<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[60814] trunk: REST API: Increase the specificity of capability checks for collections when the `edit` context is in use.</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { white-space: pre-line; overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/60814">60814</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/60814","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>johnbillion</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2025-09-30 15:49:18 +0000 (Tue, 30 Sep 2025)</dd>
</dl>
<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>REST API: Increase the specificity of capability checks for collections when the `edit` context is in use.
The edit access in now taken into account for each individual post, term, or user in the response.
Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, rmccue, timothyblynjacobs, vortfu, whyisjake, zieladam.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpincludesrestapiendpointsclasswprestpostscontrollerphp">trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php</a></li>
<li><a href="#trunksrcwpincludesrestapiendpointsclasswpresttermscontrollerphp">trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php</a></li>
<li><a href="#trunksrcwpincludesrestapiendpointsclasswprestuserscontrollerphp">trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php</a></li>
<li><a href="#trunktestsphpunittestsrestapirestuserscontrollerphp">trunk/tests/phpunit/tests/rest-api/rest-users-controller.php</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpincludesrestapiendpointsclasswprestpostscontrollerphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php 2025-09-30 12:46:53 UTC (rev 60813)
+++ trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php 2025-09-30 15:49:18 UTC (rev 60814)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -463,7 +463,13 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> foreach ( $query_result as $post ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( ! $this->check_read_permission( $post ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( 'edit' === $request['context'] ) {
+ $permission = $this->check_update_permission( $post );
+ } else {
+ $permission = $this->check_read_permission( $post );
+ }
+
+ if ( ! $permission ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> continue;
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span></span></pre></div>
<a id="trunksrcwpincludesrestapiendpointsclasswpresttermscontrollerphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php 2025-09-30 12:46:53 UTC (rev 60813)
+++ trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php 2025-09-30 15:49:18 UTC (rev 60814)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -365,6 +365,10 @@
</span><span class="cx" style="display: block; padding: 0 10px"> if ( ! $is_head_request ) {
</span><span class="cx" style="display: block; padding: 0 10px"> $response = array();
</span><span class="cx" style="display: block; padding: 0 10px"> foreach ( $query_result as $term ) {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( 'edit' === $request['context'] && ! current_user_can( 'edit_term', $term->term_id ) ) {
+ continue;
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> $data = $this->prepare_item_for_response( $term, $request );
</span><span class="cx" style="display: block; padding: 0 10px"> $response[] = $this->prepare_response_for_collection( $data );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span></span></pre></div>
<a id="trunksrcwpincludesrestapiendpointsclasswprestuserscontrollerphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php 2025-09-30 12:46:53 UTC (rev 60813)
+++ trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php 2025-09-30 15:49:18 UTC (rev 60814)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -220,7 +220,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error(
</span><span class="cx" style="display: block; padding: 0 10px"> 'rest_forbidden_context',
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- __( 'Sorry, you are not allowed to list users.' ),
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ __( 'Sorry, you are not allowed to edit users.' ),
</ins><span class="cx" style="display: block; padding: 0 10px"> array( 'status' => rest_authorization_required_code() )
</span><span class="cx" style="display: block; padding: 0 10px"> );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -379,6 +379,10 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $users = array();
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> foreach ( $query->get_results() as $user ) {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
+ continue;
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> $data = $this->prepare_item_for_response( $user, $request );
</span><span class="cx" style="display: block; padding: 0 10px"> $users[] = $this->prepare_response_for_collection( $data );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -479,13 +483,15 @@
</span><span class="cx" style="display: block; padding: 0 10px"> return true;
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error(
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- 'rest_user_cannot_view',
- __( 'Sorry, you are not allowed to list users.' ),
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ 'rest_forbidden_context',
+ __( 'Sorry, you are not allowed to edit this user.' ),
</ins><span class="cx" style="display: block; padding: 0 10px"> array( 'status' => rest_authorization_required_code() )
</span><span class="cx" style="display: block; padding: 0 10px"> );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- } elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ }
+
+ if ( ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) && ! count_user_posts( $user->ID, $types ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error(
</span><span class="cx" style="display: block; padding: 0 10px"> 'rest_user_cannot_view',
</span><span class="cx" style="display: block; padding: 0 10px"> __( 'Sorry, you are not allowed to list users.' ),
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1086,7 +1092,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $data['slug'] = $user->user_nicename;
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( in_array( 'roles', $fields, true ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( in_array( 'roles', $fields, true ) && ( current_user_can( 'list_users' ) || current_user_can( 'edit_user', $user->ID ) ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> // Defensively call array_values() to ensure an array is returned.
</span><span class="cx" style="display: block; padding: 0 10px"> $data['roles'] = array_values( $user->roles );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span></span></pre></div>
<a id="trunktestsphpunittestsrestapirestuserscontrollerphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/rest-api/rest-users-controller.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/rest-api/rest-users-controller.php 2025-09-30 12:46:53 UTC (rev 60813)
+++ trunk/tests/phpunit/tests/rest-api/rest-users-controller.php 2025-09-30 15:49:18 UTC (rev 60814)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1313,7 +1313,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', $author_id ) );
</span><span class="cx" style="display: block; padding: 0 10px"> $request->set_param( 'context', 'edit' );
</span><span class="cx" style="display: block; padding: 0 10px"> $response = rest_get_server()->dispatch( $request );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $this->assertErrorResponse( 'rest_forbidden_context', $response, 401 );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span></span></pre>
</div>
</div>
</body>
</html>