
Changeset 43440


Timestamp:
07/13/2018 04:23:35 AM (17 months ago)
Author:
pento
Message:

REST API: Tweak permission checks for taxonomy and term endpoints

To match behaviour in the Classic Editor, we need to slightly loosen permissions on taxonomy and term endpoints. This allows users to create terms to assign to a post that they're editing.

Props danielbachhuber.
Fixes #44096.

Location:
trunk
Files:
5 edited

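--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-taxonomies-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-taxonomies-controller.php
@@ -85,5 +85,5 @@
             }
             foreach ( $taxonomies as $taxonomy ) {
-                if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->manage_terms ) ) {
+                if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->assign_terms ) ) {
                     return true;
                 }
@@ -114,5 +114,5 @@
         $data = array();
         foreach ( $taxonomies as $tax_type => $value ) {
-            if ( empty( $value->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $value->cap->manage_terms ) ) ) {
+            if ( empty( $value->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $value->cap->assign_terms ) ) ) {
                 continue;
             }
@@ -146,5 +146,5 @@
                 return false;
             }
-            if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->manage_terms ) ) {
+            if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->assign_terms ) ) {
                 return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to manage terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
             }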
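Review bot: The same manage_terms → assign_terms substitution is made three times (new lines 87, 116 and 148) with no comment, and the gate at line 148 is the one that decides who may read a taxonomy in the edit context, so a future reader has nothing in the code telling them the looser capability is deliberate rather than a slip. Since this is an authorization boundary, put the rationale from the commit message next to at least the get_item check: `// assign_terms, not manage_terms: users who can assign terms to a post they edit need the edit-context taxonomy data (matches the Classic Editor).` The rest_forbidden_context message on the following line still says "manage terms" while the condition now tests assign_terms; consider aligning the wording if a string change is acceptable to translators. The enclosing methods all start outside these hunks.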
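--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
@@ -381,5 +381,8 @@
 
         $taxonomy_obj = get_taxonomy( $this->taxonomy );
-        if ( ! current_user_can( $taxonomy_obj->cap->edit_terms ) ) {
+        if ( ( is_taxonomy_hierarchical( $this->taxonomy )
+                && ! current_user_can( $taxonomy_obj->cap->edit_terms ) )
+            || ( ! is_taxonomy_hierarchical( $this->taxonomy )
+                && ! current_user_can( $taxonomy_obj->cap->assign_terms ) ) ) {
             return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new terms.' ), array( 'status' => rest_authorization_required_code() ) );
         }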
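Review bot: The four-line condition at new lines 383–386 calls is_taxonomy_hierarchical() twice and expresses a single choice of capability as two negated conjunctions joined by `||`, which is easy to misread at an authorization check. Select the capability first and keep the test on one line: `// Non-hierarchical terms (tags) are created on the fly when assigned, so assign_terms suffices; hierarchical taxonomies still need edit_terms.` followed by `$required_cap = is_taxonomy_hierarchical( $this->taxonomy ) ? $taxonomy_obj->cap->edit_terms : $taxonomy_obj->cap->assign_terms;` and `if ( ! current_user_can( $required_cap ) ) {`. Note that for non-hierarchical taxonomies this endpoint now lets anyone holding assign_terms create terms without any post being edited, which the commit message presents as intentional Classic Editor parity; the comment above records that so it is not tightened or loosened by accident later. The enclosing create_item_permissions_check starts before this hunk.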
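--- a/trunk/tests/phpunit/tests/rest-api/rest-categories-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-categories-controller.php
@@ -13,4 +13,5 @@
 class WP_Test_REST_Categories_Controller extends WP_Test_REST_Controller_Testcase {
     protected static $administrator;
+    protected static $contributor;
     protected static $subscriber;
 
@@ -19,4 +20,9 @@
             array(
                 'role' => 'administrator',
+            )
+        );
+        self::$contributor   = $factory->user->create(
+            array(
+                'role' => 'subscriber',
             )
         );
@@ -721,4 +727,12 @@
     public function test_create_item_incorrect_permissions() {
         wp_set_current_user( self::$subscriber );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/categories' );
+        $request->set_param( 'name', 'Incorrect permissions' );
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertErrorResponse( 'rest_cannot_create', $response, 403 );
+    }
+
+    public function test_create_item_incorrect_permissions_contributor() {
+        wp_set_current_user( self::$contributor );
         $request = new WP_REST_Request( 'POST', '/wp/v2/categories' );
         $request->set_param( 'name', 'Incorrect permissions' );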
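Review bot: The new self::$contributor fixture is created with `'role' => 'subscriber'` (new line 26), so test_create_item_incorrect_permissions_contributor runs as a second subscriber and does not prove that a contributor is still refused category creation, which is exactly the hierarchical edit_terms path the terms controller now depends on. The sibling tags test class in this changeset creates its contributor with the contributor role; change the line to `'role' => 'contributor',`. Without this the test would keep passing even if the hierarchical branch regressed to assign_terms. The contributor test's body continues past the hunk.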
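--- a/trunk/tests/phpunit/tests/rest-api/rest-tags-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-tags-controller.php
@@ -14,4 +14,5 @@
     protected static $administrator;
     protected static $editor;
+    protected static $contributor;
     protected static $subscriber;
 
@@ -31,4 +32,9 @@
             array(
                 'role' => 'editor',
+            )
+        );
+        self::$contributor   = $factory->user->create(
+            array(
+                'role' => 'contributor',
             )
         );
@@ -611,4 +617,20 @@
     public function test_create_item() {
         wp_set_current_user( self::$administrator );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/tags' );
+        $request->set_param( 'name', 'My Awesome Term' );
+        $request->set_param( 'description', 'This term is so awesome.' );
+        $request->set_param( 'slug', 'so-awesome' );
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertEquals( 201, $response->get_status() );
+        $headers = $response->get_headers();
+        $data    = $response->get_data();
+        $this->assertContains( '/wp/v2/tags/' . $data['id'], $headers['Location'] );
+        $this->assertEquals( 'My Awesome Term', $data['name'] );
+        $this->assertEquals( 'This term is so awesome.', $data['description'] );
+        $this->assertEquals( 'so-awesome', $data['slug'] );
+    }
+
+    public function test_create_item_contributor() {
+        wp_set_current_user( self::$contributor );
         $request = new WP_REST_Request( 'POST', '/wp/v2/tags' );
         $request->set_param( 'name', 'My Awesome Term' );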
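Review bot: test_create_item_contributor repeats the request construction of test_create_item line for line rather than sharing it, so the two will drift the next time the request shape changes; a small private helper taking the acting user id, or a data provider over the roles that should succeed, would keep the positive cases in one place. The part that matters for this changeset, the status and fields asserted for the contributor, lies past the end of the hunk and cannot be checked here. Both method bodies continue outside the hunk.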
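--- a/trunk/tests/phpunit/tests/rest-api/rest-taxonomies-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-taxonomies-controller.php
@@ -50,4 +50,21 @@
     public function test_get_items() {
         $request    = new WP_REST_Request( 'GET', '/wp/v2/taxonomies' );
+        $response   = rest_get_server()->dispatch( $request );
+        $data       = $response->get_data();
+        $taxonomies = $this->get_public_taxonomies( get_taxonomies( '', 'objects' ) );
+        $this->assertEquals( count( $taxonomies ), count( $data ) );
+        $this->assertEquals( 'Categories', $data['category']['name'] );
+        $this->assertEquals( 'category', $data['category']['slug'] );
+        $this->assertEquals( true, $data['category']['hierarchical'] );
+        $this->assertEquals( 'Tags', $data['post_tag']['name'] );
+        $this->assertEquals( 'post_tag', $data['post_tag']['slug'] );
+        $this->assertEquals( false, $data['post_tag']['hierarchical'] );
+        $this->assertEquals( 'tags', $data['post_tag']['rest_base'] );
+    }
+
+    public function test_get_items_context_edit() {
+        wp_set_current_user( self::$contributor_id );
+        $request    = new WP_REST_Request( 'GET', '/wp/v2/taxonomies' );
+        $request->set_param( 'context', 'edit' );
         $response   = rest_get_server()->dispatch( $request );
         $data       = $response->get_data();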
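Review bot: The new test_get_items_context_edit only exercises the allow side of the loosened gate (a contributor requesting context=edit); nothing visible pins the lower bound, i.e. that a user without assign_terms still gets no edit-context taxonomy data from get_items and rest_forbidden_context from get_item. A companion test using a subscriber fixture, asserting an empty collection for `/wp/v2/taxonomies?context=edit` and a 403 for `/wp/v2/taxonomies/category?context=edit`, would catch a future regression that drops the capability check entirely. The fixture self::$contributor_id is not declared in this hunk and the other test classes in this changeset name theirs self::$contributor — confirm it exists in this class's setup. The new method's assertions continue past the hunk.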