From f37a28858d662135bffff7a2f77d52408595da91 Mon Sep 17 00:00:00 2001 From: Dominik Schilling Date: Sat, 23 May 2020 15:22:53 +0000 Subject: [PATCH] Role/Capability: Use meta caps `edit_post`, `read_post`, and `delete_post` directly. Rather than consulting the post type object, let `map_meta_cap()` handle that for us. Props peterwilsoncc, ocean90. Fixes #50128. See #23226. git-svn-id: https://develop.svn.wordpress.org/trunk@47850 602fd350-edb4-49c9-b593-d223f7449a82 --- .../class-wp-customize-nav-menus.php | 2 +- .../class-wp-rest-attachments-controller.php | 17 ++++++----------- .../class-wp-rest-autosaves-controller.php | 4 +--- .../class-wp-rest-blocks-controller.php | 5 ++--- .../class-wp-rest-comments-controller.php | 2 +- .../class-wp-rest-posts-controller.php | 6 +++--- .../class-wp-rest-revisions-controller.php | 10 +++------- tests/phpunit/tests/rest-api.php | 1 - 8 files changed, 17 insertions(+), 30 deletions(-) diff --git a/src/wp-includes/class-wp-customize-nav-menus.php b/src/wp-includes/class-wp-customize-nav-menus.php index df374b9865..ef152895a8 100644 --- a/src/wp-includes/class-wp-customize-nav-menus.php +++ b/src/wp-includes/class-wp-customize-nav-menus.php @@ -1356,7 +1356,7 @@ final class WP_Customize_Nav_Menus { if ( ! $post_type_obj ) { continue; } - if ( ! current_user_can( $post_type_obj->cap->publish_posts ) || ! current_user_can( $post_type_obj->cap->edit_post, $post_id ) ) { + if ( ! current_user_can( $post_type_obj->cap->publish_posts ) || ! current_user_can( 'edit_post', $post_id ) ) { continue; } $post_ids[] = $post->ID; diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php index 475d273f4f..d30c6c0d90 100644 --- a/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php +++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php @@ -109,17 +109,12 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { } // Attaching media to a post requires ability to edit said post. - if ( ! empty( $request['post'] ) ) { - $parent = get_post( (int) $request['post'] ); - $post_parent_type = get_post_type_object( $parent->post_type ); - - if ( ! current_user_can( $post_parent_type->cap->edit_post, $request['post'] ) ) { - return new WP_Error( - 'rest_cannot_edit', - __( 'Sorry, you are not allowed to upload media to this post.' ), - array( 'status' => rest_authorization_required_code() ) - ); - } + if ( ! empty( $request['post'] ) && ! current_user_can( 'edit_post', (int) $request['post'] ) ) { + return new WP_Error( + 'rest_cannot_edit', + __( 'Sorry, you are not allowed to upload media to this post.' ), + array( 'status' => rest_authorization_required_code() ) + ); } return true; diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php index 5cc85738ac..5378e3f276 100644 --- a/src/wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php +++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php @@ -160,9 +160,7 @@ class WP_REST_Autosaves_Controller extends WP_REST_Revisions_Controller { return $parent; } - $parent_post_type_obj = get_post_type_object( $parent->post_type ); - - if ( ! current_user_can( $parent_post_type_obj->cap->edit_post, $parent->ID ) ) { + if ( ! current_user_can( 'edit_post', $parent->ID ) ) { return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to view autosaves of this post.' ), diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-blocks-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-blocks-controller.php index 7dd8d36532..7d5237fb37 100644 --- a/src/wp-includes/rest-api/endpoints/class-wp-rest-blocks-controller.php +++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-blocks-controller.php @@ -28,9 +28,8 @@ class WP_REST_Blocks_Controller extends WP_REST_Posts_Controller { * @return bool Whether the block can be read. */ public function check_read_permission( $post ) { - // Ensure that the user is logged in and has the read_blocks capability. - $post_type = get_post_type_object( $post->post_type ); - if ( ! current_user_can( $post_type->cap->read_post, $post->ID ) ) { + // By default the read_post capability is mapped to edit_posts. + if ( ! current_user_can( 'read_post', $post->ID ) ) { return false; } diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php index f12082c3c0..da2457c85a 100644 --- a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php +++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php @@ -1774,7 +1774,7 @@ class WP_REST_Comments_Controller extends WP_REST_Controller { } if ( post_password_required( $post ) ) { - $result = current_user_can( $post_type->cap->edit_post, $post->ID ); + $result = current_user_can( 'edit_post', $post->ID ); } else { $result = $posts_controller->check_read_permission( $post ); } diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php index d07006f762..ea0375e10d 100644 --- a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php +++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php @@ -1479,7 +1479,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller { } // Is the post readable? - if ( 'publish' === $post->post_status || current_user_can( $post_type->cap->read_post, $post->ID ) ) { + if ( 'publish' === $post->post_status || current_user_can( 'read_post', $post->ID ) ) { return true; } @@ -1522,7 +1522,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller { return false; } - return current_user_can( $post_type->cap->edit_post, $post->ID ); + return current_user_can( 'edit_post', $post->ID ); } /** @@ -1558,7 +1558,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller { return false; } - return current_user_can( $post_type->cap->delete_post, $post->ID ); + return current_user_can( 'delete_post', $post->ID ); } /** diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php index cc1945ae9d..295a20f81c 100644 --- a/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php +++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php @@ -169,9 +169,7 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller { return $parent; } - $parent_post_type_obj = get_post_type_object( $parent->post_type ); - - if ( ! current_user_can( $parent_post_type_obj->cap->edit_post, $parent->ID ) ) { + if ( ! current_user_can( 'edit_post', $parent->ID ) ) { return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to view revisions of this post.' ), @@ -409,7 +407,7 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller { $parent_post_type = get_post_type_object( $parent->post_type ); - if ( ! current_user_can( $parent_post_type->cap->delete_post, $parent->ID ) ) { + if ( ! current_user_can( 'delete_post', $parent->ID ) ) { return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete revisions of this post.' ), @@ -427,9 +425,7 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller { return $response; } - $post_type = get_post_type_object( 'revision' ); - - if ( ! current_user_can( $post_type->cap->delete_post, $revision->ID ) ) { + if ( ! current_user_can( 'delete_post', $revision->ID ) ) { return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete this revision.' ), diff --git a/tests/phpunit/tests/rest-api.php b/tests/phpunit/tests/rest-api.php index 788dc069a8..f3cac8ede5 100644 --- a/tests/phpunit/tests/rest-api.php +++ b/tests/phpunit/tests/rest-api.php @@ -1323,7 +1323,6 @@ class Tests_REST_API extends WP_UnitTestCase { /** * @dataProvider rest_ensure_response_data_provider - * @group test1 * * @param mixed $response The response passed to rest_ensure_response(). * @param mixed $expected_data The expected data a response should include.