[wp-trac] [WordPress Trac] #38505: Single-term API endpoints should use term-specific caps
WordPress Trac
noreply at wordpress.org
Wed Oct 26 14:59:23 UTC 2016
#38505: Single-term API endpoints should use term-specific caps
------------------------------------+---------------------------
Reporter: boonebgorges | Owner: boonebgorges
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 4.7
Component: REST API | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch dev-feedback | Focuses:
------------------------------------+---------------------------
Comment (by boonebgorges):

Thanks for the eyeballs, @johnbillion. I've added the suggested tests as
part of [38960].

The 'assign_term' question still stands. Three thoughts:

1. The fact that 'assign_term' isn't actually implemented in the UI
severely limits how useful it'll be to developers. I can imagine this
behavior leading to unexpected security issues.

2. If 'assign_term' is not going to be implemented in the UI for 4.7,
maybe we don't bother implementing in the API either (i.e., we continue to
use taxonomy caps)? We're generally going for feature parity between the
two, right?

3. The cap-check pattern [comment:3 I proposed above] requires a bit more
code duplication than simply putting the check in the `handle_terms()`
method. But (a) I assume that if we can't perform part of the request
(assigning a term) we don't want to perform *any* of the request? (Though
this is not how it currently works - the post will be created, but you'll
get an error object from the API.) And (b) keeping permissions checks
together seems more maintainable and readable.

1 and 2 are questions for @johnbillion, 3 is an architecture question for
the API team.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38505#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform