Changeset 47361 for trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-themes-controller.php

Timestamp:

02/25/2020 03:18:19 PM (4 years ago)

Author:

kadamwhite

Message:

REST API: Permit access to the themes controller if user can edit any post type.

Check a more exhaustive list of post type editing caps beyond "edit_post" to ensure custom user roles with access to to specific post types may still use block editor functionality depending on theme features.

Props miyauchi, TimothyBlynJacobs.
Fixes #46723.

File:

• trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-themes-controller.php (modified) (1 diff)

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-themes-controller.php

@@ -59 +59 @@
      */
     public function get_items_permissions_check( $request ) {
-        if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
-            return new WP_Error(
-                'rest_user_cannot_view',
-                __( 'Sorry, you are not allowed to view themes.' ),
-                array( 'status' => rest_authorization_required_code() )
-            );
+        if ( current_user_can( 'edit_posts' ) ) {
+            return true;
         }
 
-        return true;
+        foreach ( get_post_types( array( 'show_in_rest' => true ), 'objects' ) as $post_type ) {
+            if ( current_user_can( $post_type->cap->edit_posts ) ) {
+                return true;
+            }
+        }
+
+        return new WP_Error(
+            'rest_user_cannot_view',
+            __( 'Sorry, you are not allowed to view themes.' ),
+            array( 'status' => rest_authorization_required_code() )
+        );
     }