
Changeset 43443


Timestamp:
07/13/2018 06:28:29 AM (6 years ago)
Author:
pento
Message:

REST API: Tweak permission checks for taxonomy and term endpoints

To match behaviour in the Classic Editor, we need to slightly loosen permissions on taxonomy and term endpoints. This allows users to create terms to assign to a post that they're editing.

Merges [43440] to the 4.9 branch.

Props danielbachhuber.
Fixes #44096.

Location:
branches/4.9
Files:
6 edited


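--- a/branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-taxonomies-controller.php
+++ b/branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-taxonomies-controller.php
@@ -81,5 +81,5 @@
 			}
 			foreach ( $taxonomies as $taxonomy ) {
-				if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->manage_terms ) ) {
+				if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->assign_terms ) ) {
 					return true;
 				}
@@ -110,5 +110,5 @@
 		$data = array();
 		foreach ( $taxonomies as $tax_type => $value ) {
-			if ( empty( $value->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $value->cap->manage_terms ) ) ) {
+			if ( empty( $value->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $value->cap->assign_terms ) ) ) {
 				continue;
 			}
@@ -142,5 +142,5 @@
 				return false;
 			}
-			if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->manage_terms ) ) {
+			if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->assign_terms ) ) {
 				return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to manage terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
 			}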
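Review bot: The `rest_forbidden_context` message at line 145 still tells the caller they are not allowed to *manage* terms, but the check on new line 144 now tests `assign_terms`, so the text no longer names the capability that was actually denied; `__( 'Sorry, you are not allowed to view this taxonomy in the edit context.' )` or similar would match the new check. The same relaxation from `manage_terms` to `assign_terms` is made at new lines 83 and 112 without a comment, and since `assign_terms` maps to `edit_posts` by default for the built-in taxonomies this opens the taxonomies' `edit` context to contributors — the intent here, but easy to "tighten" back by accident; a why-comment at line 83 such as `// assign_terms is enough: a user editing a post needs the taxonomy's edit-context data, as in the Classic Editor.` would record that. The enclosing permission-check and item methods all start and end outside these hunks.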
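--- a/branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
+++ b/branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
@@ -377,5 +377,8 @@
 
 		$taxonomy_obj = get_taxonomy( $this->taxonomy );
-		if ( ! current_user_can( $taxonomy_obj->cap->edit_terms ) ) {
+		if ( ( is_taxonomy_hierarchical( $this->taxonomy )
+				&& ! current_user_can( $taxonomy_obj->cap->edit_terms ) )
+			|| ( ! is_taxonomy_hierarchical( $this->taxonomy )
+				&& ! current_user_can( $taxonomy_obj->cap->assign_terms ) ) ) {
 			return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new terms.' ), array( 'status' => rest_authorization_required_code() ) );
 		}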
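Review bot: The new condition at lines 379–382 calls `is_taxonomy_hierarchical()` twice and spreads one rule over four lines, and nothing says why flat and hierarchical taxonomies are treated differently; picking the capability first is shorter and gives the why-comment a home: `// Flat taxonomies (tags) may be created by anyone who can assign them, as in the Classic Editor; hierarchical ones still need edit_terms.`, `$required_cap = is_taxonomy_hierarchical( $this->taxonomy ) ? $taxonomy_obj->cap->edit_terms : $taxonomy_obj->cap->assign_terms;`, `if ( ! current_user_can( $required_cap ) ) {`. Because `assign_terms` is `edit_posts` by default, after this change any contributor can create tags through the API; the update and delete checks for terms are outside this hunk and presumably keep `edit_terms`/`delete_terms`, which the comment should state so the asymmetry reads as intentional. The enclosing method (the create permission check, judging by `rest_cannot_create`) starts and ends outside the hunk.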
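--- a/branches/4.9/tests/phpunit/tests/rest-api/rest-categories-controller.php
+++ b/branches/4.9/tests/phpunit/tests/rest-api/rest-categories-controller.php
@@ -13,13 +13,23 @@
 class WP_Test_REST_Categories_Controller extends WP_Test_REST_Controller_Testcase {
 	protected static $administrator;
+	protected static $contributor;
 	protected static $subscriber;
 
 	public static function wpSetUpBeforeClass( $factory ) {
-		self::$administrator = $factory->user->create( array(
-			'role' => 'administrator',
-		) );
-		self::$subscriber = $factory->user->create( array(
-			'role' => 'subscriber',
-		) );
+		self::$administrator = $factory->user->create(
+			array(
+				'role' => 'administrator',
+			)
+		);
+		self::$contributor   = $factory->user->create(
+			array(
+				'role' => 'subscriber',
+			)
+		);
+		self::$subscriber    = $factory->user->create(
+			array(
+				'role' => 'subscriber',
+			)
+		);
 	}
 
@@ -654,4 +664,12 @@
 	}
 
+	public function test_create_item_incorrect_permissions_contributor() {
+		wp_set_current_user( self::$contributor );
+		$request = new WP_REST_Request( 'POST', '/wp/v2/categories' );
+		$request->set_param( 'name', 'Incorrect permissions' );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertErrorResponse( 'rest_cannot_create', $response, 403 );
+	}
+
 	public function test_create_item_missing_arguments() {
 		wp_set_current_user( self::$administrator );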
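Review bot: `self::$contributor` is created with `'role' => 'subscriber'` at new line 26, so `test_create_item_incorrect_permissions_contributor` (new lines 666–672) runs as a subscriber and passes for the wrong reason — a subscriber lacks `assign_terms` as well — while the case this changeset needs covered, a real contributor being refused on the hierarchical `category` taxonomy because `assign_terms` alone is no longer enough, is never exercised. Change line 26 to `'role' => 'contributor',`, as the tags test in this same changeset does. A `/** @ticket 44096 */` docblock on the new test would also tie it to the behaviour it guards.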
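--- a/branches/4.9/tests/phpunit/tests/rest-api/rest-tags-controller.php
+++ b/branches/4.9/tests/phpunit/tests/rest-api/rest-tags-controller.php
@@ -14,20 +14,34 @@
 	protected static $administrator;
 	protected static $editor;
+	protected static $contributor;
 	protected static $subscriber;
 
 	public static function wpSetUpBeforeClass( $factory ) {
-		self::$superadmin = $factory->user->create( array(
-			'role'       => 'administrator',
-			'user_login' => 'superadmin',
-		) );
-		self::$administrator = $factory->user->create( array(
-			'role' => 'administrator',
-		) );
-		self::$editor = $factory->user->create( array(
-			'role' => 'editor',
-		) );
-		self::$subscriber = $factory->user->create( array(
-			'role' => 'subscriber',
-		) );
+		self::$superadmin    = $factory->user->create(
+			array(
+				'role'       => 'administrator',
+				'user_login' => 'superadmin',
+			)
+		);
+		self::$administrator = $factory->user->create(
+			array(
+				'role' => 'administrator',
+			)
+		);
+		self::$editor        = $factory->user->create(
+			array(
+				'role' => 'editor',
+			)
+		);
+		self::$contributor   = $factory->user->create(
+			array(
+				'role' => 'contributor',
+			)
+		);
+		self::$subscriber    = $factory->user->create(
+			array(
+				'role' => 'subscriber',
+			)
+		);
 		if ( is_multisite() ) {
 			update_site_option( 'site_admins', array( 'superadmin' ) );
@@ -556,4 +570,20 @@
 		$headers = $response->get_headers();
 		$data = $response->get_data();
+		$this->assertContains( '/wp/v2/tags/' . $data['id'], $headers['Location'] );
+		$this->assertEquals( 'My Awesome Term', $data['name'] );
+		$this->assertEquals( 'This term is so awesome.', $data['description'] );
+		$this->assertEquals( 'so-awesome', $data['slug'] );
+	}
+
+	public function test_create_item_contributor() {
+		wp_set_current_user( self::$contributor );
+		$request = new WP_REST_Request( 'POST', '/wp/v2/tags' );
+		$request->set_param( 'name', 'My Awesome Term' );
+		$request->set_param( 'description', 'This term is so awesome.' );
+		$request->set_param( 'slug', 'so-awesome' );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertEquals( 201, $response->get_status() );
+		$headers = $response->get_headers();
+		$data    = $response->get_data();
 		$this->assertContains( '/wp/v2/tags/' . $data['id'], $headers['Location'] );
 		$this->assertEquals( 'My Awesome Term', $data['name'] );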
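Review bot: `test_create_item_contributor` (new line 578 onward) has no docblock linking it to the ticket, and its body is a line-for-line copy of the test above it except for the user it sets; add `/** @ticket 44096 */` above it, and consider moving the request/assertion sequence into a private helper that both tests call after `wp_set_current_user()`. There is also no negative check in this hunk that a user without `assign_terms` (for example `self::$subscriber`) is still refused on `/wp/v2/tags`; presumably an existing incorrect-permissions test elsewhere in the file covers that, but it is worth confirming since this commit is what lowers the bar for creation. The new test continues past the end of the hunk.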
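--- a/branches/4.9/tests/phpunit/tests/rest-api/rest-taxonomies-controller.php
+++ b/branches/4.9/tests/phpunit/tests/rest-api/rest-taxonomies-controller.php
@@ -52,4 +52,21 @@
 		$response = $this->server->dispatch( $request );
 		$data = $response->get_data();
+		$taxonomies = $this->get_public_taxonomies( get_taxonomies( '', 'objects' ) );
+		$this->assertEquals( count( $taxonomies ), count( $data ) );
+		$this->assertEquals( 'Categories', $data['category']['name'] );
+		$this->assertEquals( 'category', $data['category']['slug'] );
+		$this->assertEquals( true, $data['category']['hierarchical'] );
+		$this->assertEquals( 'Tags', $data['post_tag']['name'] );
+		$this->assertEquals( 'post_tag', $data['post_tag']['slug'] );
+		$this->assertEquals( false, $data['post_tag']['hierarchical'] );
+		$this->assertEquals( 'tags', $data['post_tag']['rest_base'] );
+	}
+
+	public function test_get_items_context_edit() {
+		wp_set_current_user( self::$contributor_id );
+		$request    = new WP_REST_Request( 'GET', '/wp/v2/taxonomies' );
+		$request->set_param( 'context', 'edit' );
+		$response   = rest_get_server()->dispatch( $request );
+		$data       = $response->get_data();
 		$taxonomies = $this->get_public_taxonomies( get_taxonomies( '', 'objects' ) );
 		$this->assertEquals( count( $taxonomies ), count( $data ) );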
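Review bot: `test_get_items_context_edit` (new line 65 onward) never checks that the request succeeded: if the permission check returned a `WP_Error`, `$data` would be the error payload and the count assertion on line 72 would fail with a confusing message or pass by coincidence; add `$this->assertEquals( 200, $response->get_status() );` right after line 69. It also reads `self::$contributor_id`, which is neither declared nor initialised in this hunk — presumably `wpSetUpBeforeClass` in this file gains it, but that is not visible here. Both this test and the one whose assertions occupy new lines 54–63 start or end outside the hunk.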