
Opened 5 months ago

Closed 5 months ago

Last modified 5 months ago

#38958 closed defect (bug) (fixed)

REST API: Capability check for creating terms differs from wp-admin

Reported by: johnbillion
Owned by: rachelbaker
Milestone: 4.7
Priority: normal
Severity: normal
Version: 4.7
Component: Taxonomy
Keywords: has-patch commit dev-reviewed
Focuses: rest-api
Cc:

Description

The capability check used in WP_REST_Terms_Controller when attempting to create a new term is manage_terms, but it should be edit_terms.

Refs:

In #33975 we'll hopefully change this to create_terms.
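The following is an added example, not code from this ticket, its patch, or WordPress core: a stand-alone PHP script that models the mismatch the ticket describes. The taxonomy capability map, the three users, and the functions user_can_do, admin_add_tag_check, rest_create_term_check_before, rest_create_term_check_after and compare_term_create_checks are all constructed for illustration; they stand in for register_taxonomy()'s capabilities array, current_user_can() and the controller's permission callback rather than calling them. It models only the action-level admin check (edit_terms); as comment 3 notes, the edit-tags.php screen itself is additionally gated on manage_terms.

```php
<?php
// Added example (not WordPress core code): shows how a REST term-create check
// that uses manage_terms diverges from the admin add-tag check (edit_terms)
// once a taxonomy maps the two to different primitive capabilities.
// All names and data below are constructed for illustration.

// Constructed taxonomy capability map, in the shape of the `capabilities`
// argument to register_taxonomy(). Core's default maps manage_terms,
// edit_terms and delete_terms all to manage_categories, which is why the two
// look interchangeable; a custom taxonomy can split them like this.
$taxonomy_caps = [
    'manage_terms' => 'manage_product_tags',
    'edit_terms'   => 'edit_product_tags',
    'delete_terms' => 'delete_product_tags',
    'assign_terms' => 'edit_products',
];

// Constructed users and the primitive capabilities each one holds.
$users = [
    'shop_manager' => ['manage_product_tags' => true, 'edit_product_tags' => true, 'edit_products' => true],
    'shop_editor'  => ['edit_product_tags' => true, 'edit_products' => true],
    'subscriber'   => ['read' => true],
];

// Minimal stand-in for current_user_can(): allow only when the primitive
// capability is explicitly granted to the user.
function user_can_do(array $user_caps, string $cap): bool {
    return !empty($user_caps[$cap]);
}

// Admin add-tag action as the ticket describes it: gated on edit_terms.
function admin_add_tag_check(array $user_caps, array $tax_caps): bool {
    return user_can_do($user_caps, $tax_caps['edit_terms']);
}

// REST create check before the fix: gated on manage_terms.
function rest_create_term_check_before(array $user_caps, array $tax_caps): bool {
    return user_can_do($user_caps, $tax_caps['manage_terms']);
}

// REST create check after the fix: gated on edit_terms, matching the admin action.
function rest_create_term_check_after(array $user_caps, array $tax_caps): bool {
    return user_can_do($user_caps, $tax_caps['edit_terms']);
}

// Evaluate all three decisions for every user and flag any user for whom the
// admin path and the pre-fix REST path disagree: that is the inconsistency the
// ticket reports, where the same action gets a different answer per entry point.
function compare_term_create_checks(array $users, array $tax_caps): array {
    $rows = [];
    foreach ($users as $name => $caps) {
        $admin  = admin_add_tag_check($caps, $tax_caps);
        $before = rest_create_term_check_before($caps, $tax_caps);
        $after  = rest_create_term_check_after($caps, $tax_caps);
        $rows[$name] = [
            'admin'           => $admin,
            'rest_before'     => $before,
            'rest_after'      => $after,
            'mismatch_before' => ($admin !== $before),
            'mismatch_after'  => ($admin !== $after),
        ];
    }
    return $rows;
}

printf("%-14s %-8s %-12s %-12s\n", 'user', 'admin', 'rest-before', 'rest-after');
foreach (compare_term_create_checks($users, $taxonomy_caps) as $name => $r) {
    printf("%-14s %-8s %-12s %-12s%s\n",
        $name,
        $r['admin'] ? 'allow' : 'deny',
        $r['rest_before'] ? 'allow' : 'deny',
        $r['rest_after'] ? 'allow' : 'deny',
        $r['mismatch_before'] ? '  <- differs from admin before the fix' : ''
    );
}
```

Run it with the PHP CLI. With core's default capabilities array, manage_terms and edit_terms both resolve to manage_categories, so for the built-in taxonomies and roles both checks give the same answer; the divergence only appears for a taxonomy that registers separate capabilities, as the constructed map does here, which is exactly where a permission callback using the wrong capability would silently disagree with the admin.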

Attachments (1)

38958.diff (706 bytes) - added by johnbillion 5 months ago.


Change History (15)

@johnbillion
5 months ago

#1 @johnbillion
5 months ago

  • Keywords has-patch added; needs-patch removed

#2 @johnbillion
5 months ago

  • Milestone changed from 4.8 to 4.7

#3 @rmccue
5 months ago

  • Keywords commit added

It appears the capability is actually both manage_terms and edit_terms in the admin; edit-tags.php has an earlier check for manage_terms.

XML-RPC was updated in [38698], see also #35614; makes sense to update to match the new caps.

Patch looks good. WP_REST_Taxonomies_Controller still contains 3 instances of manage_terms, but seems like those uses haven't changed?

#4 @rachelbaker
5 months ago

38958.diff Approved for commit (Ryan already added the commit keyword).


This ticket was mentioned in Slack in #core by helen.
5 months ago

#6 @helen
5 months ago

  • Keywords dev-reviewed added

#7 @jorbin
5 months ago

  • Keywords dev-reviewed removed
  • Owner set to jorbin
  • Status changed from new to assigned

#8 @jorbin
5 months ago

  • Keywords dev-reviewed added

#9 follow-up: @SergeyBiryukov
5 months ago

It would be great to document the difference (if there is any) between edit_terms and manage_terms at some point; they appear to be used somewhat interchangeably in core.

I could not find any documentation at the moment (as mentioned in comment:6:ticket:38857).

#10 @rachelbaker
5 months ago

  • Owner changed from jorbin to rachelbaker

#11 @rachelbaker
5 months ago

  • Keywords needs-unit-tests removed

#12 @rachelbaker
5 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 39402:

REST API: Fix incorrect capability check on term create.

Change the capability check used in WP_REST_Terms_Controller when creating a new term is attempted, from manage_terms to edit_terms. This matches the behavior within the WordPress admin. See #35614.

Props johnbillion, rmccue, rachelbaker, helen, jorbin, SergeyBiryukov.

Fixes #38958.

#13 in reply to: ↑ 9 @rachelbaker
5 months ago

Replying to SergeyBiryukov:

It would be great to document the difference (if there is any) between edit_terms and manage_terms at some point; they appear to be used somewhat interchangeably in core.

I could not find any documentation at the moment (as mentioned in comment:6:ticket:38857).

Makes sense, I know I am not 100% clear on the intended difference. I was also not clear on the next action or directed target of your comment (perhaps @johnbillion?), but I did not interpret it as a blocker for commit. Please let me know if I assumed incorrectly.

#14 @rachelbaker
5 months ago

In 39403:

REST API: Fix incorrect capability check on term create.

Change the capability check used in WP_REST_Terms_Controller when creating a new term is attempted, from manage_terms to edit_terms. This matches the behavior within the WordPress admin. See #35614.

Props johnbillion, rmccue, rachelbaker, helen, jorbin, SergeyBiryukov.

Merges [39402] to the 4.7 branch.
Fixes #38958 for 4.7.
