Make WordPress Core

Opened 2 months ago

Last modified 2 months ago

#43701 new defect (bug)

Make the "read_private" cap accessible over the REST API

Reported by: twoelevenjay
Owned by:
Milestone: 5.0
Priority: normal
Severity: normal
Version: 4.9.5
Component: REST API
Keywords: has-patch has-unit-tests
Focuses: rest-api
Cc:

Description

When it comes to the "private" status of a post type, WordPress has separate capabilities for editing a post type and for reading its private posts. It so happens that the default user roles and capabilities do not include a user who can only read a private post type without also having the ability to edit the post type.

When adding the "status" parameter to a REST route, the WP_REST_Posts_Controller checks to see if the current user can edit the private post type. If a user role is set to view a private post type but not edit the post type, then a REST route intended to return a private post type on GET for read-only purposes will fail.

I propose amending /wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php line 2286.

Changing:

if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {

to:

if ( current_user_can( $post_type_obj->cap->edit_posts ) || current_user_can( $post_type_obj->cap->read_private_posts ) ) {

Attachments (2)

0001-Make-the-read_private-cap-accessible-over-the-REST-A.patch (1.3 KB) - added by twoelevenjay 2 months ago.
Amends /wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php line 2286 to allow reading of private post types when current user caps only allow reading the private post type but not editing it.
43701.diff (2.2 KB) - added by soulseekah 2 months ago.
tests + fix


Change History (5)

#1 @twoelevenjay
2 months ago

  • Summary changed from Make the "read_only" cap truly accessible over the REST API to Make the "read_private" cap accessible over the REST API

@twoelevenjay
2 months ago

Amends /wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php line 2286 to allow reading of private post types when current user caps only allow reading the private post type but not editing it.

@soulseekah
2 months ago

tests + fix

#2 @soulseekah
2 months ago

  • Keywords has-patch has-unit-tests added

Hey, Leon! Welcome to Trac! :)

This does seem to be a valid bug. I was able to reproduce this in the following theoretical use-case:

  1. Create a user role called Paid Subscriber that inherits all capabilities from Subscriber but also gets the read_private_posts cap.
  2. Try to access a private post on the frontend. Works.
  3. Try to access a private post via the REST API. Works.
  4. Try to get a list of private posts via the REST API. Doesn't work.

0001-Make-the-read_private-cap-accessible-over-the-REST-A.patch, although formatted incorrectly, solves the issue.

43701.diff includes a test for the scenario, and the 0001-Make-the-read_private-cap-accessible-over-the-REST-A.patch fix.
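The following is a stand-alone model, added here and not code from WordPress core or from either attached patch, of the status gate the description points at (the edit_posts check on the "status" parameter) and of the Paid Subscriber scenario in comment #2. It compares three versions of the gate: the 4.9.5 behaviour, the reporter's proposed `||` change, and a stricter variant (my addition, not from the ticket) in which read_private_posts only unlocks statuses that are actually private. The capability table, the `paid_subscriber` role and the list of statuses are constructed for the example; `current_user_can` is a stand-in for the WordPress function, not the real one.

```python
"""
Model of the REST "status" parameter gate discussed in #43701.
Stand-alone Python, not WordPress PHP: role/capability tables are
constructed for the example and current_user_can() is a stand-in.
"""

# Constructed capability table: a subset of the default roles plus the
# hypothetical "Paid Subscriber" role from comment #2 (Subscriber +
# read_private_posts, no edit_posts).
ROLE_CAPS = {
    "subscriber": {"read"},
    "paid_subscriber": {"read", "read_private_posts"},
    "contributor": {"read", "edit_posts"},
    "editor": {"read", "edit_posts", "edit_others_posts", "read_private_posts"},
}

# Statuses a request may put in ?status=... ; only "private" carries the
# "private" flag among the built-in statuses (constructed for the model).
ALL_STATUSES = ("publish", "private", "draft", "pending", "future")
PRIVATE_STATUSES = {"private"}
DEFAULT_STATUS = "publish"  # the parameter default is never gated


def current_user_can(role, cap):
    """Stand-in for current_user_can(): does the role grant the capability?"""
    return cap in ROLE_CAPS.get(role, set())


def gate_original(role, status):
    """4.9.5 behaviour: any non-default status requires edit_posts."""
    if status == DEFAULT_STATUS:
        return True
    return current_user_can(role, "edit_posts")


def gate_proposed(role, status):
    """The ticket's proposal: edit_posts OR read_private_posts opens
    every non-default status, drafts and pending posts included."""
    if status == DEFAULT_STATUS:
        return True
    return (current_user_can(role, "edit_posts")
            or current_user_can(role, "read_private_posts"))


def gate_strict(role, status):
    """Added, stricter variant (not from the ticket): read_private_posts
    only unlocks private statuses; everything else still needs edit_posts."""
    if status == DEFAULT_STATUS:
        return True
    if current_user_can(role, "edit_posts"):
        return True
    return status in PRIVATE_STATUSES and current_user_can(role, "read_private_posts")


def allowed_statuses(gate, role, statuses=ALL_STATUSES):
    """Statuses a request made by `role` may pass through `gate`
    (models GET /wp/v2/posts?status=... for the post type)."""
    return tuple(s for s in statuses if gate(role, s))


if __name__ == "__main__":
    gates = (("original", gate_original),
             ("proposed", gate_proposed),
             ("strict", gate_strict))
    for role in ROLE_CAPS:
        for name, gate in gates:
            print(f"{role:16} {name:9} -> {allowed_statuses(gate, role)}")
```

Run as-is it prints, per role and gate, which statuses get through; the paid_subscriber row is the one from the repro: the original gate rejects `status=private` (the comment's step 4), the proposed gate accepts it but also lets the same role ask for draft, pending and future, and the strict variant accepts exactly publish and private. The controller does apply a per-post read check to each item it returns, so the wider gate is not by itself a disclosure, but a fix scoped to private statuses avoids relying on that second check for a role that was only ever meant to read private posts.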

#3 @SergeyBiryukov
2 months ago

  • Milestone changed from Awaiting Review to 5.0