From c27ab74ca92ed444bb568fae670b93aa2a2fc2a4 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Fri, 3 Jan 2020 02:26:36 +0000
Subject: [PATCH] REST API: Synchronize permission checks in `::get_items_permissions_check()` methods for post types, post statuses, and users:

* Only query post types with `'show_in_rest' => true` instead of looping over all post types and checking the `show_in_rest` property separately.
* Return from the `foreach()` loop as soon as the permission check succeeded.

Props pbiron, TimothyBlynJacobs, SergeyBiryukov.
Fixes #49118.
git-svn-id: https://develop.svn.wordpress.org/trunk@47034 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../class-wp-rest-post-statuses-controller.php | 1 +
 .../class-wp-rest-post-types-controller.php | 17 ++++++++++-------
 .../class-wp-rest-users-controller.php | 11 +++++------
 3 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-post-statuses-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-post-statuses-controller.php
index 318f6c1a43aa0..ccb44b7b80313 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-post-statuses-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-post-statuses-controller.php
@@ -89,6 +89,7 @@ public function get_items_permissions_check( $request ) {
 return true;
 }
 }
+
 return new WP_Error( 'rest_cannot_view', __( 'Sorry, you are not allowed to manage post statuses.' ), array( 'status' => rest_authorization_required_code() ) );
 }
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-post-types-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-post-types-controller.php
index 75cd522a1e70c..9b079fbf0cf7d 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-post-types-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-post-types-controller.php
@@ -81,8 +81,10 @@ public function register_routes() {
 */
 public function get_items_permissions_check( $request ) {
 if ( 'edit' === $request['context'] ) {
- foreach ( get_post_types( array(), 'object' ) as $post_type ) {
- if ( ! empty( $post_type->show_in_rest ) && current_user_can( $post_type->cap->edit_posts ) ) {
+ $types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
+
+ foreach ( $types as $type ) {
+ if ( current_user_can( $type->cap->edit_posts ) ) {
 return true;
 }
 }
@@ -102,15 +104,16 @@ public function get_items_permissions_check( $request ) {
 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
 */
 public function get_items( $request ) {
- $data = array();
+ $data = array();
+ $types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
- foreach ( get_post_types( array(), 'object' ) as $obj ) {
- if ( empty( $obj->show_in_rest ) || ( 'edit' === $request['context'] && ! current_user_can( $obj->cap->edit_posts ) ) ) {
+ foreach ( $types as $type ) {
+ if ( 'edit' === $request['context'] && ! current_user_can( $type->cap->edit_posts ) ) {
 continue;
 }
- $post_type = $this->prepare_item_for_response( $obj, $request );
- $data[ $obj->name ] = $this->prepare_response_for_collection( $post_type );
+ $post_type = $this->prepare_item_for_response( $type, $request );
+ $data[ $type->name ] = $this->prepare_response_for_collection( $post_type );
 }
 return rest_ensure_response( $data );
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
index a83a91b64058f..60604f55de828 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
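Review bot: The filter `get_post_types( array( 'show_in_rest' => true ), 'objects' )` is now spelled out verbatim in this hunk, again in `get_items()` just below, and a third time in the users controller; a small protected helper returning the REST-exposed post types would keep the permission check and the collection filter from drifting apart again, which is exactly the desynchronisation this commit corrects. The old check was `! empty( $post_type->show_in_rest )`, which accepted any truthy value, whereas the new argument-based filter relies on how `get_post_types()` compares `show_in_rest` against `true`; that comparison is not visible here, so it is worth confirming a post type registered with a non-boolean truthy value still passes the edit-context check rather than silently dropping out. The fail-closed `WP_Error` return after the loop lies outside the hunk.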
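Review bot: In `get_items()` the expression `'edit' === $request['context']` is re-evaluated on every loop iteration even though it cannot change inside the loop; hoisting it keeps the loop body to the capability check alone, `$edit_context = 'edit' === $request['context'];` before the `foreach` and `if ( $edit_context && ! current_user_can( $type->cap->edit_posts ) ) {` inside it. A one-line comment on the skip would also help the next reader, e.g. `// In edit context, list only post types the current user can edit, mirroring get_items_permissions_check().` The method's closing brace is past the end of the hunk.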
@@ -199,17 +199,16 @@ public function get_items_permissions_check( $request ) {
 }
 if ( 'authors' === $request['who'] ) {
- $can_view = false;
- $types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
+ $types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
+
 foreach ( $types as $type ) {
 if ( post_type_supports( $type->name, 'author' ) && current_user_can( $type->cap->edit_posts ) ) {
- $can_view = true;
+ return true;
 }
 }
- if ( ! $can_view ) {
- return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
- }
+
+ return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
 }
 return true;
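Review bot: The `who=authors` branch now returns on the first REST-exposed post type that both supports authors and is editable by the current user, and otherwise falls through to `rest_forbidden_who`, so the fail-closed default of the old `$can_view` flag is preserved; the rule itself is stated nowhere in the hunk, and a comment above the `foreach` would save the next reader from re-deriving it, e.g. `// Listing authors is allowed only for users who can edit at least one REST-exposed post type that supports authors.` With two `return true;` sites now in the method, the final one after the `if` block deserves its own short comment saying that other `who` values need no further capability check here, hedged as "presumably" unless the checks above the hunk confirm it. The enclosing method starts before the hunk; its first visible line is the closing brace of a preceding block.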