

Timestamp:
01/31/2021 07:02:30 PM (4 years ago)
Author:
TimothyBlynJacobs
Message:

App Passwords: Introduce fine grained capabilities.

Previously, all permission checks for using app passwords were implemented using edit_user. This commit introduces a series of more fine-grained meta capabilities that should be used instead: create_app_password, list_app_passwords, read_app_password, edit_app_password, delete_app_password and delete_app_passwords. These capabilities all map to edit_user by default, but may now be customized by developers.

Props johnbillion, TimothyBlynJacobs.
Fixes #51703.

File:
1 edited

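--- a/trunk/tests/phpunit/tests/rest-api/rest-application-passwords-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-application-passwords-controller.php
@@ -191,5 +191,5 @@
 
         $response = rest_do_request( sprintf( '/wp/v2/users/%d/application-passwords', self::$admin ) );
-        $this->assertErrorResponse( 'rest_cannot_manage_application_passwords', $response, 403 );
+        $this->assertErrorResponse( 'rest_cannot_list_application_passwords', $response, 403 );
     }
 
@@ -273,5 +273,5 @@
         $uuid     = $item['uuid'];
         $response = rest_do_request( sprintf( '/wp/v2/users/%d/application-passwords/%s', self::$admin, $uuid ) );
-        $this->assertErrorResponse( 'rest_cannot_manage_application_passwords', $response, 403 );
+        $this->assertErrorResponse( 'rest_cannot_read_application_password', $response, 403 );
     }
 
@@ -395,5 +395,5 @@
         $request->set_body_params( array( 'name' => 'App' ) );
         $response = rest_do_request( $request );
-        $this->assertErrorResponse( 'rest_cannot_manage_application_passwords', $response, 403 );
+        $this->assertErrorResponse( 'rest_cannot_create_application_passwords', $response, 403 );
     }
 
@@ -501,5 +501,5 @@
         $request->set_body_params( array( 'name' => 'New App' ) );
         $response = rest_do_request( $request );
-        $this->assertErrorResponse( 'rest_cannot_manage_application_passwords', $response, 403 );
+        $this->assertErrorResponse( 'rest_cannot_edit_application_password', $response, 403 );
     }
 
@@ -644,5 +644,5 @@
         $request  = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d/application-passwords/%s', self::$admin, $uuid ) );
         $response = rest_do_request( $request );
-        $this->assertErrorResponse( 'rest_cannot_manage_application_passwords', $response, 403 );
+        $this->assertErrorResponse( 'rest_cannot_delete_application_password', $response, 403 );
     }
 
@@ -748,5 +748,5 @@
         $request  = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d/application-passwords', self::$admin ) );
         $response = rest_do_request( $request );
-        $this->assertErrorResponse( 'rest_cannot_manage_application_passwords', $response, 403 );
+        $this->assertErrorResponse( 'rest_cannot_delete_application_passwords', $response, 403 );
     }
 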
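Review bot: Every rebound assertion (new-side lines 193, 275, 397, 503, 646 and 750) still pins only the error code and HTTP status, so nothing in this file demonstrates that the per-capability checks named in the commit message (list_app_passwords, read_app_password, create_app_password, edit_app_password, delete_app_password, delete_app_passwords) are what the controller consults; a caller lacking edit_user fails under both the old blanket check and the new one, and a regression back to a single edit_user test would pass these assertions unchanged. A test per capability that uses the `map_meta_cap` filter to withhold just that one meta capability from a user who otherwise holds `edit_user`, then asserts the corresponding `rest_cannot_*` code, would lock in the separation this commit introduces and give reviewers a way to see which capability guards which route. The enclosing test methods all begin and end outside the hunks, so their setup (which user is authenticated, how the capability is removed) is not visible here and this point is inferred from the assertion lines alone.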