[wp-trac] [WordPress Trac] #38505: Single-term API endpoints should use term-specific caps
WordPress Trac
noreply at wordpress.org
Tue Nov 1 19:41:01 UTC 2016
#38505: Single-term API endpoints should use term-specific caps
------------------------------------+---------------------------
 Reporter:  boonebgorges            |       Owner:  boonebgorges
     Type:  defect (bug)            |      Status:  assigned
 Priority:  normal                  |   Milestone:  4.7
Component:  REST API                |     Version:  trunk
 Severity:  normal                  |  Resolution:
 Keywords:  has-patch dev-feedback  |     Focuses:
------------------------------------+---------------------------
Comment (by rachelbaker):
Replying to [comment:3 boonebgorges]:
Yes, this does fit our pattern for permission checks.
> 'assign_term' is trickier. Terms are assigned to posts in the
> `/{post_type}/` create and update endpoints. So I suppose the proper
> approach is to add a check to `create_item_permissions_check()` and
> `update_item_permissions_check()` that looks like this:
>
> {{{
> $taxonomies = wp_list_filter( get_object_taxonomies( $this->post_type, 'objects' ), array( 'show_in_rest' => true ) );
> foreach ( $taxonomies as $taxonomy ) {
>     $base = ! empty( $taxonomy->rest_base ) ? $taxonomy->rest_base : $taxonomy->name;
>
>     if ( ! isset( $request[ $base ] ) ) {
>         continue;
>     }
>
>     foreach ( $request[ $base ] as $term_id ) {
>         if ( ! current_user_can( 'assign_term', (int) $term_id ) ) {
>             return new WP_Error( 'rest_cannot_assign_term', __( 'You are not allowed to assign this term as this user.' ), array( 'status' => rest_authorization_required_code() ) );
>         }
>     }
> }
> }}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38505#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform