Improved permissions check
This commit is contained in:
parent
54739c5e19
commit
a31ef08ed7
|
@ -35,6 +35,35 @@ abstract class WC_REST_Posts_Controller extends WP_REST_Controller {
|
||||||
*/
|
*/
|
||||||
protected $public = false;
|
protected $public = false;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check if a given request has access to read a item.
|
||||||
|
*
|
||||||
|
* @param WP_REST_Request $request Full details about the request.
|
||||||
|
* @return WP_Error|boolean
|
||||||
|
*/
|
||||||
|
public function get_item_permissions_check( $request ) {
|
||||||
|
$post = get_post( (int) $request['id'] );
|
||||||
|
|
||||||
|
if ( $post ) {
|
||||||
|
$post_type = get_post_type_object( $this->post_type );
|
||||||
|
return 'revision' !== $post->post_type && current_user_can( $post_type->cap->read_private_posts, $post->ID );
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check if a given request has access to read items.
|
||||||
|
*
|
||||||
|
* @param WP_REST_Request $request Full details about the request.
|
||||||
|
* @return WP_Error|boolean
|
||||||
|
*/
|
||||||
|
public function get_items_permissions_check( $request ) {
|
||||||
|
$post_type = get_post_type_object( $this->post_type );
|
||||||
|
|
||||||
|
return current_user_can( $post_type->cap->read_private_posts );
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get a single item.
|
* Get a single item.
|
||||||
*
|
*
|
||||||
|
@ -48,6 +77,7 @@ abstract class WC_REST_Posts_Controller extends WP_REST_Controller {
|
||||||
if ( empty( $id ) || empty( $post->ID ) || $this->post_type !== $post->post_type ) {
|
if ( empty( $id ) || empty( $post->ID ) || $this->post_type !== $post->post_type ) {
|
||||||
return new WP_Error( sprintf( 'woocommerce_rest_api_invalid_%s_id', $this->post_type ), __( 'Invalid id.', 'woocommerce' ), array( 'status' => 404 ) );
|
return new WP_Error( sprintf( 'woocommerce_rest_api_invalid_%s_id', $this->post_type ), __( 'Invalid id.', 'woocommerce' ), array( 'status' => 404 ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
$data = $this->prepare_item_for_response( $post, $request );
|
$data = $this->prepare_item_for_response( $post, $request );
|
||||||
$response = rest_ensure_response( $data );
|
$response = rest_ensure_response( $data );
|
||||||
|
|
||||||
|
@ -58,98 +88,6 @@ abstract class WC_REST_Posts_Controller extends WP_REST_Controller {
|
||||||
return $response;
|
return $response;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Check if a given request has access to read a post.
|
|
||||||
*
|
|
||||||
* @param WP_REST_Request $request Full details about the request.
|
|
||||||
* @return WP_Error|boolean
|
|
||||||
*/
|
|
||||||
public function get_item_permissions_check( $request ) {
|
|
||||||
$post = get_post( (int) $request['id'] );
|
|
||||||
if ( 'edit' === $request['context'] && $post && ! $this->check_update_permission( $post ) ) {
|
|
||||||
return new WP_Error( 'rest_forbidden_context', sprintf( __( 'Sorry, you are not allowed to edit %s', 'woocommerce' ), $this->rest_base ), array( 'status' => rest_authorization_required_code() ) );
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( $post ) {
|
|
||||||
return $this->check_read_permission( $post );
|
|
||||||
}
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Check if we can read a post.
|
|
||||||
*
|
|
||||||
* Correctly handles posts with the inherit status.
|
|
||||||
*
|
|
||||||
* @param object $post Post object.
|
|
||||||
* @return boolean Can we read it?
|
|
||||||
*/
|
|
||||||
public function check_read_permission( $post ) {
|
|
||||||
return $this->check_permission( $post, 'read' );
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Check if we can edit a post.
|
|
||||||
*
|
|
||||||
* @param object $post Post object.
|
|
||||||
* @return boolean Can we edit it?
|
|
||||||
*/
|
|
||||||
protected function check_update_permission( $post ) {
|
|
||||||
return $this->check_permission( $post, 'edit' );
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Check if we can create a post.
|
|
||||||
*
|
|
||||||
* @param object $post Post object.
|
|
||||||
* @return boolean Can we create it?.
|
|
||||||
*/
|
|
||||||
protected function check_create_permission( $post ) {
|
|
||||||
return $this->check_permission( $post, 'edit' );
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Check if we can delete a post.
|
|
||||||
*
|
|
||||||
* @param object $post Post object.
|
|
||||||
* @return boolean Can we delete it?
|
|
||||||
*/
|
|
||||||
protected function check_delete_permission( $post ) {
|
|
||||||
return $this->check_permission( $post, 'delete' );
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Checks the permissions for the current user given a post and context.
|
|
||||||
*
|
|
||||||
* @param WP_Post|int $post
|
|
||||||
* @param string $context the type of permission to check, either `read`, `write`, or `delete`
|
|
||||||
* @return bool true if the current user has the permissions to perform the context on the post
|
|
||||||
*/
|
|
||||||
private function check_permission( $post, $context ) {
|
|
||||||
$permission = false;
|
|
||||||
|
|
||||||
if ( ! is_a( $post, 'WP_Post' ) ) {
|
|
||||||
$post = get_post( $post );
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( is_null( $post ) ) {
|
|
||||||
return $permission;
|
|
||||||
}
|
|
||||||
|
|
||||||
$post_type = get_post_type_object( $post->post_type );
|
|
||||||
|
|
||||||
if ( 'read' === $context ) {
|
|
||||||
$permission = 'revision' !== $post->post_type && current_user_can( $post_type->cap->read_private_posts, $post->ID );
|
|
||||||
} elseif ( 'edit' === $context ) {
|
|
||||||
$permission = current_user_can( $post_type->cap->edit_post, $post->ID );
|
|
||||||
} elseif ( 'delete' === $context ) {
|
|
||||||
$permission = current_user_can( $post_type->cap->delete_post, $post->ID );
|
|
||||||
}
|
|
||||||
|
|
||||||
return apply_filters( 'woocommerce_api_check_permission', $permission, $context, $post, $post_type );
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check the post_date_gmt or modified_gmt and prepare any post or
|
* Check the post_date_gmt or modified_gmt and prepare any post or
|
||||||
* modified date for single post output.
|
* modified date for single post output.
|
||||||
|
|
Loading…
Reference in New Issue