Make WordPress Core


Ignore:
Timestamp:
01/03/2020 02:26:36 AM (5 years ago)
Author:
SergeyBiryukov
Message:

REST API: Synchronize permission checks in ::get_items_permissions_check() methods for post types, post statuses, and users:

  • Only query post types with 'show_in_rest' => true instead of looping over all post types and checking the show_in_rest property separately.
  • Return from the foreach() loop as soon as the permission check succeeded.

Props pbiron, TimothyBlynJacobs, SergeyBiryukov.
Fixes #49118.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

    r46823 r47034  
    200200
    201201        if ( 'authors' === $request['who'] ) {
    202             $can_view = false;
    203             $types    = get_post_types( array( 'show_in_rest' => true ), 'objects' );
     202            $types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
     203
    204204            foreach ( $types as $type ) {
    205205                if ( post_type_supports( $type->name, 'author' )
    206206                    && current_user_can( $type->cap->edit_posts ) ) {
    207                     $can_view = true;
     207                    return true;
    208208                }
    209209            }
    210             if ( ! $can_view ) {
    211                 return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
    212             }
     210
     211            return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
    213212        }
    214213
Note: See TracChangeset for help on using the changeset viewer.