REST API: Synchronize permission checks in `::get_items_permissions_check()` methods for post types, post statuses, and users:
* Only query post types with `'show_in_rest' => true` instead of looping over all post types and checking the `show_in_rest` property separately. * Return from the `foreach()` loop as soon as the permission check succeeded. Props pbiron, TimothyBlynJacobs, SergeyBiryukov. Fixes #49118. Built from https://develop.svn.wordpress.org/trunk@47034 git-svn-id: http://core.svn.wordpress.org/trunk@46834 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
ba033e96ef
commit
9bec6f1e54
|
@ -89,6 +89,7 @@ class WP_REST_Post_Statuses_Controller extends WP_REST_Controller {
|
|||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return new WP_Error( 'rest_cannot_view', __( 'Sorry, you are not allowed to manage post statuses.' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
|
|
|
@ -81,8 +81,10 @@ class WP_REST_Post_Types_Controller extends WP_REST_Controller {
|
|||
*/
|
||||
public function get_items_permissions_check( $request ) {
|
||||
if ( 'edit' === $request['context'] ) {
|
||||
foreach ( get_post_types( array(), 'object' ) as $post_type ) {
|
||||
if ( ! empty( $post_type->show_in_rest ) && current_user_can( $post_type->cap->edit_posts ) ) {
|
||||
$types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
|
||||
|
||||
foreach ( $types as $type ) {
|
||||
if ( current_user_can( $type->cap->edit_posts ) ) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
@ -103,14 +105,15 @@ class WP_REST_Post_Types_Controller extends WP_REST_Controller {
|
|||
*/
|
||||
public function get_items( $request ) {
|
||||
$data = array();
|
||||
$types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
|
||||
|
||||
foreach ( get_post_types( array(), 'object' ) as $obj ) {
|
||||
if ( empty( $obj->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $obj->cap->edit_posts ) ) ) {
|
||||
foreach ( $types as $type ) {
|
||||
if ( 'edit' === $request['context'] && ! current_user_can( $type->cap->edit_posts ) ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$post_type = $this->prepare_item_for_response( $obj, $request );
|
||||
$data[ $obj->name ] = $this->prepare_response_for_collection( $post_type );
|
||||
$post_type = $this->prepare_item_for_response( $type, $request );
|
||||
$data[ $type->name ] = $this->prepare_response_for_collection( $post_type );
|
||||
}
|
||||
|
||||
return rest_ensure_response( $data );
|
||||
|
|
|
@ -199,18 +199,17 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
|
|||
}
|
||||
|
||||
if ( 'authors' === $request['who'] ) {
|
||||
$can_view = false;
|
||||
$types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
|
||||
|
||||
foreach ( $types as $type ) {
|
||||
if ( post_type_supports( $type->name, 'author' )
|
||||
&& current_user_can( $type->cap->edit_posts ) ) {
|
||||
$can_view = true;
|
||||
return true;
|
||||
}
|
||||
}
|
||||
if ( ! $can_view ) {
|
||||
|
||||
return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
*
|
||||
* @global string $wp_version
|
||||
*/
|
||||
$wp_version = '5.4-alpha-47033';
|
||||
$wp_version = '5.4-alpha-47034';
|
||||
|
||||
/**
|
||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||
|
|
Loading…
Reference in New Issue