From a31ef08ed7aee525f1c014e21c047eb7bce556ea Mon Sep 17 00:00:00 2001 From: Claudio Sanches Date: Mon, 22 Feb 2016 17:48:38 -0300 Subject: [PATCH] Improved permissions check --- .../abstract-wc-rest-posts-controller.php | 122 +++++------------- 1 file changed, 30 insertions(+), 92 deletions(-) diff --git a/includes/abstracts/abstract-wc-rest-posts-controller.php b/includes/abstracts/abstract-wc-rest-posts-controller.php index 4143f6acbfe..5a3e579be9b 100644 --- a/includes/abstracts/abstract-wc-rest-posts-controller.php +++ b/includes/abstracts/abstract-wc-rest-posts-controller.php @@ -35,6 +35,35 @@ abstract class WC_REST_Posts_Controller extends WP_REST_Controller { */ protected $public = false; + /** + * Check if a given request has access to read a item. + * + * @param WP_REST_Request $request Full details about the request. + * @return WP_Error|boolean + */ + public function get_item_permissions_check( $request ) { + $post = get_post( (int) $request['id'] ); + + if ( $post ) { + $post_type = get_post_type_object( $this->post_type ); + return 'revision' !== $post->post_type && current_user_can( $post_type->cap->read_private_posts, $post->ID ); + } + + return true; + } + + /** + * Check if a given request has access to read items. + * + * @param WP_REST_Request $request Full details about the request. + * @return WP_Error|boolean + */ + public function get_items_permissions_check( $request ) { + $post_type = get_post_type_object( $this->post_type ); + + return current_user_can( $post_type->cap->read_private_posts ); + } + /** * Get a single item. * @@ -48,6 +77,7 @@ abstract class WC_REST_Posts_Controller extends WP_REST_Controller { if ( empty( $id ) || empty( $post->ID ) || $this->post_type !== $post->post_type ) { return new WP_Error( sprintf( 'woocommerce_rest_api_invalid_%s_id', $this->post_type ), __( 'Invalid id.', 'woocommerce' ), array( 'status' => 404 ) ); } + $data = $this->prepare_item_for_response( $post, $request ); $response = rest_ensure_response( $data ); @@ -58,98 +88,6 @@ abstract class WC_REST_Posts_Controller extends WP_REST_Controller { return $response; } - /** - * Check if a given request has access to read a post. - * - * @param WP_REST_Request $request Full details about the request. - * @return WP_Error|boolean - */ - public function get_item_permissions_check( $request ) { - $post = get_post( (int) $request['id'] ); - if ( 'edit' === $request['context'] && $post && ! $this->check_update_permission( $post ) ) { - return new WP_Error( 'rest_forbidden_context', sprintf( __( 'Sorry, you are not allowed to edit %s', 'woocommerce' ), $this->rest_base ), array( 'status' => rest_authorization_required_code() ) ); - } - - if ( $post ) { - return $this->check_read_permission( $post ); - } - - return true; - } - - /** - * Check if we can read a post. - * - * Correctly handles posts with the inherit status. - * - * @param object $post Post object. - * @return boolean Can we read it? - */ - public function check_read_permission( $post ) { - return $this->check_permission( $post, 'read' ); - } - - /** - * Check if we can edit a post. - * - * @param object $post Post object. - * @return boolean Can we edit it? - */ - protected function check_update_permission( $post ) { - return $this->check_permission( $post, 'edit' ); - } - - /** - * Check if we can create a post. - * - * @param object $post Post object. - * @return boolean Can we create it?. - */ - protected function check_create_permission( $post ) { - return $this->check_permission( $post, 'edit' ); - } - - /** - * Check if we can delete a post. - * - * @param object $post Post object. - * @return boolean Can we delete it? - */ - protected function check_delete_permission( $post ) { - return $this->check_permission( $post, 'delete' ); - } - - /** - * Checks the permissions for the current user given a post and context. - * - * @param WP_Post|int $post - * @param string $context the type of permission to check, either `read`, `write`, or `delete` - * @return bool true if the current user has the permissions to perform the context on the post - */ - private function check_permission( $post, $context ) { - $permission = false; - - if ( ! is_a( $post, 'WP_Post' ) ) { - $post = get_post( $post ); - } - - if ( is_null( $post ) ) { - return $permission; - } - - $post_type = get_post_type_object( $post->post_type ); - - if ( 'read' === $context ) { - $permission = 'revision' !== $post->post_type && current_user_can( $post_type->cap->read_private_posts, $post->ID ); - } elseif ( 'edit' === $context ) { - $permission = current_user_can( $post_type->cap->edit_post, $post->ID ); - } elseif ( 'delete' === $context ) { - $permission = current_user_can( $post_type->cap->delete_post, $post->ID ); - } - - return apply_filters( 'woocommerce_api_check_permission', $permission, $context, $post, $post_type ); - } - /** * Check the post_date_gmt or modified_gmt and prepare any post or * modified date for single post output.