WordPress.org

Make WordPress Core


Ignore:
Timestamp:
02/25/2020 03:18:19 PM (9 months ago)
Author:
kadamwhite
Message:

REST API: Permit access to the themes controller if user can edit any post type.

Check a more exhaustive list of post type editing caps beyond "edit_post" to ensure custom user roles with access to to specific post types may still use block editor functionality depending on theme features.

Props miyauchi, TimothyBlynJacobs.
Fixes #46723.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-themes-controller.php

    r47258 r47361  
    5959     */
    6060    public function get_items_permissions_check( $request ) {
    61         if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
    62             return new WP_Error(
    63                 'rest_user_cannot_view',
    64                 __( 'Sorry, you are not allowed to view themes.' ),
    65                 array( 'status' => rest_authorization_required_code() )
    66             );
     61        if ( current_user_can( 'edit_posts' ) ) {
     62            return true;
    6763        }
    6864
    69         return true;
     65        foreach ( get_post_types( array( 'show_in_rest' => true ), 'objects' ) as $post_type ) {
     66            if ( current_user_can( $post_type->cap->edit_posts ) ) {
     67                return true;
     68            }
     69        }
     70
     71        return new WP_Error(
     72            'rest_user_cannot_view',
     73            __( 'Sorry, you are not allowed to view themes.' ),
     74            array( 'status' => rest_authorization_required_code() )
     75        );
    7076    }
    7177
Note: See TracChangeset for help on using the changeset viewer.