From e0360dd1e9ae1ba3d02c8760b5142a4f28cff01d Mon Sep 17 00:00:00 2001
From: vnmedeiros
Date: Wed, 3 Apr 2019 16:35:32 -0300
Subject: [PATCH] add check to private visibility for taxonomy #220

---
 .../class-tainacan-rest-items-controller.php | 29 +++++++++++++++++++-----
 ...ss-tainacan-rest-taxonomies-controller.php | 5 +++-
 .../class-tainacan-rest-terms-controller.php | 10 +++++--
 .../class-tainacan-repository.php | 6 ++++
 4 files changed, 41 insertions(+), 9 deletions(-)

diff --git a/src/api/endpoints/class-tainacan-rest-items-controller.php b/src/api/endpoints/class-tainacan-rest-items-controller.php
index 4694a7d69..884d8f8b0 100644
--- a/src/api/endpoints/class-tainacan-rest-items-controller.php
+++ b/src/api/endpoints/class-tainacan-rest-items-controller.php
@@ -385,21 +385,38 @@ class REST_Items_Controller extends REST_Controller { public function get_items_permissions_check( $request ) { $collection = $this->collections_repository->fetch($request['collection_id']); + if('edit' === $request['context'] && !is_user_logged_in()) { + return false; + } + + if ( isset($request['taxquery']) && !$this->get_items_permissions_check_for_taxonomy($request['taxquery']) ) { + return false; + } + if(($collection instanceof Entities\Collection)) { - if('edit' === $request['context'] && !$collection->can_read()) { + if(!$collection->can_read()) { return false; } - return true; } else { - if('edit' === $request['context'] && !$this->collections_repository->can_read(new Entities\Collection())) { - return false; - } - return true; } } + private function get_items_permissions_check_for_taxonomy($taxonomies) { + $taxonomy_repository = Repositories\Taxonomies::get_instance(); + foreach ($taxonomies as $tax) { + $tax_id = $taxonomy_repository->get_id_by_db_identifier($tax['taxonomy']); + $taxonomy = $taxonomy_repository->fetch($tax_id); + if(($taxonomy instanceof Entities\Taxonomy)) { + if(!$taxonomy->can_read()) { + return false; + } + } + } + return true; + } + /** * @param \WP_REST_Request $request * diff --git a/src/api/endpoints/class-tainacan-rest-taxonomies-controller.php b/src/api/endpoints/class-tainacan-rest-taxonomies-controller.php index 8c7730c92..18936bcba 100644 --- a/src/api/endpoints/class-tainacan-rest-taxonomies-controller.php +++ b/src/api/endpoints/class-tainacan-rest-taxonomies-controller.php @@ -172,7 +172,10 @@ class REST_Taxonomies_Controller extends REST_Controller { $taxonomy = $this->taxonomy_repository->fetch($request['taxonomy_id']); if(($taxonomy instanceof Entities\Taxonomy)) { - if('edit' === $request['context'] && !$taxonomy->can_read()) { + if('edit' === $request['context'] && !is_user_logged_in()) { + return false; + } + if(!$taxonomy->can_read()) { return false; } 
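Review bot: On the new side of this hunk `get_items_permissions_check()` contains no `return true;` any more — both were removed and none was added — so a request that passes every gate falls off the end and returns null, which WP_REST_Server treats the same as `false` (`rest_forbidden`); unless the collapsed rendering dropped a line, which the 21→38 hunk counts with the visible 6 removals and 23 additions leave no room for, the items endpoint would deny every read. Add `return true;` as the last statement of the method, after the `if` on `$collection`, whose `else` branch is now empty and can be dropped. Separately, `get_items_permissions_check_for_taxonomy()` indexes each element of the client-supplied `$request['taxquery']` as `$tax['taxonomy']`; if `taxquery` follows the `tax_query` shape, a `relation` entry or any non-array element is string-indexed (a warning, or a TypeError on newer PHP), so guard with `if ( ! is_array($tax) || empty($tax['taxonomy']) ) { continue; }` at the top of the loop. Note also that an identifier the repository cannot resolve to an `Entities\Taxonomy` passes the check silently, which is fail-open; that is acceptable only if the query layer rejects unknown taxonomies later, otherwise return false there too.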
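Review bot: The new `context=edit` gate on the taxonomy read path checks only `is_user_logged_in()`, which is a session check rather than a capability check: any authenticated account, whatever its role, now gets the edit-context representation of a readable taxonomy. This is not weaker than the replaced line, which gated edit context on `can_read()` alone, but if the edit context exposes fields the read context does not, the gate should be the entity's edit capability rather than login, e.g. `if ( 'edit' === $request['context'] && ! $taxonomy->can_edit() ) { return false; }` if such a check exists on the entity. The enclosing method starts before this hunk and its `else` branch (taxonomy not found) ends after it, so whether an unknown `taxonomy_id` fails closed is not visible here.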
diff --git a/src/api/endpoints/class-tainacan-rest-terms-controller.php b/src/api/endpoints/class-tainacan-rest-terms-controller.php index aab90ec76..9e0b34891 100644 --- a/src/api/endpoints/class-tainacan-rest-terms-controller.php +++ b/src/api/endpoints/class-tainacan-rest-terms-controller.php @@ -350,7 +350,10 @@ class REST_Terms_Controller extends REST_Controller { $taxonomy = $this->taxonomy_repository->fetch($request['taxonomy_id']); if(($taxonomy instanceof Entities\Taxonomy)) { - if('edit' === $request['context'] && !$taxonomy->can_read()) { + if('edit' === $request['context'] && !is_user_logged_in()) { + return false; + } + if(!$taxonomy->can_read()) { return false; } @@ -385,7 +388,10 @@ class REST_Terms_Controller extends REST_Controller { $taxonomy = $this->taxonomy_repository->fetch($request['taxonomy_id']); if(($taxonomy instanceof Entities\Taxonomy)) { - if('edit' === $request['context'] && !$taxonomy->can_read()) { + if('edit' === $request['context'] && !is_user_logged_in()) { + return false; + } + if(!$taxonomy->can_read()) { return false; } diff --git a/src/classes/repositories/class-tainacan-repository.php b/src/classes/repositories/class-tainacan-repository.php index 64e65679e..d1aa207f3 100644 --- a/src/classes/repositories/class-tainacan-repository.php +++ b/src/classes/repositories/class-tainacan-repository.php @@ -670,6 +670,12 @@ abstract class Repository { * @throws \Exception */ public function can_read( $entity, $user = null ) { + if(!is_user_logged_in()) { + $status = get_post_status($entity->get_id()); + $post_status_obj = get_post_status_object($status); + return $post_status_obj->public; + } + if ( is_null( $user ) ) { $user = get_current_user_id(); } elseif ( is_object( $user ) ) {
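Review bot: The same six lines — the `edit`/`is_user_logged_in()` gate followed by `can_read()` — are now pasted into both permission callbacks of this file (the hunks at 350 and 388) and into the taxonomies controller, so the next adjustment to the rule has to be made in three places and one copy will drift. Factor the rule into one private method on this controller (or a protected one on `REST_Controller`, whose definition is outside this patch) and reduce each call site to `if ( ! $this->taxonomy_readable_for_request( $request, $taxonomy ) ) { return false; }`. Both enclosing methods start before their hunk and end after it.
```php
	/**
	 * Shared read gate for term endpoints: the edit context requires a
	 * logged-in user, and every context requires read access to the taxonomy.
	 */
	private function taxonomy_readable_for_request( $request, $taxonomy ) {
		if ( 'edit' === $request['context'] && ! is_user_logged_in() ) {
			return false;
		}
		return $taxonomy->can_read();
	}
```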
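Review bot: The new anonymous branch in `can_read()` runs before `$user` is examined, so a caller that passes an explicit `$user` while no session is active (WP-CLI, cron, or an "could user X read this" check) now gets the answer for an anonymous visitor instead of for that user; the branch should only apply when no user was supplied, `if ( is_null( $user ) && ! is_user_logged_in() ) {`. Inside the branch, `get_post_status()` returns `false` for an id that has no post and `get_post_status_object( false )` then returns null, so `$post_status_obj->public` emits a warning and yields null — it fails closed, but noisily; `return ! empty( $post_status_obj->public );` gives the same decision without the warning. If an entity can reach this method with no id (the items controller used to call `can_read( new Entities\Collection() )`, which this patch removes), `get_post_status( null )` would consult the global `$post` rather than the entity, so an explicit `if ( ! $entity->get_id() ) { return false; }` may be warranted — confirm against the callers. The rest of `can_read()` continues outside the hunk.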