From c53ace807cc36a4a5f3188f37184de4dce6eba2d Mon Sep 17 00:00:00 2001
From: leogermani
Date: Fri, 16 Aug 2019 11:58:11 -0300
Subject: [PATCH] fix api permission check for metadata and filter endpoints

---
 ...class-tainacan-rest-filters-controller.php | 2 +-
 ...lass-tainacan-rest-metadata-controller.php | 21 ++++++++++++++++---
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/src/api/endpoints/class-tainacan-rest-filters-controller.php b/src/api/endpoints/class-tainacan-rest-filters-controller.php
index f83e5602a..fe0906f6e 100644
--- a/src/api/endpoints/class-tainacan-rest-filters-controller.php
+++ b/src/api/endpoints/class-tainacan-rest-filters-controller.php
@@ -400,7 +400,7 @@ class REST_Filters_Controller extends REST_Controller {
 */
 public function get_items_permissions_check( $request ) {
 if(!isset($request['collection_id'])) {
- if ( 'edit' === $request['context'] && ! $this->filter_repository->can_read( new Entities\Filter() ) ) {
+ if ( 'edit' === $request['context'] && ! $this->filter_repository->can_edit( new Entities\Filter() ) ) {
 return false;
 }

diff --git a/src/api/endpoints/class-tainacan-rest-metadata-controller.php b/src/api/endpoints/class-tainacan-rest-metadata-controller.php
index 87da4c239..5dba080b7 100644
--- a/src/api/endpoints/class-tainacan-rest-metadata-controller.php
+++ b/src/api/endpoints/class-tainacan-rest-metadata-controller.php
@@ -378,11 +378,26 @@ class REST_Metadata_Controller extends REST_Controller {
 * @throws \Exception
 */
 public function get_items_permissions_check( $request ) {
- if ( 'edit' === $request['context'] && ! $this->metadatum_repository->can_edit(new Entities\Metadatum()) ) {
- return false;
+
+ if(!isset($request['collection_id'])) {
+ if ( 'edit' === $request['context'] && ! $this->metadatum_repository->can_edit( new Entities\Metadatum() ) ) {
+ return false;
+ }
+
+ return true;
 }
- return true;
+ $collection = $this->collection_repository->fetch($request['collection_id']);
+
+ if($collection instanceof Entities\Collection){
+ if ( 'edit' === $request['context'] && ! $collection->can_read() ) {
+ return false;
+ }
+
+ return true;
+ }
+
+ return false;
 }

 /**
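Review bot: The collection branch gates the `'edit'` context on `$collection->can_read()`, which is weaker than the `can_edit()` check the collection-less branch above it (and the filters hunk in this same commit) applies for the same context, so a user who may only read the collection still passes the permission check for an edit-context metadata listing. Unless read access is deliberately sufficient here, and assuming Entities\Collection exposes the same `can_edit()` as the repositories, the line should read `if ( 'edit' === $request['context'] && ! $collection->can_edit() ) {`. For any other context the branch returns true with no check against the fetched collection at all, so visibility of non-public collections is presumably enforced further down — worth confirming rather than assuming. The corresponding collection branch of the filters controller's get_items_permissions_check lies outside that hunk and likely deserves the same look.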