Changeset 59718

Timestamp:

01/28/2025 04:07:07 AM (5 months ago)

Author:

spacedmonkey

Message:

REST API: Introduce filter for controlling menu read access.

The menu, menu item, and menu location endpoints were added to the REST API in [52079]. In that commit, menu data was treated as private and restricted to logged-in users with the edit_theme_options capability. However, in many cases, this data can be considered public. Previously, there was no simple way for developers to allow this data to be exposed via the REST API.

This commit introduces the rest_menu_read_access filter, enabling developers to control read access to menus, menu items, and menu locations in the REST API. The same filter is applied across all three REST API classes, simplifying the process of opting into exposing this data.

Each instance of the filter provides the current request and the relevant class instance as context, allowing developers to selectively or globally enable access to the data.

Props spacedmonkey, antonvlasenko, kadamwhite, julianmar, masteradhoc.
Fixes #54304.

Location:

trunk

Files:

• src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php (modified) (1 diff)
• src/wp-includes/rest-api/endpoints/class-wp-rest-menu-locations-controller.php (modified) (2 diffs)
• src/wp-includes/rest-api/endpoints/class-wp-rest-menus-controller.php (modified) (1 diff)
• tests/phpunit/tests/rest-api/wpRestMenuItemsController.php (modified) (1 diff)
• tests/phpunit/tests/rest-api/wpRestMenuLocationsController.php (modified) (1 diff)
• tests/phpunit/tests/rest-api/wpRestMenusController.php (modified) (1 diff)

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php

@@ -81 +81 @@
      */
     protected function check_has_read_only_access( $request ) {
+        /**
+         * Filters whether the current user has read access to menu items via the REST API.
+         *
+         * @since 6.8.0
+         * @param $read_only_access bool Whether the current user has read access to menu items via the REST API.
+         * @param $request WP_REST_Request Full details about the request.
+         * @param $this WP_REST_Controller The current instance of the controller.
+         */
+        $read_only_access = apply_filters( 'rest_menu_read_access', false, $request, $this );
+        if ( $read_only_access ) {
+            return true;
+        }
+
         if ( current_user_can( 'edit_theme_options' ) ) {
             return true;

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-locations-controller.php

@@ -81 +81 @@
      */
     public function get_items_permissions_check( $request ) {
+        return $this->check_has_read_only_access( $request );
+    }
+
+    /**
+     * Retrieves all menu locations, depending on user context.
+     *
+     * @since 5.9.0
+     *
+     * @param WP_REST_Request $request Full details about the request.
+     * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
+     */
+    public function get_items( $request ) {
+        $data = array();
+
+        foreach ( get_registered_nav_menus() as $name => $description ) {
+            $location              = new stdClass();
+            $location->name        = $name;
+            $location->description = $description;
+
+            $location      = $this->prepare_item_for_response( $location, $request );
+            $data[ $name ] = $this->prepare_response_for_collection( $location );
+        }
+
+        return rest_ensure_response( $data );
+    }
+
+    /**
+     * Checks if a given request has access to read a menu location.
+     *
+     * @since 5.9.0
+     *
+     * @param WP_REST_Request $request Full details about the request.
+     * @return true|WP_Error True if the request has read access for the item, WP_Error object otherwise.
+     */
+    public function get_item_permissions_check( $request ) {
+        return $this->check_has_read_only_access( $request );
+    }
+
+    /**
+     * Retrieves a specific menu location.
+     *
+     * @since 5.9.0
+     *
+     * @param WP_REST_Request $request Full details about the request.
+     * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
+     */
+    public function get_item( $request ) {
+        $registered_menus = get_registered_nav_menus();
+        if ( ! array_key_exists( $request['location'], $registered_menus ) ) {
+            return new WP_Error( 'rest_menu_location_invalid', __( 'Invalid menu location.' ), array( 'status' => 404 ) );
+        }
+
+        $location              = new stdClass();
+        $location->name        = $request['location'];
+        $location->description = $registered_menus[ $location->name ];
+
+        $data = $this->prepare_item_for_response( $location, $request );
+
+        return rest_ensure_response( $data );
+    }
+
+    /**
+     * Checks whether the current user has read permission for the endpoint.
+     *
+     * @since 6.8.0
+     *
+     * @param WP_REST_Request $request Full details about the request.
+     * @return true|WP_Error True if the current user has permission, WP_Error object otherwise.
+     */
+    protected function check_has_read_only_access( $request ) {
+        /** This filter is documented in wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php */
+        $read_only_access = apply_filters( 'rest_menu_read_access', false, $request, $this );
+        if ( $read_only_access ) {
+            return true;
+        }
+
         if ( ! current_user_can( 'edit_theme_options' ) ) {
             return new WP_Error(
@@ -90 +166 @@
 
         return true;
-    }
-
-    /**
-     * Retrieves all menu locations, depending on user context.
-     *
-     * @since 5.9.0
-     *
-     * @param WP_REST_Request $request Full details about the request.
-     * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
-     */
-    public function get_items( $request ) {
-        $data = array();
-
-        foreach ( get_registered_nav_menus() as $name => $description ) {
-            $location              = new stdClass();
-            $location->name        = $name;
-            $location->description = $description;
-
-            $location      = $this->prepare_item_for_response( $location, $request );
-            $data[ $name ] = $this->prepare_response_for_collection( $location );
-        }
-
-        return rest_ensure_response( $data );
-    }
-
-    /**
-     * Checks if a given request has access to read a menu location.
-     *
-     * @since 5.9.0
-     *
-     * @param WP_REST_Request $request Full details about the request.
-     * @return true|WP_Error True if the request has read access for the item, WP_Error object otherwise.
-     */
-    public function get_item_permissions_check( $request ) {
-        if ( ! current_user_can( 'edit_theme_options' ) ) {
-            return new WP_Error(
-                'rest_cannot_view',
-                __( 'Sorry, you are not allowed to view menu locations.' ),
-                array( 'status' => rest_authorization_required_code() )
-            );
-        }
-
-        return true;
-    }
-
-    /**
-     * Retrieves a specific menu location.
-     *
-     * @since 5.9.0
-     *
-     * @param WP_REST_Request $request Full details about the request.
-     * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
-     */
-    public function get_item( $request ) {
-        $registered_menus = get_registered_nav_menus();
-        if ( ! array_key_exists( $request['location'], $registered_menus ) ) {
-            return new WP_Error( 'rest_menu_location_invalid', __( 'Invalid menu location.' ), array( 'status' => 404 ) );
-        }
-
-        $location              = new stdClass();
-        $location->name        = $request['location'];
-        $location->description = $registered_menus[ $location->name ];
-
-        $data = $this->prepare_item_for_response( $location, $request );
-
-        return rest_ensure_response( $data );
     }
 

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-menus-controller.php

@@ -85 +85 @@
      */
     protected function check_has_read_only_access( $request ) {
+        /** This filter is documented in wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php */
+        $read_only_access = apply_filters( 'rest_menu_read_access', false, $request, $this );
+        if ( $read_only_access ) {
+            return true;
+        }
+
         if ( current_user_can( 'edit_theme_options' ) ) {
             return true;

trunk/tests/phpunit/tests/rest-api/wpRestMenuItemsController.php

@@ -178 +178 @@
     public function test_get_item() {
         wp_set_current_user( self::$admin_id );
+        $request  = new WP_REST_Request( 'GET', sprintf( '/wp/v2/menu-items/%d', $this->menu_item_id ) );
+        $response = rest_get_server()->dispatch( $request );
+
+        $this->check_get_menu_item_response( $response, 'view' );
+    }
+
+    /**
+     * @ticket 54304
+     * @covers ::get_items
+     */
+    public function test_get_items_filter() {
+        add_filter( 'rest_menu_read_access', '__return_true' );
+        $request  = new WP_REST_Request( 'GET', '/wp/v2/menu-items' );
+        $response = rest_get_server()->dispatch( $request );
+
+        $this->check_get_menu_items_response( $response );
+    }
+
+    /**
+     * @ticket 54304
+     * @covers ::get_item
+     */
+    public function test_get_item_filter() {
+        add_filter( 'rest_menu_read_access', '__return_true' );
         $request  = new WP_REST_Request( 'GET', sprintf( '/wp/v2/menu-items/%d', $this->menu_item_id ) );
         $response = rest_get_server()->dispatch( $request );

trunk/tests/phpunit/tests/rest-api/wpRestMenuLocationsController.php

@@ -122 +122 @@
 
     /**
+     * @ticket 54304
+     * @covers ::get_items
+     */
+    public function test_get_items_filter() {
+        $menus = array( 'primary', 'secondary' );
+        $this->register_nav_menu_locations( array( 'primary', 'secondary' ) );
+        add_filter( 'rest_menu_read_access', '__return_true' );
+
+        $request  = new WP_REST_Request( 'GET', '/wp/v2/menu-locations' );
+        $response = rest_get_server()->dispatch( $request );
+        $data     = $response->get_data();
+        $data     = array_values( $data );
+        $this->assertCount( 2, $data, 'Number of menu location are not 2' );
+
+        $names        = wp_list_pluck( $data, 'name' );
+        $descriptions = wp_list_pluck( $data, 'description' );
+        $this->assertSame( $menus, $names );
+        $menu_descriptions = array_map( 'ucfirst', $names );
+
+        $this->assertSame( $menu_descriptions, $descriptions, 'Menu descriptions do not match' );
+    }
+
+    /**
+     * @ticket 54304
+     * @covers ::get_item
+     */
+    public function test_get_item_filter() {
+        $menu = 'primary';
+        $this->register_nav_menu_locations( array( $menu ) );
+
+        add_filter( 'rest_menu_read_access', '__return_true' );
+        $request  = new WP_REST_Request( 'GET', '/wp/v2/menu-locations/' . $menu );
+        $response = rest_get_server()->dispatch( $request );
+        $data     = $response->get_data();
+
+        $this->assertSame( $menu, $data['name'] );
+    }
+
+    /**
      * @ticket 40878
      * @covers ::get_item

trunk/tests/phpunit/tests/rest-api/wpRestMenusController.php

@@ -209 +209 @@
     }
 
+
+    /**
+     * @ticket 54304
+     * @covers ::get_items
+     */
+    public function test_get_items_filter() {
+        add_filter( 'rest_menu_read_access', '__return_true' );
+        wp_update_nav_menu_object(
+            0,
+            array(
+                'description' => 'Test get',
+                'menu-name'   => 'test Name get',
+            )
+        );
+        $request = new WP_REST_Request( 'GET', '/wp/v2/menus' );
+        $request->set_param( 'per_page', self::$per_page );
+        $response = rest_get_server()->dispatch( $request );
+        $this->check_get_taxonomy_terms_response( $response );
+    }
+
+    /**
+     * @ticket 54304
+     * @covers ::get_item
+     */
+    public function test_get_item_filter() {
+        add_filter( 'rest_menu_read_access', '__return_true' );
+        $nav_menu_id = wp_update_nav_menu_object(
+            0,
+            array(
+                'description' => 'Test menu',
+                'menu-name'   => 'test Name',
+            )
+        );
+
+        $this->register_nav_menu_locations( array( 'primary' ) );
+        set_theme_mod( 'nav_menu_locations', array( 'primary' => $nav_menu_id ) );
+
+        $request  = new WP_REST_Request( 'GET', '/wp/v2/menus/' . $nav_menu_id );
+        $response = rest_get_server()->dispatch( $request );
+        $this->check_get_taxonomy_term_response( $response, $nav_menu_id );
+    }
+
     /**
      * @ticket 40878