Make WordPress Core


Timestamp:
05/23/2020 03:22:53 PM (5 years ago)
Author:
ocean90
Message:

Role/Capability: Use meta caps edit_post, read_post, and delete_post directly.

Rather than consulting the post type object, let map_meta_cap() handle that for us.

Props peterwilsoncc, ocean90.
Fixes #50128.
See #23226.

File:
1 edited

  • trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php

    r47391 r47850  
    110110
    111111        // Attaching media to a post requires ability to edit said post.
    112         if ( ! empty( $request['post'] ) ) {
    113             $parent           = get_post( (int) $request['post'] );
    114             $post_parent_type = get_post_type_object( $parent->post_type );
    115 
    116             if ( ! current_user_can( $post_parent_type->cap->edit_post, $request['post'] ) ) {
    117                 return new WP_Error(
    118                     'rest_cannot_edit',
    119                     __( 'Sorry, you are not allowed to upload media to this post.' ),
    120                     array( 'status' => rest_authorization_required_code() )
    121                 );
    122             }
     112        if ( ! empty( $request['post'] ) && ! current_user_can( 'edit_post', (int) $request['post'] ) ) {
     113            return new WP_Error(
     114                'rest_cannot_edit',
     115                __( 'Sorry, you are not allowed to upload media to this post.' ),
     116                array( 'status' => rest_authorization_required_code() )
     117            );
    123118        }
    124119
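
Review bot: On new line 112, the authorization decision now rests entirely on how map_meta_cap() resolves 'edit_post' for whatever (int) $request['post'] yields, and nothing in this hunk covers the case where that ID has no post behind it. The removed lines called get_post() and read $parent->post_type without checking that a post was returned, so that case was not handled before either. Worth adding a test that uploads with a non-existent parent ID and asserts the 'rest_cannot_edit' error, so the fail-closed behaviour is pinned down. A second test with a parent of a custom post type that defines its own edit capability would confirm the meta cap maps the same way the removed $post_parent_type->cap->edit_post lookup did.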