Merge branch 'fix/privileged-get-requests-not-working' of https://github.com/jkmassel/jwt-auth into fix-get-requests

Author: valendesigns

tests/wp-includes/rest-api/auth/class-test-wp-rest-token.php

@@ -370,6 +370,12 @@ public function test_require_token() {
 		$_SERVER['REQUEST_URI'] = $token_uri;
 		$this->assertFalse( $this->token->require_token() );
 
+		// Some GET requests require authentication to work correctly (i.e. – fetching draft posts)
+		// If a token is present, treat it as though it's required.
+		$_SERVER['HTTP_AUTHORIZATION'] = 'Bearer: Test';
+		$this->assertTrue( $this->token->require_token() );
+		unset( $_SERVER['HTTP_AUTHORIZATION'] );
+
 		// Don't require authentication to generate a token.
 		$_SERVER['REQUEST_METHOD'] = 'POST';
 		$this->assertFalse( $this->token->require_token() );

wp-includes/rest-api/auth/class-wp-rest-token.php

@@ -374,8 +374,10 @@ public function require_token() {
 			$require_token = false;
 		}
 
-		// GET requests do not need to be authenticated.
-		if ( 'GET' === $request_method ) {
+		// GET requests do not require authentication, but if
+		// the Authorization header is provided, requests should
+		// be performed as the user corresponding to that token.
+		if ( 'GET' === $request_method && is_wp_error( $this->get_auth_header() ) ) {
 			$require_token = false;
 		}