[wp-trac] [WordPress Trac] #48764: REST API explicitly checks for publish_posts capability without post ID
WordPress Trac
noreply at wordpress.org
Fri Nov 22 10:18:10 UTC 2019
#48764: REST API explicitly checks for publish_posts capability without post ID
--------------------------+-----------------------------
 Reporter:  djzone        |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  REST API      |    Version:
 Severity:  normal        |   Keywords:  has-patch
  Focuses:  rest-api      |
--------------------------+-----------------------------
Recently we have developed a custom editorial workflow on top of
wp-admin, and we had a feature that only enabled publishing if the
post_parent is a certain page.

So basically we had a user with the **author** role, who only has the
publish_posts capability if the page's post_parent is a certain page. We
are checking this access with a filter on **user_has_cap**, and there, if
the {{{$args['2']}}} is present, we check the parent (or actually the whole
ancestor chain) and if the parent is in the chain we grant the access.

This worked pretty well for us, in PHP and in Gutenberg as well, up until a
point where we found out that the REST API Posts Controller fails to
publish the post and throws a **rest_cannot_post** error, because in the
**handle_status_param()** function the **current_user_can** filter explicitly
checks for the **publish_posts** capability without including the page ID,
therefore the capability won't be added to the $allcaps array in
**has_caps** because the ID is not provided.

Of course we've built around that by parsing the REST API URL, and at the
end there's the page ID, but it's just not elegant, and I believe this is
a bug in the Posts Controller.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48764>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
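
The object-scoped grant described in the ticket, as an added example that is not the reporter's plugin and not WordPress core code. It assumes it is loaded as a plugin, that the user's role does not hold publish_posts on its own, and uses the hypothetical names WORKFLOW_ROOT_PAGE_ID, workflow_grant_publish_under_root and workflow_compare_checks.

```php
<?php
// Added illustration. WORKFLOW_ROOT_PAGE_ID is a constructed sample value.
const WORKFLOW_ROOT_PAGE_ID = 42;

add_filter( 'user_has_cap', 'workflow_grant_publish_under_root', 10, 3 );

/**
 * Grant publish_posts only when the capability check names a post
 * whose ancestor chain contains the workflow root page.
 *
 * $args[0] = requested capability, $args[1] = user ID,
 * $args[2] = object ID (present only if the caller passed one).
 */
function workflow_grant_publish_under_root( $allcaps, $caps, $args ) {
	if ( ! in_array( 'publish_posts', (array) $caps, true ) ) {
		return $allcaps; // Not a publish check; leave untouched.
	}
	if ( empty( $args[2] ) ) {
		// No object ID: the filter cannot tell which post is meant,
		// so it fails closed. This is the path the ticket says the
		// REST controller's status check takes.
		return $allcaps;
	}
	$ancestors = get_post_ancestors( (int) $args[2] );
	if ( in_array( WORKFLOW_ROOT_PAGE_ID, $ancestors, true ) ) {
		$allcaps['publish_posts'] = true;
	}
	return $allcaps;
}

/**
 * Run the same capability check with and without the object ID,
 * so the two results can be compared for one user and one post.
 */
function workflow_compare_checks( $user_id, $post_id ) {
	return array(
		'without_id' => user_can( $user_id, 'publish_posts' ),
		'with_id'    => user_can( $user_id, 'publish_posts', $post_id ),
	);
}
```

For a post under the root page, only the `with_id` check can be granted by this filter; a caller that omits the ID gets the role's base capabilities and nothing more.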