WordPress.org

Make WordPress Core

Changeset 50114


Ignore:
Timestamp:
01/31/2021 07:02:30 PM (8 months ago)
Author:
TimothyBlynJacobs
Message:

App Passwords: Introduce fine grained capabilities.

Previously, all permission checks for using app passwords were implemented using edit_user. This commit introduces a series of more fine grained meta capabilities that should be used instead: create_app_password, list_app_passwords, read_app_password, edit_app_password, delete_app_password and delete_app_passwords. These capabilities all map to edit_user by default, but may now be customized by developers.

Props johnbillion, TimothyBlynJacobs.
Fixes #51703.

Location:
trunk
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/capabilities.php

    r49936 r50114  
    593593            $caps[] = is_multisite() ? 'manage_network' : 'manage_options';
    594594            break;
     595        case 'create_app_password':
     596        case 'list_app_passwords':
     597        case 'read_app_password':
     598        case 'edit_app_password':
     599        case 'delete_app_passwords':
     600        case 'delete_app_password':
     601            $caps = map_meta_cap( 'edit_user', $user_id, $args[0] );
     602            break;
    595603        default:
    596604            // Handle meta capabilities for custom post types.
  • trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php

    r50065 r50114  
    111111     */
    112112    public function get_items_permissions_check( $request ) {
    113         return $this->do_permissions_check( $request );
     113        $user = $this->get_user( $request );
     114
     115        if ( is_wp_error( $user ) ) {
     116            return $user;
     117        }
     118
     119        if ( ! current_user_can( 'list_app_passwords', $user->ID ) ) {
     120            return new WP_Error(
     121                'rest_cannot_list_application_passwords',
     122                __( 'Sorry, you are not allowed to list application passwords for this user.' ),
     123                array( 'status' => rest_authorization_required_code() )
     124            );
     125        }
     126
     127        return true;
    114128    }
    115129
     
    150164     */
    151165    public function get_item_permissions_check( $request ) {
    152         return $this->do_permissions_check( $request );
     166        $user = $this->get_user( $request );
     167
     168        if ( is_wp_error( $user ) ) {
     169            return $user;
     170        }
     171
     172        if ( ! current_user_can( 'read_app_password', $user->ID, $request['uuid'] ) ) {
     173            return new WP_Error(
     174                'rest_cannot_read_application_password',
     175                __( 'Sorry, you are not allowed to read this application password.' ),
     176                array( 'status' => rest_authorization_required_code() )
     177            );
     178        }
     179
     180        return true;
    153181    }
    154182
     
    180208     */
    181209    public function create_item_permissions_check( $request ) {
    182         return $this->do_permissions_check( $request );
     210        $user = $this->get_user( $request );
     211
     212        if ( is_wp_error( $user ) ) {
     213            return $user;
     214        }
     215
     216        if ( ! current_user_can( 'create_app_password', $user->ID ) ) {
     217            return new WP_Error(
     218                'rest_cannot_create_application_passwords',
     219                __( 'Sorry, you are not allowed to create application passwords for this user.' ),
     220                array( 'status' => rest_authorization_required_code() )
     221            );
     222        }
     223
     224        return true;
    183225    }
    184226
     
    249291     */
    250292    public function update_item_permissions_check( $request ) {
    251         return $this->do_permissions_check( $request );
     293        $user = $this->get_user( $request );
     294
     295        if ( is_wp_error( $user ) ) {
     296            return $user;
     297        }
     298
     299        if ( ! current_user_can( 'edit_app_password', $user->ID, $request['uuid'] ) ) {
     300            return new WP_Error(
     301                'rest_cannot_edit_application_password',
     302                __( 'Sorry, you are not allowed to edit this application password.' ),
     303                array( 'status' => rest_authorization_required_code() )
     304            );
     305        }
     306
     307        return true;
    252308    }
    253309
     
    309365     */
    310366    public function delete_items_permissions_check( $request ) {
    311         return $this->do_permissions_check( $request );
     367        $user = $this->get_user( $request );
     368
     369        if ( is_wp_error( $user ) ) {
     370            return $user;
     371        }
     372
     373        if ( ! current_user_can( 'delete_app_passwords', $user->ID ) ) {
     374            return new WP_Error(
     375                'rest_cannot_delete_application_passwords',
     376                __( 'Sorry, you are not allowed to delete application passwords for this user.' ),
     377                array( 'status' => rest_authorization_required_code() )
     378            );
     379        }
     380
     381        return true;
    312382    }
    313383
     
    350420     */
    351421    public function delete_item_permissions_check( $request ) {
    352         return $this->do_permissions_check( $request );
     422        $user = $this->get_user( $request );
     423
     424        if ( is_wp_error( $user ) ) {
     425            return $user;
     426        }
     427
     428        if ( ! current_user_can( 'delete_app_password', $user->ID, $request['uuid'] ) ) {
     429            return new WP_Error(
     430                'rest_cannot_delete_application_password',
     431                __( 'Sorry, you are not allowed to delete this application password.' ),
     432                array( 'status' => rest_authorization_required_code() )
     433            );
     434        }
     435
     436        return true;
    353437    }
    354438
     
    458542     *
    459543     * @since 5.6.0
     544     * @deprecated 5.7.0 Use `edit_user` directly or one of the specific meta capabilities introduced in 5.7.0.
    460545     *
    461546     * @param WP_REST_Request $request
     
    463548     */
    464549    protected function do_permissions_check( $request ) {
     550        _deprecated_function( __METHOD__, '5.7.0' );
     551
    465552        $user = $this->get_user( $request );
    466553
  • trunk/tests/phpunit/tests/rest-api/rest-application-passwords-controller.php

    r50065 r50114  
    191191
    192192        $response = rest_do_request( sprintf( '/wp/v2/users/%d/application-passwords', self::$admin ) );
    193         $this->assertErrorResponse( 'rest_cannot_manage_application_passwords', $response, 403 );
     193        $this->assertErrorResponse( 'rest_cannot_list_application_passwords', $response, 403 );
    194194    }
    195195
     
    273273        $uuid     = $item['uuid'];
    274274        $response = rest_do_request( sprintf( '/wp/v2/users/%d/application-passwords/%s', self::$admin, $uuid ) );
    275         $this->assertErrorResponse( 'rest_cannot_manage_application_passwords', $response, 403 );
     275        $this->assertErrorResponse( 'rest_cannot_read_application_password', $response, 403 );
    276276    }
    277277
     
    395395        $request->set_body_params( array( 'name' => 'App' ) );
    396396        $response = rest_do_request( $request );
    397         $this->assertErrorResponse( 'rest_cannot_manage_application_passwords', $response, 403 );
     397        $this->assertErrorResponse( 'rest_cannot_create_application_passwords', $response, 403 );
    398398    }
    399399
     
    501501        $request->set_body_params( array( 'name' => 'New App' ) );
    502502        $response = rest_do_request( $request );
    503         $this->assertErrorResponse( 'rest_cannot_manage_application_passwords', $response, 403 );
     503        $this->assertErrorResponse( 'rest_cannot_edit_application_password', $response, 403 );
    504504    }
    505505
     
    644644        $request  = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d/application-passwords/%s', self::$admin, $uuid ) );
    645645        $response = rest_do_request( $request );
    646         $this->assertErrorResponse( 'rest_cannot_manage_application_passwords', $response, 403 );
     646        $this->assertErrorResponse( 'rest_cannot_delete_application_password', $response, 403 );
    647647    }
    648648
     
    748748        $request  = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d/application-passwords', self::$admin ) );
    749749        $response = rest_do_request( $request );
    750         $this->assertErrorResponse( 'rest_cannot_manage_application_passwords', $response, 403 );
     750        $this->assertErrorResponse( 'rest_cannot_delete_application_passwords', $response, 403 );
    751751    }
    752752
  • trunk/tests/phpunit/tests/user/capabilities.php

    r49932 r50114  
    523523            $expected['edit_user_meta'],
    524524            $expected['delete_user_meta'],
    525             $expected['add_user_meta']
     525            $expected['add_user_meta'],
     526            $expected['create_app_password'],
     527            $expected['list_app_passwords'],
     528            $expected['read_app_password'],
     529            $expected['edit_app_password'],
     530            $expected['delete_app_passwords'],
     531            $expected['delete_app_password']
    526532        );
    527533
Note: See TracChangeset for help on using the changeset viewer.