Changeset 54570 for branches/5.1/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php

Timestamp:

10/17/2022 06:11:58 PM (19 months ago)

Author:

audrasjb

Message:

Grouped backports to the 5.1 branch.

• Media: Refactor search by filename within the admin,
• REST API: Lockdown post parameter of the terms endpoint,
• Customize: Escape blogname option in underscores templates,
• Query: Validate relation in WP_Date_Query,
• Posts, Post types: Apply KSES to post-by-email content,
• General: Validate host on "Are you sure?" screen,
• Posts, Post types: Remove emails from post-by-email logs,
• Pings/trackbacks: Apply KSES to all trackbacks,
• Mail: Reset PHPMailer properties between use,
• Widgets: Escape RSS error messages for display.

Merges [54521-54530] to the 5.1 branch.
Props voldemortensen, johnbillion, paulkevan, peterwilsoncc, xknown, dd32, audrasjb, martinkrcho, vortfu, davidbaumwald, tykoted, timothyblynjacobs, johnjamesjacoby, ehtis, matveb, talldanwp.

Location:

branches/5.1

Files:

• . (modified) (1 prop)
• src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php (modified) (2 diffs)

branches/5.1/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php

@@ -136 +136 @@
 
     /**
+     * Checks if the terms for a post can be read.
+     *
+     * @since 6.0.3
+     *
+     * @param WP_Post         $post    Post object.
+     * @param WP_REST_Request $request Full details about the request.
+     * @return bool Whether the terms for the post can be read.
+     */
+    public function check_read_terms_permission_for_post( $post, $request ) {
+        // If the requested post isn't associated with this taxonomy, deny access.
+        if ( ! is_object_in_taxonomy( $post->post_type, $this->taxonomy ) ) {
+            return false;
+        }
+
+        // Grant access if the post is publicly viewable.
+        if ( is_post_publicly_viewable( $post ) ) {
+            return true;
+        }
+
+        // Otherwise grant access if the post is readable by the logged in user.
+        if ( current_user_can( 'read_post', $post->ID ) ) {
+            return true;
+        }
+
+        // Otherwise, deny access.
+        return false;
+    }
+
+    /**
      * Checks if a request has access to read terms in the specified taxonomy.
      *
@@ -145 +174 @@
     public function get_items_permissions_check( $request ) {
         $tax_obj = get_taxonomy( $this->taxonomy );
+
         if ( ! $tax_obj || ! $this->check_is_taxonomy_allowed( $this->taxonomy ) ) {
             return false;
         }
+
         if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->edit_terms ) ) {
-            return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
-        }
+            return new WP_Error(
+                'rest_forbidden_context',
+                __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ),
+                array( 'status' => rest_authorization_required_code() )
+            );
+        }
+
+        if ( ! empty( $request['post'] ) ) {
+            $post = get_post( $request['post'] );
+
+            if ( ! $post ) {
+                return new WP_Error(
+                    'rest_post_invalid_id',
+                    __( 'Invalid post ID.' ),
+                    array(
+                        'status' => 400,
+                    )
+                );
+            }
+
+            if ( ! $this->check_read_terms_permission_for_post( $post, $request ) ) {
+                return new WP_Error(
+                    'rest_forbidden_context',
+                    __( 'Sorry, you are not allowed to view terms for this post.' ),
+                    array(
+                        'status' => rest_authorization_required_code(),
+                    )
+                );
+            }
+        }
+
         return true;
     }