
Changeset 47361


Timestamp:
02/25/2020 03:18:19 PM (5 years ago)
Author:
kadamwhite
Message:

REST API: Permit access to the themes controller if user can edit any post type.

Check a more exhaustive list of post type editing caps beyond "edit_post" to ensure custom user roles with access to specific post types may still use block editor functionality depending on theme features.

Props miyauchi, TimothyBlynJacobs.
Fixes #46723.

Location:
trunk
Files:
2 edited

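--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-themes-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-themes-controller.php
@@ -59,13 +59,19 @@
      */
     public function get_items_permissions_check( $request ) {
-        if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
-            return new WP_Error(
-                'rest_user_cannot_view',
-                __( 'Sorry, you are not allowed to view themes.' ),
-                array( 'status' => rest_authorization_required_code() )
-            );
+        if ( current_user_can( 'edit_posts' ) ) {
+            return true;
         }
 
-        return true;
+        foreach ( get_post_types( array( 'show_in_rest' => true ), 'objects' ) as $post_type ) {
+            if ( current_user_can( $post_type->cap->edit_posts ) ) {
+                return true;
+            }
+        }
+
+        return new WP_Error(
+            'rest_user_cannot_view',
+            __( 'Sorry, you are not allowed to view themes.' ),
+            array( 'status' => rest_authorization_required_code() )
+        );
     }
 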
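Review bot: The widened rule introduced by the foreach — holding `cap->edit_posts` of any post type registered with `show_in_rest` is enough — is not documented anywhere; the method's docblock closes on the hunk's first line and so sits outside it, and a why-comment above the loop would help, e.g. `// Editing any REST-exposed post type implies block editor access, which needs the active theme's features.` Dropping `is_user_logged_in()` still yields 401 for anonymous callers only because `rest_authorization_required_code()` chooses 401 vs 403 by login state, which the new `test_get_items_logged_out` pins; a short comment on the `WP_Error` noting that dependency would stop a later hard-coded status from silently changing the response. Note also that `current_user_can()` grants `exist` to every user, so a post type (presumably none in core) that maps `edit_posts` to `exist` would satisfy this loop for unauthenticated requests; if that matters here, the former `is_user_logged_in()` guard could be kept in front of the loop.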
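--- a/trunk/tests/phpunit/tests/rest-api/rest-themes-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-themes-controller.php
@@ -157,4 +157,13 @@
 
     /**
+     * @ticket 46723
+     */
+    public function test_get_items_logged_out() {
+        wp_set_current_user( 0 );
+        $response = self::perform_active_theme_request();
+        $this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 );
+    }
+
+    /**
      * An error should be returned when the user does not have the edit_posts capability.
      *
@@ -165,4 +174,16 @@
         $response = self::perform_active_theme_request();
         $this->assertErrorResponse( 'rest_user_cannot_view', $response, 403 );
+    }
+
+    /**
+     * @ticket 46723
+     */
+    public function test_get_item_single_post_type_cap() {
+        $user = self::factory()->user->create_and_get();
+        $user->add_cap( 'edit_pages' );
+        wp_set_current_user( $user->ID );
+
+        $response = self::perform_active_theme_request();
+        $this->assertEquals( 200, $response->get_status() );
     }
 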
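Review bot: `test_get_item_single_post_type_cap` in the second hunk exercises the collection permission check via `perform_active_theme_request()`, the same call the neighbouring `test_get_items_*` tests use, so the `get_item` in its name is misleading; renaming it `test_get_items_single_post_type_cap` keeps the file's naming consistent. The new tests cover only the positive path of the widened rule: nothing asserts that a post type registered with `show_in_rest => false` does not grant access, which is the one branch of the controller change that can fail open, so a companion test registering such a post type and expecting `rest_user_cannot_view` would pin it. The positive test also relies on `create_and_get()` producing a user whose default role lacks `edit_posts` (presumably subscriber); passing the role explicitly, as in the existing no-capability test if it does, would make that assumption visible.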