REST API: Use term-specific caps for permission checks in term update and delete endpoints.

See #38505.
Built from https://develop.svn.wordpress.org/trunk@38960


git-svn-id: http://core.svn.wordpress.org/trunk@38903 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php

@@ -451,8 +451,7 @@ class WP_REST_Terms_Controller extends WP_REST_Controller {
 			return new WP_Error( 'rest_term_invalid', __( "Resource doesn't exist." ), array( 'status' => 404 ) );
 		}
 
-		$taxonomy_obj = get_taxonomy( $this->taxonomy );
-		if ( ! current_user_can( $taxonomy_obj->cap->edit_terms ) ) {
+		if ( ! current_user_can( 'edit_term', $term->term_id ) ) {
 			return new WP_Error( 'rest_cannot_update', __( 'Sorry, you cannot update resource.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
@@ -527,8 +526,8 @@ class WP_REST_Terms_Controller extends WP_REST_Controller {
 		if ( ! $term ) {
 			return new WP_Error( 'rest_term_invalid', __( "Resource doesn't exist." ), array( 'status' => 404 ) );
 		}
-		$taxonomy_obj = get_taxonomy( $this->taxonomy );
-		if ( ! current_user_can( $taxonomy_obj->cap->delete_terms ) ) {
+
+		if ( ! current_user_can( 'delete_term', $term->term_id ) ) {
 			return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you cannot delete resource.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 		return true;

wp-includes/version.php

@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.7-alpha-38959';
+$wp_version = '4.7-alpha-38960';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.