[wp-trac] [WordPress Trac] #43701: Make the "read_only" cap truly accessible over the REST API
WordPress Trac
noreply at wordpress.org
Thu Apr 5 16:02:22 UTC 2018
#43701: Make the "read_only" cap truly accessible over the REST API
--------------------------+-----------------------------
Reporter: twoelevenjay | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: 4.9.5
Severity: normal | Keywords:
Focuses: rest-api |
--------------------------+-----------------------------
When it comes to the "private" status of a post type, WordPress has a
separate capability for editing post types and reading private post types.
It so happens that default user roles and capabilities do not include one
user who can only read a private post type without also having the ability
to edit the post type.
When adding the "status" parameter to a rest route, the
`WP_REST_Posts_Controller` checks to see if the current user can edit the
private post type. If a user role is set to view a private post type but
not edit the post type then a rest route intended to return a private post
type on GET for read only purposes will fail.
I propose amending `/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php` line `2286`.
Changing:
{{{
if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
}}}
to:
{{{
if ( current_user_can( $post_type_obj->cap->edit_posts ) ||
current_user_can( $post_type_obj->cap->read_private_posts ) ) {
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43701>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
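An added regression test for the behaviour the ticket describes (example code, not from the report or from WordPress core), assuming the WordPress PHPUnit test suite and a hypothetical `private_reader` role that holds `read_private_posts` without `edit_posts`:

```php
<?php
// Added regression test for #43701; not code from the ticket or from core.
// Assumes WP_UnitTestCase, the test factories and rest_get_server(). The role
// "private_reader" is hypothetical: read_private_posts without edit_posts.
class Tests_REST_Read_Private_Posts extends WP_UnitTestCase {
	protected $reader_id;
	protected $private_id;
	protected $draft_id;

	public function setUp() {
		parent::setUp();
		add_role( 'private_reader', 'Private Reader', array(
			'read'               => true,
			'read_private_posts' => true,
		) );
		$this->reader_id  = $this->factory->user->create( array( 'role' => 'private_reader' ) );
		$this->private_id = $this->factory->post->create( array( 'post_status' => 'private' ) );
		$this->draft_id   = $this->factory->post->create( array( 'post_status' => 'draft' ) );
	}

	public function tearDown() {
		remove_role( 'private_reader' );
		parent::tearDown();
	}

	// Helper: GET /wp/v2/posts?status=<status> as the private reader.
	protected function list_posts_with_status( $status ) {
		wp_set_current_user( $this->reader_id );
		$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
		$request->set_param( 'status', $status );
		return rest_get_server()->dispatch( $request );
	}

	// Fails on 4.9.5 with rest_forbidden_status (403) because the status
	// sanitizer only checks edit_posts; passes once read_private_posts is accepted.
	public function test_private_reader_can_list_private_posts() {
		$response = $this->list_posts_with_status( 'private' );
		$this->assertEquals( 200, $response->get_status() );
		$this->assertContains( $this->private_id, wp_list_pluck( $response->get_data(), 'id' ) );
	}

	// The widened status check must not expose drafts: the per-post
	// check_read_permission() still requires edit_post for a draft.
	public function test_private_reader_cannot_see_drafts() {
		$response = $this->list_posts_with_status( 'draft' );
		$ids = 200 === $response->get_status() ? wp_list_pluck( $response->get_data(), 'id' ) : array();
		$this->assertNotContains( $this->draft_id, $ids );
	}
}
```

The first test documents the defect and the second confirms that accepting `read_private_posts` in the status check does not leak posts the user still cannot read individually.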