diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-post-statuses-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-post-statuses-controller.php index 318f6c1a43..ccb44b7b80 100644 --- a/wp-includes/rest-api/endpoints/class-wp-rest-post-statuses-controller.php +++ b/wp-includes/rest-api/endpoints/class-wp-rest-post-statuses-controller.php @@ -89,6 +89,7 @@ class WP_REST_Post_Statuses_Controller extends WP_REST_Controller { return true; } } + return new WP_Error( 'rest_cannot_view', __( 'Sorry, you are not allowed to manage post statuses.' ), array( 'status' => rest_authorization_required_code() ) ); } diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-post-types-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-post-types-controller.php index 75cd522a1e..9b079fbf0c 100644 --- a/wp-includes/rest-api/endpoints/class-wp-rest-post-types-controller.php +++ b/wp-includes/rest-api/endpoints/class-wp-rest-post-types-controller.php @@ -81,8 +81,10 @@ class WP_REST_Post_Types_Controller extends WP_REST_Controller { */ public function get_items_permissions_check( $request ) { if ( 'edit' === $request['context'] ) { - foreach ( get_post_types( array(), 'object' ) as $post_type ) { - if ( ! empty( $post_type->show_in_rest ) && current_user_can( $post_type->cap->edit_posts ) ) { + $types = get_post_types( array( 'show_in_rest' => true ), 'objects' ); + + foreach ( $types as $type ) { + if ( current_user_can( $type->cap->edit_posts ) ) { return true; } } @@ -102,15 +104,16 @@ class WP_REST_Post_Types_Controller extends WP_REST_Controller { * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure. */ public function get_items( $request ) { - $data = array(); + $data = array(); + $types = get_post_types( array( 'show_in_rest' => true ), 'objects' ); - foreach ( get_post_types( array(), 'object' ) as $obj ) { - if ( empty( $obj->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $obj->cap->edit_posts ) ) ) { + foreach ( $types as $type ) { + if ( 'edit' === $request['context'] && ! current_user_can( $type->cap->edit_posts ) ) { continue; } - $post_type = $this->prepare_item_for_response( $obj, $request ); - $data[ $obj->name ] = $this->prepare_response_for_collection( $post_type ); + $post_type = $this->prepare_item_for_response( $type, $request ); + $data[ $type->name ] = $this->prepare_response_for_collection( $post_type ); } return rest_ensure_response( $data ); diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php index a83a91b640..60604f55de 100644 --- a/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php +++ b/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php @@ -199,17 +199,16 @@ class WP_REST_Users_Controller extends WP_REST_Controller { } if ( 'authors' === $request['who'] ) { - $can_view = false; - $types = get_post_types( array( 'show_in_rest' => true ), 'objects' ); + $types = get_post_types( array( 'show_in_rest' => true ), 'objects' ); + foreach ( $types as $type ) { if ( post_type_supports( $type->name, 'author' ) && current_user_can( $type->cap->edit_posts ) ) { - $can_view = true; + return true; } } - if ( ! $can_view ) { - return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) ); - } + + return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) ); } return true; diff --git a/wp-includes/version.php b/wp-includes/version.php index 04b694ce05..f2d021708d 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -13,7 +13,7 @@ * * @global string $wp_version */ -$wp_version = '5.4-alpha-47033'; +$wp_version = '5.4-alpha-47034'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.