[wp-trac] [WordPress Trac] #38505: Single-term API endpoints should use term-specific caps
WordPress Trac
noreply at wordpress.org
Wed Oct 26 02:42:48 UTC 2016
#38505: Single-term API endpoints should use term-specific caps
------------------------------------+---------------------------
Reporter: boonebgorges | Owner: boonebgorges
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 4.7
Component: REST API | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch dev-feedback | Focuses:
------------------------------------+---------------------------
Changes (by boonebgorges):
* keywords: needs-patch => has-patch dev-feedback
Comment:
[attachment:38505.diff] implements 'edit_term' and 'delete_term' in the
respective term endpoints. @johnbillion As the shepherd of #35614, I'd
appreciate a sanity check on the approach (especially the hackish tests).
'assign_term' is trickier. Terms are assigned to posts in the
`/{post_type}/` create and update endpoints. So I suppose the proper
approach is to add a check to `create_item_permissions_check()` and
`update_item_permissions_check()` that looks like this:
{{{
// Only taxonomies exposed via the REST API can be set through the request body.
$taxonomies = wp_list_filter( get_object_taxonomies( $this->post_type, 'objects' ), array( 'show_in_rest' => true ) );
foreach ( $taxonomies as $taxonomy ) {
	// Request key is the taxonomy's rest_base (e.g. 'categories'), falling back to its name.
	$base = ! empty( $taxonomy->rest_base ) ? $taxonomy->rest_base : $taxonomy->name;
	if ( ! isset( $request[ $base ] ) ) {
		continue;
	}
	foreach ( $request[ $base ] as $term_id ) {
		// Per-term meta cap; map_meta_cap() resolves it against the taxonomy's assign_terms cap.
		if ( ! current_user_can( 'assign_term', (int) $term_id ) ) {
			return new WP_Error( 'rest_cannot_assign_term', __( 'You are not allowed to assign this term as this user.' ), array( 'status' => rest_authorization_required_code() ) );
		}
	}
}
}}}
API team - does this seem like the right pattern?
I hesitate because #35614 doesn't do a similar sort of implementation for
native WP UIs. The only place where 'assign_term' is implemented is in an
XML-RPC endpoint. The post edit interface doesn't do any sort of check
like this. @johnbillion Was this an intentional oversight? It seems like a
bug to me, but maybe there's a reason behind it.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38505#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
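Worked example of the 'assign_term' check proposed in the comment above, as a reusable helper wired into both the create and update permission callbacks. This is added illustration, not WordPress core code and not the contents of 38505.diff. It assumes a WordPress 4.7 environment in which #35614 maps the 'assign_term' meta cap through map_meta_cap() to the taxonomy's assign_terms capability and fails closed (do_not_allow) for a term ID that does not resolve to a term; the helper name wp38505_check_assignable_terms() and the controller subclass WP38505_Posts_Controller are hypothetical.

```php
<?php
/**
 * Added example: return true if every term the request tries to assign may be
 * assigned by the current user, otherwise a WP_Error that the endpoint returns
 * before any term is written. Not core code; helper name is hypothetical.
 *
 * @param string          $post_type Post type handled by the controller.
 * @param WP_REST_Request $request   The incoming create/update request.
 * @return true|WP_Error
 */
function wp38505_check_assignable_terms( $post_type, WP_REST_Request $request ) {
	// Only taxonomies exposed via the REST API can appear in the request body.
	$taxonomies = wp_list_filter(
		get_object_taxonomies( $post_type, 'objects' ),
		array( 'show_in_rest' => true )
	);

	foreach ( $taxonomies as $taxonomy ) {
		// The request key is the taxonomy's rest_base, falling back to its name
		// (e.g. 'categories' for 'category', 'tags' for 'post_tag').
		$base = ! empty( $taxonomy->rest_base ) ? $taxonomy->rest_base : $taxonomy->name;

		if ( ! isset( $request[ $base ] ) ) {
			continue; // Client did not touch this taxonomy at all.
		}

		// Schema validation normally guarantees an array of integers before the
		// permission callback runs; the cast and is_numeric() are defensive so a
		// scalar or malformed value cannot slip past the per-term check. An empty
		// list only clears existing terms and assigns nothing, so it passes.
		foreach ( (array) $request[ $base ] as $term_id ) {
			if ( ! is_numeric( $term_id ) ) {
				return new WP_Error(
					'rest_invalid_term_id',
					__( 'Term IDs must be integers.' ),
					array( 'status' => 400 )
				);
			}

			// Per-term check: honours taxonomies registered with a custom
			// assign_terms cap and fails closed on IDs that are not real terms
			// (assumption: map_meta_cap() returns do_not_allow for those).
			if ( ! current_user_can( 'assign_term', (int) $term_id ) ) {
				return new WP_Error(
					'rest_cannot_assign_term',
					__( 'Sorry, you are not allowed to assign this term.' ),
					array( 'status' => rest_authorization_required_code() )
				);
			}
		}
	}

	return true;
}

/**
 * Added example of the wiring: run the existing post-level checks first, then
 * the term-level check, in both permission callbacks. Hypothetical subclass.
 */
class WP38505_Posts_Controller extends WP_REST_Posts_Controller {
	public function create_item_permissions_check( $request ) {
		$allowed = parent::create_item_permissions_check( $request );
		if ( true !== $allowed ) {
			return $allowed; // edit_posts / author / sticky checks already failed.
		}
		return wp38505_check_assignable_terms( $this->post_type, $request );
	}

	public function update_item_permissions_check( $request ) {
		$allowed = parent::update_item_permissions_check( $request );
		if ( true !== $allowed ) {
			return $allowed;
		}
		return wp38505_check_assignable_terms( $this->post_type, $request );
	}
}
```

The term check deliberately runs after the post-level checks so that a caller who cannot edit the post at all gets the existing error rather than a term-specific one, and the first failing term ID short-circuits the request: with the check in the permission callback rather than in the insert path, nothing about the post is created or modified when any term in the body is out of the caller's reach. Registering the subclass for a post type is left to the caller (for example through the post type's rest_controller_class argument, assumed available in 4.7).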