REST API: Lockdown post parameter of the terms endpoint.
Props johnbillion, tykoted, timothyblynjacobs, peterwilsoncc, martinkrcho, ehtis. Built from https://develop.svn.wordpress.org/trunk@54528 git-svn-id: http://core.svn.wordpress.org/trunk@54083 1a063a9b-81f0-0310-95a4-ce76da25c4cd
parent
566d22260a
commit
8b2ade73a2
@ -144,6 +144,35 @@ class WP_REST_Terms_Controller extends WP_REST_Controller {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks if the terms for a post can be read.
|
||||||
|
*
|
||||||
|
* @since 6.0.3
|
||||||
|
*
|
||||||
|
* @param WP_Post $post Post object.
|
||||||
|
* @param WP_REST_Request $request Full details about the request.
|
||||||
|
* @return bool Whether the terms for the post can be read.
|
||||||
|
*/
|
||||||
|
public function check_read_terms_permission_for_post( $post, $request ) {
|
||||||
|
// If the requested post isn't associated with this taxonomy, deny access.
|
||||||
|
if ( ! is_object_in_taxonomy( $post->post_type, $this->taxonomy ) ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Grant access if the post is publicly viewable.
|
||||||
|
if ( is_post_publicly_viewable( $post ) ) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Otherwise grant access if the post is readable by the logged in user.
|
||||||
|
if ( current_user_can( 'read_post', $post->ID ) ) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Otherwise, deny access.
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Checks if a request has access to read terms in the specified taxonomy.
|
* Checks if a request has access to read terms in the specified taxonomy.
|
||||||
*
|
*
|
||||||
|
@ -167,6 +196,30 @@ class WP_REST_Terms_Controller extends WP_REST_Controller {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( ! empty( $request['post'] ) ) {
|
||||||
|
$post = get_post( $request['post'] );
|
||||||
|
|
||||||
|
if ( ! $post ) {
|
||||||
|
return new WP_Error(
|
||||||
|
'rest_post_invalid_id',
|
||||||
|
__( 'Invalid post ID.' ),
|
||||||
|
array(
|
||||||
|
'status' => 400,
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( ! $this->check_read_terms_permission_for_post( $post, $request ) ) {
|
||||||
|
return new WP_Error(
|
||||||
|
'rest_forbidden_context',
|
||||||
|
__( 'Sorry, you are not allowed to view terms for this post.' ),
|
||||||
|
array(
|
||||||
|
'status' => rest_authorization_required_code(),
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
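Review bot: The docblock of `check_read_terms_permission_for_post` in the hunk `@ -144,6 +144,35` should state that the `is_post_publicly_viewable( $post )` branch decides on post status and post type only, so terms attached to a password-protected published post stay readable without the password; as far as I can tell that mirrors how the rest of the REST API treats such posts, but spelling it out helps anyone auditing this lockdown. Suggested comment above that check: `// "Publicly viewable" is decided by post type and status only; password-protected published posts pass this check.` In the second hunk (`@ -167,6 +196,30`) the error code `rest_forbidden_context` is reused for a per-post read denial rather than a context check; `rest_cannot_read` would describe the failure more accurately, unless reusing an existing code is deliberate for a fix that is presumably being backported (the method carries `@since 6.0.3`). The method that contains the second hunk starts outside the hunk.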
@ -16,7 +16,7 @@
|
||||||
*
|
*
|
||||||
* @global string $wp_version
|
* @global string $wp_version
|
||||||
*/
|
*/
|
||||||
$wp_version = '6.1-RC1-54527';
|
$wp_version = '6.1-RC1-54528';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||||
|
|