fix api permission check for metadata and filter endpoints

2019-08-16 11:58:11 -03:00 · 2019-08-16 11:58:11 -03:00 · c53ace807c
parent 06aad1df7f
commit c53ace807c
2 changed files with 19 additions and 4 deletions
--- a/src/api/endpoints/class-tainacan-rest-filters-controller.php
+++ b/src/api/endpoints/class-tainacan-rest-filters-controller.php
@ -400,7 +400,7 @@ class REST_Filters_Controller extends REST_Controller {
 	 */
 	public function get_items_permissions_check( $request ) {
 		if(!isset($request['collection_id'])) {
-			if ( 'edit' === $request['context'] && ! $this->filter_repository->can_read( new Entities\Filter() ) ) {
+			if ( 'edit' === $request['context'] && ! $this->filter_repository->can_edit( new Entities\Filter() ) ) {
 				return false;
 			}

--- a/src/api/endpoints/class-tainacan-rest-metadata-controller.php
+++ b/src/api/endpoints/class-tainacan-rest-metadata-controller.php
@ -378,11 +378,26 @@ class REST_Metadata_Controller extends REST_Controller {
 	 * @throws \Exception
 	 */
 	public function get_items_permissions_check( $request ) {
-		if ( 'edit' === $request['context'] && ! $this->metadatum_repository->can_edit(new Entities\Metadatum()) ) {
-			return false;
+		
+		if(!isset($request['collection_id'])) {
+			if ( 'edit' === $request['context'] && ! $this->metadatum_repository->can_edit( new Entities\Metadatum() ) ) {
+				return false;
+			}
+
+			return true;
 		}

-		return true;
+		$collection = $this->collection_repository->fetch($request['collection_id']);
+
+		if($collection instanceof Entities\Collection){
+			if ( 'edit' === $request['context'] && ! $collection->can_read() ) {
+				return false;
+			}
+
+			return true;
+		}
+
+		return false;
 	}

 	/**