- Timestamp:
- 11/23/2016 04:14:08 PM (7 years ago)
- File:
-
- 1 edited
trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
r39348 r39349 70 70 'args' => array( 71 71 'context' => $this->get_context_param( array( 'default' => 'view' ) ), 72 'password' => array( 73 'description' => __( 'The password for the post if it is password protected.' ), 74 'type' => 'string', 75 ), 72 76 ), 73 77 ), … … 88 92 'description' => __( 'Whether to bypass trash and force deletion.' ), 89 93 ), 94 'password' => array( 95 'description' => __( 'The password for the post if it is password protected.' ), 96 'type' => 'string', 97 ), 90 98 ), 91 99 ), … … 109 117 $post = get_post( $post_id ); 110 118 111 if ( ! empty( $post_id ) && $post && ! $this->check_read_post_permission( $post ) ) {119 if ( ! empty( $post_id ) && $post && ! $this->check_read_post_permission( $post, $request ) ) { 112 120 return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) ); 113 121 } elseif ( 0 === $post_id && ! current_user_can( 'moderate_comments' ) ) { … … 243 251 244 252 foreach ( $query_result as $comment ) { 245 if ( ! $this->check_read_permission( $comment ) ) {253 if ( ! $this->check_read_permission( $comment, $request ) ) { 246 254 continue; 247 255 } … … 310 318 } 311 319 312 if ( ! $this->check_read_permission( $comment ) ) {313 return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to read this comment.' ), array( 'status' => rest_authorization_required_code() ) );314 }315 316 $post = get_post( $comment->comment_post_ID );317 318 if ( $post && ! $this->check_read_post_permission( $post ) ) {319 return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) );320 }321 322 320 if ( ! empty( $request['context'] ) && 'edit' === $request['context'] && ! 
current_user_can( 'moderate_comments' ) ) { 323 321 return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit comments.' ), array( 'status' => rest_authorization_required_code() ) ); 322 } 323 324 $post = get_post( $comment->comment_post_ID ); 325 326 if ( ! $this->check_read_permission( $comment, $request ) ) { 327 return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to read this comment.' ), array( 'status' => rest_authorization_required_code() ) ); 328 } 329 330 if ( $post && ! $this->check_read_post_permission( $post, $request ) ) { 331 return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) ); 324 332 } 325 333 … … 434 442 } 435 443 436 if ( ! $this->check_read_post_permission( $post ) ) {444 if ( ! $this->check_read_post_permission( $post, $request ) ) { 437 445 return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) ); 438 446 } … … 1411 1419 'type' => 'string', 1412 1420 'validate_callback' => 'rest_validate_request_arg', 1421 ); 1422 1423 $query_params['password'] = array( 1424 'description' => __( 'The password for the post if it is password protected.' ), 1425 'type' => 'string', 1413 1426 ); 1414 1427 … … 1482 1495 * @access protected 1483 1496 * 1484 * @param WP_Post $post Post Object. 1497 * @param WP_Post $post Post object. 1498 * @param WP_REST_Request $request Request data to check. 1485 1499 * @return bool Whether post can be read. 
1486 1500 */ 1487 protected function check_read_post_permission( $post ) {1501 protected function check_read_post_permission( $post, $request ) { 1488 1502 $posts_controller = new WP_REST_Posts_Controller( $post->post_type ); 1489 1503 $post_type = get_post_type_object( $post->post_type ); 1490 1504 1505 $has_password_filter = false; 1506 1507 // Only check password if a specific post was queried for or a single comment 1508 $requested_post = ! empty( $request['post'] ) && 1 === count( $request['post'] ); 1509 $requested_comment = ! empty( $request['id'] ); 1510 if ( ( $requested_post || $requested_comment ) && $posts_controller->can_access_password_content( $post, $request ) ) { 1511 add_filter( 'post_password_required', '__return_false' ); 1512 1513 $has_password_filter = true; 1514 } 1515 1491 1516 if ( post_password_required( $post ) ) { 1492 return current_user_can( $post_type->cap->edit_post, $post->ID ); 1493 } 1494 1495 return $posts_controller->check_read_permission( $post ); 1517 $result = current_user_can( $post_type->cap->edit_post, $post->ID ); 1518 } else { 1519 $result = $posts_controller->check_read_permission( $post ); 1520 } 1521 1522 if ( $has_password_filter ) { 1523 remove_filter( 'post_password_required', '__return_false' ); 1524 } 1525 1526 return $result; 1496 1527 } 1497 1528 … … 1502 1533 * @access protected 1503 1534 * 1504 * @param WP_Comment $comment Comment object. 1535 * @param WP_Comment $comment Comment object. 1536 * @param WP_REST_Request $request Request data to check. 1505 1537 * @return bool Whether the comment can be read. 1506 1538 */ 1507 protected function check_read_permission( $comment ) {1539 protected function check_read_permission( $comment, $request ) { 1508 1540 if ( ! 
empty( $comment->comment_post_ID ) ) { 1509 1541 $post = get_post( $comment->comment_post_ID ); 1510 1542 if ( $post ) { 1511 if ( $this->check_read_post_permission( $post ) && 1 === (int) $comment->comment_approved ) {1543 if ( $this->check_read_post_permission( $post, $request ) && 1 === (int) $comment->comment_approved ) { 1512 1544 return true; 1513 1545 }
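Review bot: In check_read_post_permission(), `1 === count( $request['post'] )` assumes the `post` parameter is always an array, yet the same helper now also receives `$request` from the call at new line 445, which appears to be a path where `post` is a single ID (not confirmed from the visible lines). `count()` on a scalar raises a warning on PHP 7.2+ and a TypeError on PHP 8, so the password gate should check the type explicitly: `$requested_post = ! empty( $request['post'] ) && ( ! is_array( $request['post'] ) || 1 === count( $request['post'] ) );`. Separately, the gate is lifted by adding `__return_false` to the global `post_password_required` filter, so the matching `remove_filter()` should be guaranteed to run, for example from a `finally` block. Otherwise an early exit between the two calls would leave password-protected content unlocked for the rest of the request. The inline comment above `$requested_post` could also say why a multi-post collection query never honours the password.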