Add extra check for permissions in delete/regen

Author: rmccue

lib/class-wp-rest-oauth1-admin.php

@@ -389,6 +389,14 @@ public static function handle_delete() {
 		$id = $_GET['id'];
 		check_admin_referer( 'rest-oauth1-delete:' . $id );
 
+		if ( ! current_user_can( 'delete_post', $id ) ) {
+			wp_die(
+				'<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
+				'<p>' . __( 'You are not allowed to delete this application.' ) . '</p>',
+				403
+			);
+		}
+
 		$client = WP_REST_OAuth1_Client::get( $id );
 		if ( is_wp_error( $client ) ) {
 			wp_die( $client );
@@ -413,6 +421,14 @@ public static function handle_regenerate() {
 		$id = $_GET['id'];
 		check_admin_referer( 'rest-oauth1-regenerate:' . $id );
 
+		if ( ! current_user_can( 'edit_post', $id ) ) {
+			wp_die(
+				'<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
+				'<p>' . __( 'You are not allowed to edit this application.' ) . '</p>',
+				403
+			);
+		}
+
 		$client = WP_REST_OAuth1_Client::get( $id );
 		$client->regenerate_secret();