[wp-trac] [WordPress Trac] #38505: Single-term API endpoints should use term-specific caps
WordPress Trac
noreply at wordpress.org
Wed Nov 2 03:28:50 UTC 2016
#38505: Single-term API endpoints should use term-specific caps
------------------------------------+---------------------------
Reporter: boonebgorges | Owner: boonebgorges
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 4.7
Component: REST API | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch dev-feedback | Focuses:
------------------------------------+---------------------------
Comment (by boonebgorges):
Thank you, @rachelbaker.
[attachment:38505.2.diff] adds the 'assign_term' check for post create and
update. I've centralized some of the logic.
`current_user_can( 'assign_term', $term_id )` will fail if `$term_id`
points to a term that doesn't exist. This poses a problem because the
permission check happens very early in the request, which means that
passing a bad term ID will result in a 403. Current behavior is that the
post is created (200) but the term is not assigned (see
`test_create_post_with_invalid_categories()`). I can see an argument for
returning some variety of 40x in this case, but definitely not 403. I've
added a check to make sure the term exists before doing a cap check on it.
The remaining question is whether we want to introduce this behavior here
even though the 'assign_term' check isn't applied in the Dashboard UI. I
lean yes on this, but I can also appreciate the desire to maintain parity.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38505#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
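The ordering the comment describes, as an added illustration rather than the ticket's own patch: resolve each term before the `assign_term` capability check so that a missing term produces a distinct error instead of a 403. The function name `example_check_assign_terms` and the choice of a 400 status for the missing-term case are assumptions; the comment itself leaves the exact 40x open.

```php
<?php
// Added example, not the attachment from the ticket. Assumes the WordPress
// functions get_term(), current_user_can(), rest_authorization_required_code()
// and the WP_Error class are loaded (i.e. this runs inside WordPress).
function example_check_assign_terms( array $term_ids, $taxonomy ) {
    foreach ( $term_ids as $term_id ) {
        $term_id = (int) $term_id;

        // Existence check first: current_user_can( 'assign_term', $id ) fails
        // for an unknown term, which would otherwise surface as a 403.
        $term = get_term( $term_id, $taxonomy );
        if ( ! $term || is_wp_error( $term ) ) {
            return new WP_Error(
                'example_invalid_term',
                sprintf( 'Term %d does not exist in taxonomy %s.', $term_id, $taxonomy ),
                array( 'status' => 400 ) // assumed status; the ticket does not fix one
            );
        }

        // Only a real term reaches the capability check, so a failure here
        // is a genuine authorization problem and 401/403 is the right answer.
        if ( ! current_user_can( 'assign_term', $term->term_id ) ) {
            return new WP_Error(
                'example_cannot_assign_term',
                sprintf( 'You are not allowed to assign term %d.', $term->term_id ),
                array( 'status' => rest_authorization_required_code() )
            );
        }
    }

    return true;
}
```

A caller would run this before touching the post, so the bad-ID case never reaches the "post created but term silently dropped" path the comment mentions.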