Context Navigation

← Previous Change
Next Change →

Changeset 43440 for trunk

Timestamp:

07/13/2018 04:23:35 AM (7 years ago)

Author:

pento

Message:

REST API: Tweak permission checks for taxonomy and term endpoints

To match behaviour in the Classic Editor, we need to slightly loosen permissions on taxonomy and term endpoints. This allows users to create terms to assign to a post that they're editing.

Props danielbachhuber.
Fixes #44096.

Location:

trunk

Files:

: 5 edited

src/wp-includes/rest-api/endpoints/class-wp-rest-taxonomies-controller.php (modified) (3 diffs)
src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php (modified) (1 diff)
tests/phpunit/tests/rest-api/rest-categories-controller.php (modified) (3 diffs)
tests/phpunit/tests/rest-api/rest-tags-controller.php (modified) (3 diffs)
tests/phpunit/tests/rest-api/rest-taxonomies-controller.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-taxonomies-controller.php

r43087	r43440
85	85	}
86	86	foreach ( $taxonomies as $taxonomy ) {
87		if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->~~manage~~_terms ) ) {
	87	if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->assign_terms ) ) {
88	88	return true;
89	89	}
…	…
114	114	$data = array();
115	115	foreach ( $taxonomies as $tax_type => $value ) {
116		if ( empty( $value->show_in_rest ) \|\| ( 'edit' === $request['context'] && ! current_user_can( $value->cap->~~manage~~_terms ) ) ) {
	116	if ( empty( $value->show_in_rest ) \|\| ( 'edit' === $request['context'] && ! current_user_can( $value->cap->assign_terms ) ) ) {
117	117	continue;
118	118	}
…	…
146	146	return false;
147	147	}
148		if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->~~manage~~_terms ) ) {
	148	if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->assign_terms ) ) {
149	149	return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to manage terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
150	150	}

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php

-                      r43087
+                      r43440
         $taxonomy_obj = get_taxonomy( $this->taxonomy );
+        if ( ! current_user_can( $taxonomy_obj->cap->edit_terms ) ) {
+        if ( ( is_taxonomy_hierarchical( $this->taxonomy )
+                && ! current_user_can( $taxonomy_obj->cap->edit_terms ) )
+            || ( ! is_taxonomy_hierarchical( $this->taxonomy )
+                && ! current_user_can( $taxonomy_obj->cap->assign_terms ) ) ) {
             return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new terms.' ), array( 'status' => rest_authorization_required_code() ) );
+        }

trunk/tests/phpunit/tests/rest-api/rest-categories-controller.php

-                      r43087
+                      r43440
 class WP_Test_REST_Categories_Controller extends WP_Test_REST_Controller_Testcase {
     protected static $administrator;
+    protected static $contributor;
     protected static $subscriber;
 …
             array(
                 'role' => 'administrator',
+            )
+        );
+        self::$contributor   = $factory->user->create(
+            array(
+                'role' => 'subscriber',
+            )
         );
 …
     public function test_create_item_incorrect_permissions() {
         wp_set_current_user( self::$subscriber );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/categories' );
+        $request->set_param( 'name', 'Incorrect permissions' );
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertErrorResponse( 'rest_cannot_create', $response, 403 );
+    }
+    public function test_create_item_incorrect_permissions_contributor() {
+        wp_set_current_user( self::$contributor );
         $request = new WP_REST_Request( 'POST', '/wp/v2/categories' );
         $request->set_param( 'name', 'Incorrect permissions' );

trunk/tests/phpunit/tests/rest-api/rest-tags-controller.php

-                      r43087
+                      r43440
     protected static $administrator;
     protected static $editor;
+    protected static $contributor;
     protected static $subscriber;
 …
             array(
                 'role' => 'editor',
+            )
+        );
+        self::$contributor   = $factory->user->create(
+            array(
+                'role' => 'contributor',
+            )
         );
 …
     public function test_create_item() {
         wp_set_current_user( self::$administrator );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/tags' );
+        $request->set_param( 'name', 'My Awesome Term' );
+        $request->set_param( 'description', 'This term is so awesome.' );
+        $request->set_param( 'slug', 'so-awesome' );
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertEquals( 201, $response->get_status() );
+        $headers = $response->get_headers();
+        $data    = $response->get_data();
+        $this->assertContains( '/wp/v2/tags/' . $data['id'], $headers['Location'] );
+        $this->assertEquals( 'My Awesome Term', $data['name'] );
+        $this->assertEquals( 'This term is so awesome.', $data['description'] );
+        $this->assertEquals( 'so-awesome', $data['slug'] );
+    }
+    public function test_create_item_contributor() {
+        wp_set_current_user( self::$contributor );
         $request = new WP_REST_Request( 'POST', '/wp/v2/tags' );
         $request->set_param( 'name', 'My Awesome Term' );

trunk/tests/phpunit/tests/rest-api/rest-taxonomies-controller.php

-                      r43087
+                      r43440
     public function test_get_items() {
         $request    = new WP_REST_Request( 'GET', '/wp/v2/taxonomies' );
+        $response   = rest_get_server()->dispatch( $request );
+        $data       = $response->get_data();
+        $taxonomies = $this->get_public_taxonomies( get_taxonomies( '', 'objects' ) );
+        $this->assertEquals( count( $taxonomies ), count( $data ) );
+        $this->assertEquals( 'Categories', $data['category']['name'] );
+        $this->assertEquals( 'category', $data['category']['slug'] );
+        $this->assertEquals( true, $data['category']['hierarchical'] );
+        $this->assertEquals( 'Tags', $data['post_tag']['name'] );
+        $this->assertEquals( 'post_tag', $data['post_tag']['slug'] );
+        $this->assertEquals( false, $data['post_tag']['hierarchical'] );
+        $this->assertEquals( 'tags', $data['post_tag']['rest_base'] );
+    }
+    public function test_get_items_context_edit() {
+        wp_set_current_user( self::$contributor_id );
+        $request    = new WP_REST_Request( 'GET', '/wp/v2/taxonomies' );
+        $request->set_param( 'context', 'edit' );
         $response   = rest_get_server()->dispatch( $request );
         $data       = $response->get_data();

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core