
Changeset 39464


Timestamp:
12/03/16 05:07:03 (9 months ago)
Author:
pento
Message:

REST API: Capability check for editing a single term should use the singular form.

As an extra level of sanity checking, the term ID should be cast as an int in map_meta_cap().

Props johnbillion, nacin, dd32, pento.
See #35614.
Fixes #39012.

Location:
trunk/src/wp-includes
Files:
2 edited

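--- a/trunk/src/wp-includes/capabilities.php
+++ b/trunk/src/wp-includes/capabilities.php
@@ -428,5 +428,5 @@
     case 'delete_term':
     case 'assign_term':
-        $term_id = $args[0];
+        $term_id = (int) $args[0];
         $term = get_term( $term_id );
         if ( ! $term || is_wp_error( $term ) ) {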
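Review bot: The `(int)` cast on new line 430 silently turns any non-numeric `$args[0]` — a string such as `'5abc'`, or an object (with a notice) — into some other number, so a malformed value is authorized against a different term rather than rejected; `$term_id = is_numeric( $args[0] ) ? (int) $args[0] : 0;` would instead route such input into the existing `! $term` branch on line 432. This is hedged because the surrounding map_meta_cap() switch, including what that branch does, starts and ends outside the hunk. A short comment like `// Cast defensively: callers may pass the term ID as a string (e.g. from a request).` would record why the cast was added.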
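--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
@@ -289,5 +289,5 @@
 
     /**
-     * Checks if a request has access to read the specified term.
+     * Checks if a request has access to read or edit the specified term.
      *
      * @since 4.7.0
@@ -302,6 +302,6 @@
             return false;
         }
-        if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->edit_terms ) ) {
-            return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
+        if ( 'edit' === $request['context'] && ! current_user_can( 'edit_term', (int) $request['id'] ) ) {
+            return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit this term.' ), array( 'status' => rest_authorization_required_code() ) );
         }
         return true;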
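Review bot: The new check on line 304 switches from the taxonomy-wide `$tax_obj->cap->edit_terms` to the per-term `edit_term` meta capability, but nothing in the hunk records why; a one-line comment such as `// Per-term meta cap: resolved by map_meta_cap() against the term's own taxonomy, not this route's $tax_obj.` would capture the intent, assuming that is how map_meta_cap() resolves it. The `(int) $request['id']` cast is worth a word too, since this changeset also casts inside map_meta_cap(); keeping it here is reasonable defence in depth, but a reader may otherwise take it for a leftover. The enclosing method starts and ends outside the hunk, so whether `$tax_obj` is still used after this change cannot be told from here.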