Steve-Dee-Designs
/
woocommerce
mirror of https://github.com/woocommerce/woocommerce.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Improved permissions check

This commit is contained in:
Claudio Sanches 2016-02-22 17:48:38 -03:00
parent 54739c5e19
commit a31ef08ed7
1 changed files with 30 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

122
includes/abstracts/abstract-wc-rest-posts-controller.php
View File

@ -35,6 +35,35 @@ abstract class WC_REST_Posts_Controller extends WP_REST_Controller {
*/ */
protected $public = false; protected $public = false;
/**
* Check if a given request has access to read a item.
*
* @param WP_REST_Request $request Full details about the request.
* @return WP_Error|boolean
*/
public function get_item_permissions_check( $request ) {
$post = get_post( (int) $request['id'] );
if ( $post ) {
$post_type = get_post_type_object( $this->post_type );
return 'revision' !== $post->post_type && current_user_can( $post_type->cap->read_private_posts, $post->ID );
}
return true;
}
/**
* Check if a given request has access to read items.
*
* @param WP_REST_Request $request Full details about the request.
* @return WP_Error|boolean
*/
public function get_items_permissions_check( $request ) {
$post_type = get_post_type_object( $this->post_type );
return current_user_can( $post_type->cap->read_private_posts );
}
/** /**
* Get a single item. * Get a single item.
* *
@ -48,6 +77,7 @@ abstract class WC_REST_Posts_Controller extends WP_REST_Controller {
if ( empty( $id ) || empty( $post->ID ) || $this->post_type !== $post->post_type ) { if ( empty( $id ) || empty( $post->ID ) || $this->post_type !== $post->post_type ) {
return new WP_Error( sprintf( 'woocommerce_rest_api_invalid_%s_id', $this->post_type ), __( 'Invalid id.', 'woocommerce' ), array( 'status' => 404 ) ); return new WP_Error( sprintf( 'woocommerce_rest_api_invalid_%s_id', $this->post_type ), __( 'Invalid id.', 'woocommerce' ), array( 'status' => 404 ) );
} }
$data = $this->prepare_item_for_response( $post, $request ); $data = $this->prepare_item_for_response( $post, $request );
$response = rest_ensure_response( $data ); $response = rest_ensure_response( $data );
@ -58,98 +88,6 @@ abstract class WC_REST_Posts_Controller extends WP_REST_Controller {
return $response; return $response;
} }
/**
* Check if a given request has access to read a post.
*
* @param WP_REST_Request $request Full details about the request.
* @return WP_Error|boolean
*/
public function get_item_permissions_check( $request ) {
$post = get_post( (int) $request['id'] );
if ( 'edit' === $request['context'] && $post && ! $this->check_update_permission( $post ) ) {
return new WP_Error( 'rest_forbidden_context', sprintf( __( 'Sorry, you are not allowed to edit %s', 'woocommerce' ), $this->rest_base ), array( 'status' => rest_authorization_required_code() ) );
}
if ( $post ) {
return $this->check_read_permission( $post );
}
return true;
}
/**
* Check if we can read a post.
*
* Correctly handles posts with the inherit status.
*
* @param object $post Post object.
* @return boolean Can we read it?
*/
public function check_read_permission( $post ) {
return $this->check_permission( $post, 'read' );
}
/**
* Check if we can edit a post.
*
* @param object $post Post object.
* @return boolean Can we edit it?
*/
protected function check_update_permission( $post ) {
return $this->check_permission( $post, 'edit' );
}
/**
* Check if we can create a post.
*
* @param object $post Post object.
* @return boolean Can we create it?.
*/
protected function check_create_permission( $post ) {
return $this->check_permission( $post, 'edit' );
}
/**
* Check if we can delete a post.
*
* @param object $post Post object.
* @return boolean Can we delete it?
*/
protected function check_delete_permission( $post ) {
return $this->check_permission( $post, 'delete' );
}
/**
* Checks the permissions for the current user given a post and context.
*
* @param WP_Post|int $post
* @param string $context the type of permission to check, either `read`, `write`, or `delete`
* @return bool true if the current user has the permissions to perform the context on the post
*/
private function check_permission( $post, $context ) {
$permission = false;
if ( ! is_a( $post, 'WP_Post' ) ) {
$post = get_post( $post );
}
if ( is_null( $post ) ) {
return $permission;
}
$post_type = get_post_type_object( $post->post_type );
if ( 'read' === $context ) {
$permission = 'revision' !== $post->post_type && current_user_can( $post_type->cap->read_private_posts, $post->ID );
} elseif ( 'edit' === $context ) {
$permission = current_user_can( $post_type->cap->edit_post, $post->ID );
} elseif ( 'delete' === $context ) {
$permission = current_user_can( $post_type->cap->delete_post, $post->ID );
}
return apply_filters( 'woocommerce_api_check_permission', $permission, $context, $post, $post_type );
}
/** /**
* Check the post_date_gmt or modified_gmt and prepare any post or * Check the post_date_gmt or modified_gmt and prepare any post or
* modified date for single post output. * modified date for single post output.