#43701 closed defect (bug) (fixed)
Make the "read_private" cap accessible over the REST API

| Reported by: | twoelevenjay | Owned by: | danielbachhuber |
|---|---|---|---|
| Milestone: | 5.0 | Priority: | normal |
| Severity: | normal | Version: | 4.9.5 |
| Component: | REST API | Keywords: | has-patch has-unit-tests |
| Focuses: | rest-api | Cc: | |
Description
When it comes to the "private" status of a post type, WordPress has a separate capability for editing post types and reading private post types. It so happens that default user roles and capabilities do not include one user who can only read a private post type without also having the ability to edit the post type.
When adding the "status" parameter to a REST route, the WP_REST_Posts_Controller checks to see if the current user can edit the private post type. If a user role is set to view a private post type but not edit the post type, then a REST route intended to return a private post type on GET for read-only purposes will fail.
I propose amending /wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php line 2286.
Changing:
if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
to:
if ( current_user_can( $post_type_obj->cap->edit_posts ) || current_user_can( $post_type_obj->cap->read_private_posts ) ) {
Attachments (4)
Change History (15)
#1 (7 years ago)
- Summary changed from Make the "read_only" cap truly accessible over the REST API to Make the "read_private" cap accessible over the REST API
#2 (7 years ago)
- Keywords has-patch has-unit-tests added
Hey, Leon! Welcome to Trac! :)
This does seem to be a valid bug. I was able to reproduce this in the following theoretical use-case:
- Create a user role, called Paid Subscriber, that inherits all capabilities from Subscriber but also gets the read_private_posts cap.
- Try to access a private post on the frontend. Works.
- Try to access a private post via the REST API. Works.
- Try to get a list of private posts via the REST API. Doesn't work.
0001-Make-the-read_private-cap-accessible-over-the-REST-A.patch, although formatted incorrectly, solves the issue.
43701.diff includes a test for the scenario, and the 0001-Make-the-read_private-cap-accessible-over-the-REST-A.patch fix.
6 years ago
Only allow users with the read_private_posts cap to view private posts, not drafts or other non-public statuses. Adds more tests.
#4 (6 years ago)
- Keywords commit added
43701.2.diff is a refresh of @soulseekah's earlier patch. It limits allowing users with the edit_private_posts to viewing only 'private' posts.
If possible, I would like to get another set of eyes since this is dealing with user capabilities. I did add more tests though so I am feeling fairly good about this as is.
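To make the capability distinction concrete, here is a small Python model of the "status" permission check: the one-line change proposed in the description next to the narrower rule described for 43701.2.diff, which unlocks only the 'private' status for read_private_posts holders. This is an added illustration, not WordPress code; the capability sets for the two sample users, the post-type cap names and the check_request helper are assumptions.

```python
# Model of the WP_REST_Posts_Controller "status" permission check from this ticket.
# Assumption: a user's capabilities are a set of strings and a post type object
# exposes the cap names it maps to (here the defaults for the "post" type).
POST_TYPE = {"edit_posts": "edit_posts", "read_private_posts": "read_private_posts"}

# Constructed sample users: a Paid Subscriber (comment #2) and an ordinary Editor.
PAID_SUBSCRIBER = {"read", "read_private_posts"}
EDITOR = {"read", "edit_posts", "edit_others_posts", "read_private_posts"}

PUBLIC_STATUSES = {"publish"}  # statuses any visitor may query


def check_status_original(caps, status, post_type=POST_TYPE):
    """Pre-fix rule: every non-public status requires the edit_posts cap."""
    if status in PUBLIC_STATUSES:
        return True
    return post_type["edit_posts"] in caps


def check_status_description_patch(caps, status, post_type=POST_TYPE):
    """The change proposed in the description: read_private_posts unlocks
    every non-public status, so drafts and pending posts become listable too."""
    if status in PUBLIC_STATUSES:
        return True
    return post_type["edit_posts"] in caps or post_type["read_private_posts"] in caps


def check_status_narrowed(caps, status, post_type=POST_TYPE):
    """Narrowed rule from the refreshed patch: read_private_posts only unlocks
    the 'private' status; other non-public statuses still need edit_posts."""
    if status in PUBLIC_STATUSES:
        return True
    if status == "private" and post_type["read_private_posts"] in caps:
        return True
    return post_type["edit_posts"] in caps


def check_request(caps, statuses, checker=check_status_narrowed):
    """The REST 'status' parameter accepts a list; one forbidden status rejects
    the whole request (the real controller returns a WP_Error, modelled as False)."""
    return all(checker(caps, status) for status in statuses)
```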
#6 (6 years ago)
+1 to 43701.2.diff although I think it needs a refresh.
I grepped core to see if there was prior art for this exact conditional, but I wasn't able to find an example. However, with this being said, the visibility of a Post is also asserted with WP_REST_Posts_Controller->check_read_permission(), so I feel reasonably confident in this change.
This ticket was mentioned in Slack in #core-committers by danielbachhuber. (6 years ago)
#8 (6 years ago)
- Owner set to danielbachhuber
- Resolution set to fixed
- Status changed from new to closed
In 43694:
Amends /wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php line 2286 to allow reading of private post types when current user caps only allow reading the private post type but not editing it.