diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php index 52ad18d184..4ef48fa366 100644 --- a/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php +++ b/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php @@ -144,6 +144,35 @@ class WP_REST_Terms_Controller extends WP_REST_Controller { ); } + /** + * Checks if the terms for a post can be read. + * + * @since 6.0.3 + * + * @param WP_Post $post Post object. + * @param WP_REST_Request $request Full details about the request. + * @return bool Whether the terms for the post can be read. + */ + public function check_read_terms_permission_for_post( $post, $request ) { + // If the requested post isn't associated with this taxonomy, deny access. + if ( ! is_object_in_taxonomy( $post->post_type, $this->taxonomy ) ) { + return false; + } + + // Grant access if the post is publicly viewable. + if ( is_post_publicly_viewable( $post ) ) { + return true; + } + + // Otherwise grant access if the post is readable by the logged in user. + if ( current_user_can( 'read_post', $post->ID ) ) { + return true; + } + + // Otherwise, deny access. + return false; + } + /** * Checks if a request has access to read terms in the specified taxonomy. * @@ -167,6 +196,30 @@ class WP_REST_Terms_Controller extends WP_REST_Controller { ); } + if ( ! empty( $request['post'] ) ) { + $post = get_post( $request['post'] ); + + if ( ! $post ) { + return new WP_Error( + 'rest_post_invalid_id', + __( 'Invalid post ID.' ), + array( + 'status' => 400, + ) + ); + } + + if ( ! $this->check_read_terms_permission_for_post( $post, $request ) ) { + return new WP_Error( + 'rest_forbidden_context', + __( 'Sorry, you are not allowed to view terms for this post.' ), + array( + 'status' => rest_authorization_required_code(), + ) + ); + } + } + return true; } diff --git a/wp-includes/version.php b/wp-includes/version.php index 1ea3f15c2f..b5b989964a 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -16,7 +16,7 @@ * * @global string $wp_version */ -$wp_version = '6.1-RC1-54527'; +$wp_version = '6.1-RC1-54528'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.