Timestamp:
02/25/2020 03:18:19 PM (9 months ago)
Author:
kadamwhite
Message:

REST API: Permit access to the themes controller if user can edit any post type.

Check a more exhaustive list of post type editing caps beyond "edit_post" to ensure custom user roles with access to specific post types may still use block editor functionality depending on theme features.

Props miyauchi, TimothyBlynJacobs.
Fixes #46723.

File:
1 edited

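--- a/trunk/tests/phpunit/tests/rest-api/rest-themes-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-themes-controller.php
@@ -157,4 +157,13 @@
 
     /**
+     * @ticket 46723
+     */
+    public function test_get_items_logged_out() {
+        wp_set_current_user( 0 );
+        $response = self::perform_active_theme_request();
+        $this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 );
+    }
+
+    /**
      * An error should be returned when the user does not have the edit_posts capability.
      *
@@ -165,4 +174,16 @@
         $response = self::perform_active_theme_request();
         $this->assertErrorResponse( 'rest_user_cannot_view', $response, 403 );
+    }
+
+    /**
+     * @ticket 46723
+     */
+    public function test_get_item_single_post_type_cap() {
+        $user = self::factory()->user->create_and_get();
+        $user->add_cap( 'edit_pages' );
+        wp_set_current_user( $user->ID );
+
+        $response = self::perform_active_theme_request();
+        $this->assertEquals( 200, $response->get_status() );
     }
 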
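Review bot: `test_get_item_single_post_type_cap` exercises the relaxed permission check only with the built-in `edit_pages` cap, while the commit message is about custom roles tied to specific post types. A second case that registers a post type with its own capability type and grants only that type's edit cap would pin the scenario the change is meant to allow, and keeps the set of accepted caps explicit in the tests. The deny side rests on the existing 403 test, whose body lies partly outside the visible hunks, so it is worth confirming that it runs as a user holding no post-type edit cap at all. `assertSame( 200, ... )` would also avoid the loose comparison of `assertEquals`. The post type name in the sketch below is a constructed example.

```php
/**
 * A user holding only a custom post type's edit cap may read the active theme.
 *
 * @ticket 46723
 */
public function test_get_item_custom_post_type_cap() {
    // Constructed post type; its edit_posts cap resolves to edit_wptests_books.
    register_post_type(
        'wptests_book',
        array(
            'show_in_rest'    => true,
            'capability_type' => 'wptests_book',
            'map_meta_cap'    => true,
        )
    );

    $user = self::factory()->user->create_and_get();
    $user->add_cap( 'edit_wptests_books' );
    wp_set_current_user( $user->ID );

    $response = self::perform_active_theme_request();
    $this->assertSame( 200, $response->get_status() );
}
```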