REST API: Return a `WP_Error` when a user does not have permission to create or update a post with the provided terms.

Add the 'assign_term' check for post create and update.

Props boonebgorges, johnbillion.
Fixes #38505.
Built from https://develop.svn.wordpress.org/trunk@39108


git-svn-id: http://core.svn.wordpress.org/trunk@39050 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Rachel Baker 2016-11-03 03:16:30 +00:00
parent 37318fe73f
commit 8c9f4f812a
2 changed files with 41 additions and 1 deletions

View File

@ -459,6 +459,10 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new posts.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new posts.' ), array( 'status' => rest_authorization_required_code() ) );
} }
if ( ! $this->check_assign_terms_permission( $request ) ) {
return new WP_Error( 'rest_cannot_assign_term', __( 'You do not have permission to assign the provided terms.' ), array( 'status' => rest_authorization_required_code() ) );
}
return true; return true;
} }
@ -592,6 +596,10 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
return new WP_Error( 'rest_cannot_assign_sticky', __( 'You do not have permission to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_cannot_assign_sticky', __( 'You do not have permission to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
} }
if ( ! $this->check_assign_terms_permission( $request ) ) {
return new WP_Error( 'rest_cannot_assign_term', __( 'You do not have permission to assign the provided terms.' ), array( 'status' => rest_authorization_required_code() ) );
}
return true; return true;
} }
@ -1205,6 +1213,38 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
} }
} }
/**
* Checks whether current user can assign all terms sent with the current request.
*
* @since 4.7.0
*
* @param WP_REST_Request $request The request object with post and terms data.
* @return bool Whether the current user can assign the provided terms.
*/
protected function check_assign_terms_permission( $request ) {
$taxonomies = wp_list_filter( get_object_taxonomies( $this->post_type, 'objects' ), array( 'show_in_rest' => true ) );
foreach ( $taxonomies as $taxonomy ) {
$base = ! empty( $taxonomy->rest_base ) ? $taxonomy->rest_base : $taxonomy->name;
if ( ! isset( $request[ $base ] ) ) {
continue;
}
foreach ( $request[ $base ] as $term_id ) {
// Invalid terms will be rejected later.
if ( ! get_term( $term_id, $taxonomy->name ) ) {
continue;
}
if ( ! current_user_can( 'assign_term', (int) $term_id ) ) {
return false;
}
}
}
return true;
}
/** /**
* Checks if a given post type can be viewed or managed. * Checks if a given post type can be viewed or managed.
* *

View File

@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.7-beta1-39107'; $wp_version = '4.7-beta1-39108';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.