Timestamp:
05/29/2024 07:19:56 AM (6 months ago)
Author:
youknowriad
Message:

REST API: Allow view access of template endpoint to anyone with the edit_post capability.

In order to render the block template in the locked template preview inside the post editor, we need to be able to fetch the contents of any block template or template part for any user role that can edit a post.

Props fabiankaegy, youknowriad.
Fixes #61137.

File:
1 edited

  • trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-templates-controller.php

    r58079 r58227  
    237237     *
    238238     * @since 5.8.0
     239     * @since 6.6.0 Allow users with edit_posts capability to read templates.
    239240     *
    240241     * @param WP_REST_Request $request Full details about the request.
     
    242243     */
    243244    public function get_items_permissions_check( $request ) {
    244         return $this->permissions_check( $request );
     245        if ( current_user_can( 'edit_posts' ) ) {
     246            return true;
     247        }
     248        foreach ( get_post_types( array( 'show_in_rest' => true ), 'objects' ) as $post_type ) {
     249            if ( current_user_can( $post_type->cap->edit_posts ) ) {
     250                return true;
     251            }
     252        }
     253
     254        return new WP_Error(
     255            'rest_cannot_manage_templates',
     256            __( 'Sorry, you are not allowed to access the templates on this site.', 'default' ),
     257            array(
     258                'status' => rest_authorization_required_code(),
     259            )
     260        );
    245261    }
    246262
     
    278294     *
    279295     * @since 5.8.0
     296     * @since 6.6.0 Allow users with edit_posts capability to read individual templates.
    280297     *
    281298     * @param WP_REST_Request $request Full details about the request.
     
    283300     */
    284301    public function get_item_permissions_check( $request ) {
    285         return $this->permissions_check( $request );
     302        if ( current_user_can( 'edit_posts' ) ) {
     303            return true;
     304        }
     305        foreach ( get_post_types( array( 'show_in_rest' => true ), 'objects' ) as $post_type ) {
     306            if ( current_user_can( $post_type->cap->edit_posts ) ) {
     307                return true;
     308            }
     309        }
     310
     311        return new WP_Error(
     312            'rest_cannot_manage_templates',
     313            __( 'Sorry, you are not allowed to access the templates on this site.', 'default' ),
     314            array(
     315                'status' => rest_authorization_required_code(),
     316            )
     317        );
    286318    }
    287319
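Review bot: The new bodies of `get_items_permissions_check` (new lines 245–260) and `get_item_permissions_check` (new lines 302–317) are byte-for-byte identical, so the capability rule now lives in two places and any later tightening of it (for instance, a stricter rule for reading a single template) has to be made twice; fold the rule into one private helper and have both methods return its result, as in the excerpt below. The docblocks should also state the rule precisely: the loop grants read access to every template, including ones the user cannot edit, to anyone holding the `edit_posts` cap of any REST-exposed post type (by default this includes Contributor-level users), so the added `@since 6.6.0` lines are narrower than the code; suggest `* @since 6.6.0 Allow users with the edit_posts capability of any REST-exposed post type to read templates.`. If the `permissions_check()` method that both methods previously called is no longer referenced elsewhere in the class, it can presumably be removed, but that part of the file is outside this section.
```php
    public function get_items_permissions_check( $request ) {
        return $this->read_templates_permissions_check();
    }

    // … unchanged: get_item_permissions_check docblock …
    public function get_item_permissions_check( $request ) {
        return $this->read_templates_permissions_check();
    }

    /**
     * Shared read check for the collection and single-item routes.
     *
     * Grants access when the current user holds the generic `edit_posts`
     * capability or the `edit_posts` capability of any REST-exposed post type.
     *
     * @return true|WP_Error True if the request has read access, WP_Error object otherwise.
     */
    private function read_templates_permissions_check() {
        if ( current_user_can( 'edit_posts' ) ) {
            return true;
        }
        foreach ( get_post_types( array( 'show_in_rest' => true ), 'objects' ) as $post_type ) {
            if ( current_user_can( $post_type->cap->edit_posts ) ) {
                return true;
            }
        }

        return new WP_Error(
            'rest_cannot_manage_templates',
            __( 'Sorry, you are not allowed to access the templates on this site.', 'default' ),
            array(
                'status' => rest_authorization_required_code(),
            )
        );
    }
```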