Allow GET requests to use tokens, if provided

Author: jkmassel

tests/wp-includes/rest-api/auth/class-test-wp-rest-token.php

@@ -231,6 +231,18 @@ public function test_require_token() {
 		$_SERVER['REQUEST_URI'] = $token_uri;
 		$this->assertFalse( $this->token->require_token() );
 
+		// Some GET requests require authentication to work correctly (i.e. – fetching draft posts)
+		// If a token is present, treat it as though it's required.
+		$mock = $this->getMockBuilder( get_class( $this->token ) )
+			->setMethods(
+				array(
+					'validate_token',
+				)
+			)
+			->getMock();
+		$mock->method( 'validate_token' )->willReturn( true );
+		$this->assertTrue( $mock->require_token() );
+
 		// Don't require authentication to generate a token.
 		$_SERVER['REQUEST_METHOD'] = 'POST';
 		$this->assertFalse( $this->token->require_token() );

wp-includes/rest-api/auth/class-wp-rest-token.php

@@ -272,8 +272,9 @@ public function require_token() {
 			$require_token = false;
 		}
 
-		// GET requests do not need to be authenticated.
-		if ( 'GET' === $request_method ) {
+		// GET requests do not require authentication, but if a valid token is provided, requests should
+		// be performed as the user corresponding to that token.
+		if ( 'GET' === $request_method && is_wp_error( $this->validate_token() ) ) {
 			$require_token = false;
 		}