Skip to content
This repository was archived by the owner on Sep 24, 2018. It is now read-only.

Add permission check for retrieving the /posts endpoint when context=…#1412

Merged
rachelbaker merged 5 commits intoWP-API:developfrom
danielpunkass:forbid-edit-context-listing
Jul 22, 2015
Merged

Add permission check for retrieving the /posts endpoint when context=…#1412
rachelbaker merged 5 commits intoWP-API:developfrom
danielpunkass:forbid-edit-context-listing

Conversation

@danielpunkass
Copy link
Copy Markdown
Contributor

@danielpunkass danielpunkass commented Jul 21, 2015

…edit

By extension of the fact that getting any individual post yields a forbidden context error when the context=edit and the user is not authorized, the user should also not be permitted to list any post items when unauthorized.

@danielpunkass
Add permission check for retrieving the /posts endpoint when context=…
0702c19 
…edit

By extension of the fact that getting any individual post yields a forbidden context error when the context=edit and the user is not authorized, the user should also not be permitted to list any post items when unauthorized.
@danielpunkass
Remove trailing / from /posts in the comment.
0d42626
@rachelbaker
Copy link
Copy Markdown
Member

rachelbaker commented Jul 21, 2015

@danielpunkass Great catch that we were missing this permission check. I don't know if edit_posts is the correct permission check here, though.

@WP-API/amigos Any suggestions for the permission check we should be using here? I was thinking something like current_user_can( $this->post_type->cap->create_posts );

@danielbachhuber
Copy link
Copy Markdown
Member

danielbachhuber commented Jul 21, 2015

Any suggestions for the permission check we should be using here? I was thinking something like current_user_can( $this->post_type->cap->create_posts );

Why not current_user_can( $this->post_type->cap->edit_posts ); ?

@rachelbaker
Copy link
Copy Markdown
Member

rachelbaker commented Jul 21, 2015

Why not current_user_can( $this->post_type->cap->edit_posts ); ?

WFM

@danielpunkass
Copy link
Copy Markdown
Contributor Author

danielpunkass commented Jul 21, 2015

Ah, am I reading this correctly that it would tie the permissions to e.g. whether the user has the ability to edit pages, or a custom post_type? I guess $this->post_type is set as a consequence of the specific endpoint e.g. /posts -> "post", etc? Sounds good to me, I'll update the pull request later tonight probably.

@danielpunkass
Refine permissions check for getting lists of collection items.
c279d48 
On advice of @rachelbaker and @danielbachhuber, refine the permissions test to require the user has the edit_posts permission for the specific post_type. Also add a unit test to confirm the functionality of allowing the post list to be retrieved when the user does in fact have the editing capability.
@danielpunkass
Merge branch 'forbid-edit-context-listing' of github.com:danielpunkas…
87f969e 
…s/WP-API into forbid-edit-context-listing

* 'forbid-edit-context-listing' of github.com:danielpunkass/WP-API:
  Remove trailing / from /posts in the comment.
@danielpunkass
Change error message for forbidden post listing to be more consistent…
17a8296 
… with others that may reject on a specific post type.
rachelbaker added a commit that referenced this pull request Jul 22, 2015
@rachelbaker
Merge pull request #1412 from danielpunkass/forbid-edit-context-listing
c77302c 
Add permission check for retrieving the posts collection in edit context
@rachelbaker rachelbaker merged commit c77302c into WP-API:develop Jul 22, 2015
@rachelbaker
Copy link
Copy Markdown
Member

rachelbaker commented Jul 22, 2015

Merged #1412

@dave-green-uk dave-green-uk mentioned this pull request Jun 25, 2016
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@danielpunkass @rachelbaker @danielbachhuber