REST API: Synchronize permission checks in `::get_items_permissions_check()` methods for post types, post statuses, and users:

* Only query post types with `'show_in_rest' => true` instead of looping over all post types and checking the `show_in_rest` property separately.
* Return from the `foreach()` loop as soon as the permission check succeeded.

Props pbiron, TimothyBlynJacobs, SergeyBiryukov.
Fixes #49118.

git-svn-id: https://develop.svn.wordpress.org/trunk@47034 602fd350-edb4-49c9-b593-d223f7449a82
SergeyBiryukov committed Jan 3, 2020
1 parent adb9483 commit c27ab74
Showing 3 changed files with 16 additions and 13 deletions.
Expand Up @@ -89,6 +89,7 @@ public function get_items_permissions_check( $request ) {
return true;
}
}

return new WP_Error( 'rest_cannot_view', __( 'Sorry, you are not allowed to manage post statuses.' ), array( 'status' => rest_authorization_required_code() ) );
}

Expand Up @@ -81,8 +81,10 @@ public function register_routes() {
*/
public function get_items_permissions_check( $request ) {
if ( 'edit' === $request['context'] ) {
foreach ( get_post_types( array(), 'object' ) as $post_type ) {
if ( ! empty( $post_type->show_in_rest ) && current_user_can( $post_type->cap->edit_posts ) ) {
$types = get_post_types( array( 'show_in_rest' => true ), 'objects' );

foreach ( $types as $type ) {
if ( current_user_can( $type->cap->edit_posts ) ) {
return true;
}
}
Expand All @@ -102,15 +104,16 @@ public function get_items_permissions_check( $request ) {
* @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
*/
public function get_items( $request ) {
$data = array();
$data = array();
$types = get_post_types( array( 'show_in_rest' => true ), 'objects' );

foreach ( get_post_types( array(), 'object' ) as $obj ) {
if ( empty( $obj->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $obj->cap->edit_posts ) ) ) {
foreach ( $types as $type ) {
if ( 'edit' === $request['context'] && ! current_user_can( $type->cap->edit_posts ) ) {
continue;
}

$post_type = $this->prepare_item_for_response( $obj, $request );
$data[ $obj->name ] = $this->prepare_response_for_collection( $post_type );
$post_type = $this->prepare_item_for_response( $type, $request );
$data[ $type->name ] = $this->prepare_response_for_collection( $post_type );
}

return rest_ensure_response( $data );
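Review bot: The per-type capability test in `get_items()` at `if ( 'edit' === $request['context'] && ! current_user_can( $type->cap->edit_posts ) )` is the same predicate that `get_items_permissions_check()` uses in the first hunk of this file to grant access, and nothing in the code records that the two must agree: the permission check only proves the user can edit at least one REST-exposed type, so this loop is what actually narrows the edit-context listing to those types. A comment above the `foreach`, `// Mirrors the capability test in get_items_permissions_check(): in the edit context only types the current user can edit are listed.`, would make that dependency explicit for the next person who touches either method. The context comparison is also loop-invariant and could be hoisted once, e.g. `$edit_context = 'edit' === $request['context'];` before the loop and `if ( $edit_context && ! current_user_can( $type->cap->edit_posts ) )` inside it. Both methods continue outside their hunks, so the non-edit branch of the permission check and the closing brace of `get_items()` are not visible here.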
Expand Up @@ -199,17 +199,16 @@ public function get_items_permissions_check( $request ) {
}

if ( 'authors' === $request['who'] ) {
$can_view = false;
$types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
$types = get_post_types( array( 'show_in_rest' => true ), 'objects' );

foreach ( $types as $type ) {
if ( post_type_supports( $type->name, 'author' )
&& current_user_can( $type->cap->edit_posts ) ) {
$can_view = true;
return true;
}
}
if ( ! $can_view ) {
return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
}

return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
}

return true;
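Review bot: The `return true;` inside the `foreach` of the `'authors' === $request['who']` branch now leaves the method from the middle of that block, so any check appended later between the branch's closing brace and the final `return true;` would be silently skipped for the authors case; today the two are adjacent in the hunk, so behaviour is unchanged, but the old `$can_view` flag did not have this hazard. A comment above the loop such as `// First REST-exposed, author-supporting post type the user can edit grants access; any additional checks for this request must precede this block.` would keep that constraint visible. It would also help to state in the method's docblock that `who=authors` requires `edit_posts` on at least one `show_in_rest` post type that supports authors, since that is the rule enforced by this branch. The enclosing method starts before the hunk.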