign_term' ), 10, 4 );
+
+        $this->assertErrorResponse( 'rest_cannot_assign_term', $response, 403 );
+    }
+
+    public function revoke_assign_term( $caps, $cap, $user_id, $args ) {
+        if ( 'assign_term' === $cap && isset( $args[0] ) && $this->forbidden_cat == $args[0] ) {
+            $caps = array( 'do_not_allow' );
+        }
+        return $caps;
+    }
+
     public function test_update_item() {
         wp_set_current_user( self::$editor_id );
@@ -1949 +1980 @@
         $new_data = $response->get_data();
         $this->assertEquals( array(), $new_data['categories'] );
+    }
+
+    /**
+     * @ticket 38505
+     */
+    public function test_update_post_with_categories_that_cannot_be_assigned_by_current_user() {
+        $cats = self::factory()->category->create_many( 2 );
+        $this->forbidden_cat = $cats[1];
+
+        wp_set_current_user( self::$editor_id );
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/posts/%d', self::$post_id ) );
+        $params = $this->set_post_data( array(
+            'password'   => 'testing',
+            'categories' => $cats,
+        ) );
+        $request->set_body_params( $params );
+
+        add_filter( 'map_meta_cap', array( $this, 'revoke_assign_term' ), 10, 4 );
+        $response = $this->server->dispatch( $request );
+        remove_filter( 'map_meta_cap', array( $this, 'revoke_assign_term' ), 10, 4 );
+
+        $this->assertErrorResponse( 'rest_cannot_assign_term', $response, 403 );
     }