Changeset 60814 for trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

Timestamp:

09/30/2025 03:49:18 PM (4 months ago)

Author:

johnbillion

Message:

REST API: Increase the specificity of capability checks for collections when the edit context is in use.

The edit access in now taken into account for each individual post, term, or user in the response.

Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, rmccue, timothyblynjacobs, vortfu, whyisjake, zieladam.

File:

• trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php (modified) (1 diff)

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

@@ -464 +464 @@
 
             foreach ( $query_result as $post ) {
-                if ( ! $this->check_read_permission( $post ) ) {
+                if ( 'edit' === $request['context'] ) {
+                    $permission = $this->check_update_permission( $post );
+                } else {
+                    $permission = $this->check_read_permission( $post );
+                }
+
+                if ( ! $permission ) {
                     continue;
                 }