REST API: Tweak permission checks for taxonomy and term endpoints
To match behaviour in the Classic Editor, we need to slightly loosen permissions on taxonomy and term endpoints. This allows users to create terms to assign to a post that they're editing. Merges [43440] to the 4.9 branch. Props danielbachhuber. Fixes #44096. Built from https://develop.svn.wordpress.org/branches/4.9@43443 git-svn-id: http://core.svn.wordpress.org/branches/4.9@43270 1a063a9b-81f0-0310-95a4-ce76da25c4cd
parent
d802d709c7
commit
547a500699
|
@ -80,7 +80,7 @@ class WP_REST_Taxonomies_Controller extends WP_REST_Controller {
|
||||||
$taxonomies = get_taxonomies( '', 'objects' );
|
$taxonomies = get_taxonomies( '', 'objects' );
|
||||||
}
|
}
|
||||||
foreach ( $taxonomies as $taxonomy ) {
|
foreach ( $taxonomies as $taxonomy ) {
|
||||||
if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->manage_terms ) ) {
|
if ( ! empty( $taxonomy->show_in_rest ) && current_user_can( $taxonomy->cap->assign_terms ) ) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -109,7 +109,7 @@ class WP_REST_Taxonomies_Controller extends WP_REST_Controller {
|
||||||
}
|
}
|
||||||
$data = array();
|
$data = array();
|
||||||
foreach ( $taxonomies as $tax_type => $value ) {
|
foreach ( $taxonomies as $tax_type => $value ) {
|
||||||
if ( empty( $value->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $value->cap->manage_terms ) ) ) {
|
if ( empty( $value->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $value->cap->assign_terms ) ) ) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
$tax = $this->prepare_item_for_response( $value, $request );
|
$tax = $this->prepare_item_for_response( $value, $request );
|
||||||
|
@ -141,7 +141,7 @@ class WP_REST_Taxonomies_Controller extends WP_REST_Controller {
|
||||||
if ( empty( $tax_obj->show_in_rest ) ) {
|
if ( empty( $tax_obj->show_in_rest ) ) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->manage_terms ) ) {
|
if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->assign_terms ) ) {
|
||||||
return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to manage terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
|
return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to manage terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
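Review bot: The WP_Error message in the get_item_permissions_check hunk still reads "not allowed to manage terms in this taxonomy" although the condition just above it now tests `assign_terms`, so the denial no longer describes the rule being applied; the same mismatch is worth checking wherever else this string is reused. Suggest `return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to assign terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );` (or whatever wording matches the project's string conventions). Since the edit context is now reachable by users who only hold assign_terms, whatever prepare_item_for_response adds for that context is outside these hunks and would be worth a quick confirmation that it exposes nothing beyond what such users can already see. The enclosing get_item_permissions_check begins outside the hunk.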
@ -376,7 +376,10 @@ class WP_REST_Terms_Controller extends WP_REST_Controller {
|
||||||
}
|
}
|
||||||
|
|
||||||
$taxonomy_obj = get_taxonomy( $this->taxonomy );
|
$taxonomy_obj = get_taxonomy( $this->taxonomy );
|
||||||
if ( ! current_user_can( $taxonomy_obj->cap->edit_terms ) ) {
|
if ( ( is_taxonomy_hierarchical( $this->taxonomy )
|
||||||
|
&& ! current_user_can( $taxonomy_obj->cap->edit_terms ) )
|
||||||
|
|| ( ! is_taxonomy_hierarchical( $this->taxonomy )
|
||||||
|
&& ! current_user_can( $taxonomy_obj->cap->assign_terms ) ) ) {
|
||||||
return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new terms.' ), array( 'status' => rest_authorization_required_code() ) );
|
return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new terms.' ), array( 'status' => rest_authorization_required_code() ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
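Review bot: The new condition in create_item_permissions_check calls is_taxonomy_hierarchical() twice and spreads the capability choice over a four-line boolean, which hides the actual rule (hierarchical taxonomies need edit_terms, flat ones only assign_terms). Selecting the capability first keeps the intent on one line: `$required_cap = is_taxonomy_hierarchical( $this->taxonomy ) ? $taxonomy_obj->cap->edit_terms : $taxonomy_obj->cap->assign_terms;` followed by `if ( ! current_user_can( $required_cap ) ) {`. A short comment stating why the two cases differ, e.g. `// Match the Classic Editor: assigning a new tag implies creating it, while hierarchical terms still require edit_terms.`, would spare the next reader a trip to the ticket. The function's opening and its earlier guards are outside the hunk, so I cannot see whether a false return from get_taxonomy() is rejected before `$taxonomy_obj->cap` is dereferenced.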
@ -4,7 +4,7 @@
|
||||||
*
|
*
|
||||||
* @global string $wp_version
|
* @global string $wp_version
|
||||||
*/
|
*/
|
||||||
$wp_version = '4.9.8-alpha-43442';
|
$wp_version = '4.9.8-alpha-43443';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||||
|
|