[wp-trac] [WordPress Trac] #43701: Make the "read_only" cap truly accessible over the REST API

WordPress Trac noreply at wordpress.org
Thu Apr 5 16:02:22 UTC 2018


#43701: Make the "read_only" cap truly accessible over the REST API
--------------------------+-----------------------------
 Reporter:  twoelevenjay  |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  REST API      |    Version:  4.9.5
 Severity:  normal        |   Keywords:
  Focuses:  rest-api      |
--------------------------+-----------------------------
 When it comes to the "private" status of a post type, WordPress has a
 separate capability for editing post types and reading private post types.
 It so happens that default user roles and capabilities do not include one
 user who can only read a private post type without also having the ability
 to edit the post type.

 When adding the "status" parameter to a rest route, the
 `WP_REST_Posts_Controller` checks to see if the current user can edit the
 private post type. If a user role is set to view a private post type but
 not edit the post type then a rest route intended to return a private post
 type on GET for read only purposes will fail.

 I propose amending `/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php` line `2286`.

 Changing:

 {{{
 if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
 }}}

 to:

 {{{
 if ( current_user_can( $post_type_obj->cap->edit_posts ) ||
 current_user_can( $post_type_obj->cap->read_private_posts ) ) {
 }}}

--
Ticket URL: <https://core.trac.wordpress.org/ticket/43701>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
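As an added example (not code from the ticket or from WordPress core), the plugin snippet below shows the separation of capabilities the ticket describes: a role that holds `read_private_posts` without `edit_posts`, and a read-only REST route whose permission callback accepts either capability, exactly as the proposed change would. The role name `private_reader` and the route namespace `private-reader/v1` are assumptions.

```php
<?php
/**
 * Added example, not part of the ticket or of WordPress core.
 * Creates a read-only role for private posts and a GET route whose
 * permission check honours read_private_posts alongside edit_posts.
 */

// Hypothetical role with only the read-side capabilities for posts.
add_action( 'init', function () {
    add_role( 'private_reader', 'Private Reader', array(
        'read'               => true,
        'read_private_posts' => true,
    ) );
} );

// Permission callback mirroring the proposed core condition:
// either the edit cap or the read_private cap grants access.
function private_reader_can_list_private( WP_REST_Request $request ) {
    $post_type_obj = get_post_type_object( 'post' );
    if ( current_user_can( $post_type_obj->cap->edit_posts )
        || current_user_can( $post_type_obj->cap->read_private_posts ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden_status',
        __( 'Sorry, you are not allowed to read private posts.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

// Handler exposes only a listing; no write path is registered.
function private_reader_list_private( WP_REST_Request $request ) {
    $posts = get_posts( array(
        'post_type'      => 'post',
        'post_status'    => 'private',
        'posts_per_page' => 10,
    ) );
    $out = array();
    foreach ( $posts as $post ) {
        $out[] = array( 'id' => $post->ID, 'title' => get_the_title( $post ) );
    }
    return rest_ensure_response( $out );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'private-reader/v1', '/posts', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'private_reader_list_private',
        'permission_callback' => 'private_reader_can_list_private',
    ) );
} );
```

A user assigned only `private_reader` gets a 200 from `GET /wp-json/private-reader/v1/posts` but still receives `rest_forbidden_status` from core's `?status=private` on `/wp/v2/posts` until the proposed change lands.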