Reviewed post permissions
This commit is contained in:
parent
124a4291b0
commit
f4012b7f1f
|
@ -43,19 +43,15 @@ abstract class WC_REST_Posts_Controller extends WP_REST_Controller {
|
|||
protected $public = false;
|
||||
|
||||
/**
|
||||
* Check if a given request has access to read an item.
|
||||
* Check if a given request has access to read items.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return WP_Error|boolean
|
||||
*/
|
||||
public function get_item_permissions_check( $request ) {
|
||||
$post = get_post( (int) $request['id'] );
|
||||
|
||||
if ( $post ) {
|
||||
return $this->check_read_permission( $post );
|
||||
public function get_items_permissions_check( $request ) {
|
||||
if ( ! wc_rest_check_post_permissions( $this->post_type, 'read' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_view', __( 'Sorry, you cannot list resources.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -65,26 +61,27 @@ abstract class WC_REST_Posts_Controller extends WP_REST_Controller {
|
|||
* @return WP_Error|boolean
|
||||
*/
|
||||
public function create_item_permissions_check( $request ) {
|
||||
|
||||
$post_type = get_post_type_object( $this->post_type );
|
||||
|
||||
if ( ! current_user_can( $post_type->cap->create_posts ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_create', sprintf( __( 'Sorry, you are not allowed to create a new %s.', 'woocommerce' ), $this->post_type ), array( 'status' => rest_authorization_required_code() ) );
|
||||
if ( ! wc_rest_check_post_permissions( $this->post_type, 'create' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_create', __( 'Sorry, you are not allowed to create resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if a given request has access to read items.
|
||||
* Check if a given request has access to read an item.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return WP_Error|boolean
|
||||
*/
|
||||
public function get_items_permissions_check( $request ) {
|
||||
$post_type = get_post_type_object( $this->post_type );
|
||||
public function get_item_permissions_check( $request ) {
|
||||
$post = get_post( (int) $request['id'] );
|
||||
|
||||
return current_user_can( $post_type->cap->read_private_posts );
|
||||
if ( $post && ! wc_rest_check_post_permissions( $this->post_type, 'read', $post->ID ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_view', __( 'Sorry, you cannot view this resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -95,10 +92,9 @@ abstract class WC_REST_Posts_Controller extends WP_REST_Controller {
|
|||
*/
|
||||
public function update_item_permissions_check( $request ) {
|
||||
$post = get_post( $request['id'] );
|
||||
$post_type = get_post_type_object( $this->post_type );
|
||||
|
||||
if ( $post && ! $this->check_update_permission( $post ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_edit', sprintf( __( 'Sorry, you are not allowed to update this %s.', 'woocommerce' ), $this->post_type ), array( 'status' => rest_authorization_required_code() ) );;
|
||||
if ( $post && ! wc_rest_check_post_permissions( $this->post_type, 'edit', $post->ID ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_edit', __( 'Sorry, you are not allowed to edit resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
|
@ -113,48 +109,13 @@ abstract class WC_REST_Posts_Controller extends WP_REST_Controller {
|
|||
public function delete_item_permissions_check( $request ) {
|
||||
$post = get_post( $request['id'] );
|
||||
|
||||
if ( $post && ! $this->check_delete_permission( $post ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_delete', sprintf( __( 'Sorry, you are not allowed to delete %s.', 'woocommerce' ), $this->post_type ), array( 'status' => rest_authorization_required_code() ) );
|
||||
if ( $post && ! wc_rest_check_post_permissions( $this->post_type, 'delete', $post->ID ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_delete', __( 'Sorry, you are not allowed to delete this resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if we can read an item.
|
||||
*
|
||||
* Correctly handles posts with the inherit status.
|
||||
*
|
||||
* @param object $post Post object.
|
||||
* @return boolean Can we read it?
|
||||
*/
|
||||
public function check_read_permission( $post ) {
|
||||
$post_type = get_post_type_object( $this->post_type );
|
||||
return 'revision' !== $post->post_type && current_user_can( $post_type->cap->read_private_posts, $post->ID );
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if we can edit an item.
|
||||
*
|
||||
* @param object $post Post object.
|
||||
* @return boolean Can we edit it?
|
||||
*/
|
||||
protected function check_update_permission( $post ) {
|
||||
$post_type = get_post_type_object( $this->post_type );
|
||||
return current_user_can( $post_type->cap->edit_post, $post->ID );
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if we can delete an item.
|
||||
*
|
||||
* @param object $post Post object.
|
||||
* @return boolean Can we delete it?
|
||||
*/
|
||||
protected function check_delete_permission( $post ) {
|
||||
$post_type = get_post_type_object( $this->post_type );
|
||||
return current_user_can( $post_type->cap->delete_post, $post->ID );
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a single item.
|
||||
*
|
||||
|
@ -405,7 +366,7 @@ abstract class WC_REST_Posts_Controller extends WP_REST_Controller {
|
|||
|
||||
$posts = array();
|
||||
foreach ( $query_result as $post ) {
|
||||
if ( ! $this->check_read_permission( $post ) ) {
|
||||
if ( ! wc_rest_check_post_permissions( $this->post_type, 'read', $post->ID ) ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
|
@ -483,7 +444,7 @@ abstract class WC_REST_Posts_Controller extends WP_REST_Controller {
|
|||
*/
|
||||
$supports_trash = apply_filters( "woocommerce_rest_{$this->post_type}_trashable", $supports_trash, $post );
|
||||
|
||||
if ( ! $this->check_delete_permission( $post ) ) {
|
||||
if ( ! wc_rest_check_post_permissions( $this->post_type, 'delete', $post->ID ) ) {
|
||||
return new WP_Error( "woocommerce_rest_user_cannot_delete_{$this->post_type}", sprintf( __( 'Sorry, you are not allowed to delete %s.', 'woocommerce' ), $this->post_type ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
|
|
|
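Review bot: In the rewritten `get_item_permissions_check` (hunk `@ -65,26 +61,27 @@`) the post returned by `get_post( (int) $request['id'] )` is never compared with `$this->post_type`, so the capability is resolved from the controller's post type while the object id may belong to a post of any other type; the removed `check_read_permission` at least rejected a fetched post whose `post_type` was `revision`, and that guard is not carried over because the new helper tests only the `$post_type` argument the controller passes. Consider adding, ahead of the capability call, `if ( $post && $this->post_type !== $post->post_type ) { return new WP_Error( 'woocommerce_rest_cannot_view', __( 'Sorry, you cannot view this resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) ); }`, and the equivalent in the update and delete hunks, which also read `$request['id']` without the `(int)` cast used here. Whether `get_item` later returns a 404 on a type mismatch is outside these hunks.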
@ -18,7 +18,7 @@ if ( ! defined( 'ABSPATH' ) ) {
|
|||
* REST API Order Notes controller class.
|
||||
*
|
||||
* @package WooCommerce/API
|
||||
* @extends WC_REST_Posts_Controller
|
||||
* @extends WP_REST_Controller
|
||||
*/
|
||||
class WC_REST_Order_Notes_Controller extends WP_REST_Controller {
|
||||
|
||||
|
|
|
@ -100,76 +100,6 @@ class WC_REST_Order_Refunds_Controller extends WC_REST_Posts_Controller {
|
|||
) );
|
||||
}
|
||||
|
||||
/**
|
||||
* Check whether a given request has permission to read orders.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return WP_Error|boolean
|
||||
*/
|
||||
public function get_items_permissions_check( $request ) {
|
||||
if ( ! current_user_can( 'manage_woocommerce' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_view', __( 'Sorry, you cannot list order refunds.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if a given request has access create orders.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return boolean
|
||||
*/
|
||||
public function create_item_permissions_check( $request ) {
|
||||
if ( ! current_user_can( 'manage_woocommerce' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_create', __( 'Sorry, you are not allowed to create resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if a given request has access to read an order.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return WP_Error|boolean
|
||||
*/
|
||||
public function get_item_permissions_check( $request ) {
|
||||
if ( ! current_user_can( 'manage_woocommerce' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_view', __( 'Sorry, you cannot view this resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if a given request has access update an order.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return boolean
|
||||
*/
|
||||
public function update_item_permissions_check( $request ) {
|
||||
if ( ! current_user_can( 'manage_woocommerce' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_edit', __( 'Sorry, you are not allowed to edit resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if a given request has access delete an order.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return boolean
|
||||
*/
|
||||
public function delete_item_permissions_check( $request ) {
|
||||
if ( ! current_user_can( 'manage_woocommerce' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_delete', __( 'Sorry, you are not allowed to delete this resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Prepare a single order refund output for response.
|
||||
*
|
||||
|
|
|
@ -101,76 +101,6 @@ class WC_REST_Orders_Controller extends WC_REST_Posts_Controller {
|
|||
) );
|
||||
}
|
||||
|
||||
/**
|
||||
* Check whether a given request has permission to read orders.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return WP_Error|boolean
|
||||
*/
|
||||
public function get_items_permissions_check( $request ) {
|
||||
if ( ! current_user_can( 'manage_woocommerce' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_view', __( 'Sorry, you cannot list orders.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if a given request has access create orders.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return boolean
|
||||
*/
|
||||
public function create_item_permissions_check( $request ) {
|
||||
if ( ! current_user_can( 'publish_shop_orders' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_create', __( 'Sorry, you are not allowed to create resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if a given request has access to read an order.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return WP_Error|boolean
|
||||
*/
|
||||
public function get_item_permissions_check( $request ) {
|
||||
if ( ! current_user_can( 'manage_woocommerce' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_view', __( 'Sorry, you cannot view this resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if a given request has access update an order.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return boolean
|
||||
*/
|
||||
public function update_item_permissions_check( $request ) {
|
||||
if ( ! current_user_can( 'manage_woocommerce' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_edit', __( 'Sorry, you are not allowed to edit resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if a given request has access delete an order.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return boolean
|
||||
*/
|
||||
public function delete_item_permissions_check( $request ) {
|
||||
if ( ! current_user_can( 'manage_woocommerce' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_delete', __( 'Sorry, you are not allowed to delete this resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Prepare a single order output for response.
|
||||
*
|
||||
|
|
|
@ -110,76 +110,6 @@ class WC_REST_Webhooks_Controller extends WC_REST_Posts_Controller {
|
|||
) );
|
||||
}
|
||||
|
||||
/**
|
||||
* Check whether a given request has permission to read webhooks.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return WP_Error|boolean
|
||||
*/
|
||||
public function get_items_permissions_check( $request ) {
|
||||
if ( ! current_user_can( 'manage_woocommerce' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_view', __( 'Sorry, you cannot list webhooks.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if a given request has access create webhooks.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return boolean
|
||||
*/
|
||||
public function create_item_permissions_check( $request ) {
|
||||
if ( ! current_user_can( 'manage_woocommerce' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_create', __( 'Sorry, you are not allowed to create resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if a given request has access to read a webhook.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return WP_Error|boolean
|
||||
*/
|
||||
public function get_item_permissions_check( $request ) {
|
||||
if ( ! current_user_can( 'manage_woocommerce' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_view', __( 'Sorry, you cannot view this resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if a given request has access update a webhook.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return boolean
|
||||
*/
|
||||
public function update_item_permissions_check( $request ) {
|
||||
if ( ! current_user_can( 'manage_woocommerce' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_edit', __( 'Sorry, you are not allowed to edit resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if a given request has access delete a webhook.
|
||||
*
|
||||
* @param WP_REST_Request $request Full details about the request.
|
||||
* @return boolean
|
||||
*/
|
||||
public function delete_item_permissions_check( $request ) {
|
||||
if ( ! current_user_can( 'manage_woocommerce' ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_delete', __( 'Sorry, you are not allowed to delete this resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a single webhook.
|
||||
*
|
||||
|
|
|
@ -199,3 +199,31 @@ function wc_rest_urlencode_rfc3986( $value ) {
|
|||
return str_replace( '%', '%25', rawurlencode( rawurldecode( $value ) ) );
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Check permissions of posts on REST API.
|
||||
*
|
||||
* @since 2.6.0
|
||||
* @param string $post_type Post type.
|
||||
* @param string $context Request context.
|
||||
* @param int $object_id Post ID.
|
||||
* @return bool
|
||||
*/
|
||||
function wc_rest_check_post_permissions( $post_type, $context = 'read', $object_id = 0 ) {
|
||||
$contexts = array(
|
||||
'read' => 'read_private_posts',
|
||||
'create' => 'publish_posts',
|
||||
'edit' => 'edit_post',
|
||||
'delete' => 'delete_post',
|
||||
);
|
||||
|
||||
if ( 'revision' === $post_type ) {
|
||||
$permission = false;
|
||||
} else {
|
||||
$cap = $contexts[ $context ];
|
||||
$post_type_object = get_post_type_object( $post_type );
|
||||
$permission = current_user_can( $post_type_object->cap->$cap, $object_id );
|
||||
}
|
||||
|
||||
return apply_filters( 'woocommerce_rest_check_post_permissions', $permission, $post_type, $context, $object_id );
|
||||
}
|
||||
|
|
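Review bot: `wc_rest_check_post_permissions` does not fail closed on bad input: an unknown `$context` makes `$contexts[ $context ]` an undefined index so `$cap` is null, and an unregistered `$post_type` makes `get_post_type_object()` return null, after which `$post_type_object->cap->$cap` errors instead of denying. The `'revision' === $post_type` branch also compares the caller-supplied type, which every visible call site passes as `$this->post_type`, so it does not replace the check on the fetched post's `post_type` that the removed `check_read_permission` performed. Since the orders, refunds and webhooks controllers on this page drop their own `manage_woocommerce` checks in favour of this helper, it is worth confirming that the mapped `read_private_posts`/`publish_posts`/`edit_post`/`delete_post` caps of those post types grant the same set of users. A guarded version follows.
```php
function wc_rest_check_post_permissions( $post_type, $context = 'read', $object_id = 0 ) {
	// … unchanged: $contexts map …

	$post_type_object = get_post_type_object( $post_type );

	// Deny on a revision, an unknown context or an unregistered post type
	// rather than raising a notice or a fatal on a null object.
	if ( 'revision' === $post_type || ! isset( $contexts[ $context ] ) || ! $post_type_object ) {
		$permission = false;
	} else {
		$cap        = $contexts[ $context ];
		$permission = current_user_can( $post_type_object->cap->$cap, $object_id );
	}

	return apply_filters( 'woocommerce_rest_check_post_permissions', $permission, $post_type, $context, $object_id );
}
```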