Index: src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
===================================================================
--- src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php	(revision 46755)
+++ src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php	(working copy)
@@ -1013,7 +1013,7 @@
 
 		// Post status.
 		if ( ! empty( $schema['properties']['status'] ) && isset( $request['status'] ) ) {
-			$status = $this->handle_status_param( $request['status'], $post_type );
+			$status = $this->handle_status_param( $request['status'], $post_type, $request['id'] );
 
 			if ( is_wp_error( $status ) ) {
 				return $status;
@@ -1147,9 +1147,10 @@
 	 *
 	 * @param string $post_status Post status.
 	 * @param object $post_type   Post type.
+	 * @param int 	 $post_id     Post ID.
 	 * @return string|WP_Error Post status or WP_Error if lacking the proper permission.
 	 */
-	protected function handle_status_param( $post_status, $post_type ) {
+	protected function handle_status_param( $post_status, $post_type, $post_id ) {
 
 		switch ( $post_status ) {
 			case 'draft':
@@ -1156,13 +1157,13 @@
 			case 'pending':
 				break;
 			case 'private':
-				if ( ! current_user_can( $post_type->cap->publish_posts ) ) {
+				if ( ! current_user_can( $post_type->cap->publish_posts, $post_id ) ) {
 					return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to create private posts in this post type.' ), array( 'status' => rest_authorization_required_code() ) );
 				}
 				break;
 			case 'publish':
 			case 'future':
-				if ( ! current_user_can( $post_type->cap->publish_posts ) ) {
+				if ( ! current_user_can( $post_type->cap->publish_posts, $post_id ) ) {
 					return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to publish posts in this post type.' ), array( 'status' => rest_authorization_required_code() ) );
 				}
 				break;