Make WordPress Core

Changeset 39464 for trunk


Ignore:
Timestamp:
12/03/2016 05:07:03 AM (7 years ago)
Author:
pento
Message:

REST API: Capability check for editing a single term should use the singular form.

As an extra level of sanity checking, the term ID should be cast as an int in map_meta_cap().

Props johnbillion, nacin, dd32, pento.
See #35614.
Fixes #39012.

Location:
trunk/src/wp-includes
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/capabilities.php

    r39179 r39464  
    428428    case 'delete_term':
    429429    case 'assign_term':
    430         $term_id = $args[0];
     430        $term_id = (int) $args[0];
    431431        $term = get_term( $term_id );
    432432        if ( ! $term || is_wp_error( $term ) ) {
  • trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php

    r39460 r39464  
    289289
    290290    /**
    291      * Checks if a request has access to read the specified term.
     291     * Checks if a request has access to read or edit the specified term.
    292292     *
    293293     * @since 4.7.0
     
    302302            return false;
    303303        }
    304         if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->edit_terms ) ) {
    305             return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
     304        if ( 'edit' === $request['context'] && ! current_user_can( 'edit_term', (int) $request['id'] ) ) {
     305            return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit this term.' ), array( 'status' => rest_authorization_required_code() ) );
    306306        }
    307307        return true;
Note: See TracChangeset for help on using the changeset viewer.