Changeset 43443 for branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-taxonomies-controller.php

Timestamp:

07/13/2018 06:28:29 AM (7 years ago)

Author:

pento

Message:

REST API: Tweak permission checks for taxonomy and term endpoints

To match behaviour in the Classic Editor, we need to slightly loosen permissions on taxonomy and term endpoints. This allows users to create terms to assign to a post that they're editing.

Merges [43440] to the 4.9 branch.

Props danielbachhuber.
Fixes #44096.

Location:

branches/4.9

Files:

• . (modified) (1 prop)
• src/wp-includes/rest-api/endpoints/class-wp-rest-taxonomies-controller.php (modified) (3 diffs)

branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-taxonomies-controller.php

@@ -81 +81 @@
             }
             foreach ( $taxonomies as $taxonomy ) {
-                if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->manage_terms ) ) {
+                if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->assign_terms ) ) {
                     return true;
                 }
@@ -110 +110 @@
         $data = array();
         foreach ( $taxonomies as $tax_type => $value ) {
-            if ( empty( $value->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $value->cap->manage_terms ) ) ) {
+            if ( empty( $value->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $value->cap->assign_terms ) ) ) {
                 continue;
             }
@@ -142 +142 @@
                 return false;
             }
-            if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->manage_terms ) ) {
+            if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->assign_terms ) ) {
                 return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to manage terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
             }