REST API: Return a `WP_Error` when a user does not have permission to create or update a post with the provided terms.
Add the 'assign_term' check for post create and update. Props boonebgorges, johnbillion. Fixes #38505. Built from https://develop.svn.wordpress.org/trunk@39108 git-svn-id: http://core.svn.wordpress.org/trunk@39050 1a063a9b-81f0-0310-95a4-ce76da25c4cd
parent
37318fe73f
commit
8c9f4f812a
|
@ -459,6 +459,10 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
|
||||||
return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new posts.' ), array( 'status' => rest_authorization_required_code() ) );
|
return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create new posts.' ), array( 'status' => rest_authorization_required_code() ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( ! $this->check_assign_terms_permission( $request ) ) {
|
||||||
|
return new WP_Error( 'rest_cannot_assign_term', __( 'You do not have permission to assign the provided terms.' ), array( 'status' => rest_authorization_required_code() ) );
|
||||||
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
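Review bot: The new error string at the `rest_cannot_assign_term` line, "You do not have permission to assign the provided terms.", breaks with the phrasing of the sibling error two lines above it, "Sorry, you are not allowed to create new posts.", so the same endpoint now speaks in two registers for the same class of failure; the identical line in the second hunk (update_item_permissions_check) has the same issue. I would align it with `__( 'Sorry, you are not allowed to assign the provided terms.' )` in both places. The enclosing create_item_permissions_check starts outside the hunk, so I cannot see whether any earlier branch already returns before the term check runs.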
|
||||||
|
|
||||||
|
@ -592,6 +596,10 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
|
||||||
return new WP_Error( 'rest_cannot_assign_sticky', __( 'You do not have permission to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
|
return new WP_Error( 'rest_cannot_assign_sticky', __( 'You do not have permission to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( ! $this->check_assign_terms_permission( $request ) ) {
|
||||||
|
return new WP_Error( 'rest_cannot_assign_term', __( 'You do not have permission to assign the provided terms.' ), array( 'status' => rest_authorization_required_code() ) );
|
||||||
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1205,6 +1213,38 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks whether current user can assign all terms sent with the current request.
|
||||||
|
*
|
||||||
|
* @since 4.7.0
|
||||||
|
*
|
||||||
|
* @param WP_REST_Request $request The request object with post and terms data.
|
||||||
|
* @return bool Whether the current user can assign the provided terms.
|
||||||
|
*/
|
||||||
|
protected function check_assign_terms_permission( $request ) {
|
||||||
|
$taxonomies = wp_list_filter( get_object_taxonomies( $this->post_type, 'objects' ), array( 'show_in_rest' => true ) );
|
||||||
|
foreach ( $taxonomies as $taxonomy ) {
|
||||||
|
$base = ! empty( $taxonomy->rest_base ) ? $taxonomy->rest_base : $taxonomy->name;
|
||||||
|
|
||||||
|
if ( ! isset( $request[ $base ] ) ) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
foreach ( $request[ $base ] as $term_id ) {
|
||||||
|
// Invalid terms will be rejected later.
|
||||||
|
if ( ! get_term( $term_id, $taxonomy->name ) ) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( ! current_user_can( 'assign_term', (int) $term_id ) ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
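Review bot: The `! get_term( $term_id, $taxonomy->name )` guard under the `// Invalid terms will be rejected later.` comment only skips a null result, but get_term() returns a WP_Error object (which is truthy) for an empty or zero id, so such a value falls through to `current_user_can( 'assign_term', 0 )` and the request is refused with rest_cannot_assign_term instead of the validation error the comment promises. Capturing the result and skipping both cases keeps the intent: `$term = get_term( $term_id, $taxonomy->name ); if ( ! $term || is_wp_error( $term ) ) { continue; }`. The inner `foreach ( $request[ $base ] as $term_id )` also assumes an array; if the endpoint schema does not already constrain `$base` to an array of integers before the permission callback runs (I cannot see the schema here), a scalar value would only raise a warning and leave that taxonomy unchecked, so an `is_array()` guard that returns false for a non-array value would be the conservative choice in a permission check.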
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Checks if a given post type can be viewed or managed.
|
* Checks if a given post type can be viewed or managed.
|
||||||
*
|
*
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
*
|
*
|
||||||
* @global string $wp_version
|
* @global string $wp_version
|
||||||
*/
|
*/
|
||||||
$wp_version = '4.7-beta1-39107';
|
$wp_version = '4.7-beta1-39108';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||||
|
|