
Changeset 47034


Timestamp:
01/03/2020 02:26:36 AM (9 months ago)
Author:
SergeyBiryukov
Message:

REST API: Synchronize permission checks in ::get_items_permissions_check() methods for post types, post statuses, and users:

  • Only query post types with 'show_in_rest' => true instead of looping over all post types and checking the show_in_rest property separately.
  • Return from the foreach() loop as soon as the permission check succeeded.

Props pbiron, TimothyBlynJacobs, SergeyBiryukov.
Fixes #49118.

Location:
trunk/src/wp-includes/rest-api/endpoints
Files:
3 edited

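--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-post-statuses-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-post-statuses-controller.php
@@ -90,4 +90,5 @@
                 }
             }
+
             return new WP_Error( 'rest_cannot_view', __( 'Sorry, you are not allowed to manage post statuses.' ), array( 'status' => rest_authorization_required_code() ) );
         }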
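--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-post-types-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-post-types-controller.php
@@ -82,6 +82,8 @@
     public function get_items_permissions_check( $request ) {
         if ( 'edit' === $request['context'] ) {
-            foreach ( get_post_types( array(), 'object' ) as $post_type ) {
-                if ( ! empty( $post_type->show_in_rest ) && current_user_can( $post_type->cap->edit_posts ) ) {
+            $types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
+
+            foreach ( $types as $type ) {
+                if ( current_user_can( $type->cap->edit_posts ) ) {
                     return true;
                 }
@@ -103,13 +105,14 @@
      */
     public function get_items( $request ) {
-        $data = array();
-
-        foreach ( get_post_types( array(), 'object' ) as $obj ) {
-            if ( empty( $obj->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $obj->cap->edit_posts ) ) ) {
+        $data  = array();
+        $types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
+
+        foreach ( $types as $type ) {
+            if ( 'edit' === $request['context'] && ! current_user_can( $type->cap->edit_posts ) ) {
                 continue;
             }
 
-            $post_type          = $this->prepare_item_for_response( $obj, $request );
-            $data[ $obj->name ] = $this->prepare_response_for_collection( $post_type );
+            $post_type           = $this->prepare_item_for_response( $type, $request );
+            $data[ $type->name ] = $this->prepare_response_for_collection( $post_type );
         }
 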
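Review bot: The permission check and `get_items()` now depend on building the same `$types` list, so a user is granted the `edit` context by `get_items_permissions_check()` on the strength of one editable type and `get_items()` then filters per type with the same `edit_posts` test; that coupling is correct today but is enforced only by the two `get_post_types( array( 'show_in_rest' => true ), 'objects' )` calls being edited together, and a one-line comment on the `$types` line of `get_items()`, `// Must stay in sync with the query in get_items_permissions_check().`, makes the dependency visible. The `show_in_rest => true` filter argument is matched inside `get_post_types()` rather than by the previous `! empty()` test; for a boolean `show_in_rest` the two should agree, but post types registered with a non-boolean value are worth confirming against the list-filter semantics. As a point of style, the loop in `get_items()` re-evaluates `'edit' === $request['context']` for every type; hoisting it to `$edit_context = 'edit' === $request['context'];` before the loop and using `if ( $edit_context && ! current_user_can( $type->cap->edit_posts ) ) {` keeps the per-type work to the capability check. Both methods continue outside the hunks shown.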
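--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -200,15 +200,14 @@
 
         if ( 'authors' === $request['who'] ) {
-            $can_view = false;
-            $types    = get_post_types( array( 'show_in_rest' => true ), 'objects' );
+            $types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
+
             foreach ( $types as $type ) {
                 if ( post_type_supports( $type->name, 'author' )
                     && current_user_can( $type->cap->edit_posts ) ) {
-                    $can_view = true;
+                    return true;
                 }
             }
-            if ( ! $can_view ) {
-                return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
-            }
+
+            return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
         }
 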
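Review bot: The new `return true;` inside the foreach is a behavioural change, not just a simplification: the old `$can_view` flag only suppressed the `rest_forbidden_who` error and then fell through to whatever checks follow the `'authors' === $request['who']` block, whereas the new code now exits the method with success from inside that block. That is only safe if nothing after this block can still deny the request; the start of `get_items_permissions_check()` is outside this section, so it cannot be confirmed here that the `who` block is the method's final check, and it is worth verifying before merging so the `who=authors` branch does not become a way around a later denial. If it is the last check, a short comment on the `return true;` line, `// Editing any REST-exposed, author-supporting post type is enough to list authors.`, documents why the early exit is intentional and warns anyone adding a later check to place it above this block.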