Allow shop managers to only manipulate customers on REST API
This commit is contained in:
parent
fff05e9434
commit
246cc569f3
@ -273,13 +273,29 @@ function wc_rest_check_post_permissions( $post_type, $context = 'read', $object_
|
||||||
function wc_rest_check_user_permissions( $context = 'read', $object_id = 0 ) {
|
function wc_rest_check_user_permissions( $context = 'read', $object_id = 0 ) {
|
||||||
$contexts = array(
|
$contexts = array(
|
||||||
'read' => 'list_users',
|
'read' => 'list_users',
|
||||||
'create' => 'edit_users',
|
'create' => 'promote_users', // Check if current user can create users, shop managers are not allowed to create users.
|
||||||
'edit' => 'edit_users',
|
'edit' => 'edit_users',
|
||||||
'delete' => 'delete_users',
|
'delete' => 'delete_users',
|
||||||
'batch' => 'edit_users',
|
'batch' => 'promote_users',
|
||||||
);
|
);
|
||||||
|
|
||||||
$permission = current_user_can( $contexts[ $context ], $object_id );
|
// Prevent shop_managers of doing changes or delete adminstrators.
|
||||||
|
if ( ! in_array( $context, array( 'create', 'batch' ), true ) && wc_current_user_has_role( 'shop_manager' ) ) {
|
||||||
|
$permission = false;
|
||||||
|
$user_data = get_userdata( $object_id );
|
||||||
|
$shop_manager_editable_roles = apply_filters( 'woocommerce_shop_manager_editable_roles', array( 'customer' ) );
|
||||||
|
|
||||||
|
if ( isset( $user_data->roles ) ) {
|
||||||
|
$can_manage_users = array_intersect( $user_data->roles, array_unique( $shop_manager_editable_roles ) );
|
||||||
|
|
||||||
|
// Check if Shop Manager can edit customer or with the is same shop manager.
|
||||||
|
if ( 0 < count( $can_manage_users ) || intval( $object_id ) === intval( get_current_user_id() ) ) {
|
||||||
|
$permission = current_user_can( $contexts[ $context ], $object_id );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$permission = current_user_can( $contexts[ $context ], $object_id );
|
||||||
|
}
|
||||||
|
|
||||||
return apply_filters( 'woocommerce_rest_check_permissions', $permission, $context, $object_id, 'user' );
|
return apply_filters( 'woocommerce_rest_check_permissions', $permission, $context, $object_id, 'user' );
|
||||||
}
|
}
|
||||||
|
|
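Review bot: The new guard `if ( ! in_array( $context, array( 'create', 'batch' ), true ) && wc_current_user_has_role( 'shop_manager' ) )` also routes the `read` context through the per-user role check, and a collection read arrives with the default `$object_id = 0`, so `get_userdata( 0 )` yields no roles, the self-check cannot match, and a shop manager is denied listing customers altogether. Since `create` and `batch` are already excluded, the role restriction only matters for the two contexts that act on an existing record; I would invert the condition to `if ( in_array( $context, array( 'edit', 'delete' ), true ) && wc_current_user_has_role( 'shop_manager' ) ) {` so reads fall back to the plain `list_users` capability check. If hiding non-customer records from shop managers on single-user reads is intended, keep `read` in the branch but exempt `0 === $object_id` explicitly instead of relying on the lookup failing. The two comments in the branch also carry typos (`adminstrators`, `or with the is same shop manager`) worth fixing while here.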