REST API: Introduce filter for controlling menu read access.

The menu, menu item, and menu location endpoints were added to the REST API in [52079]. In that commit, menu data was treated as private and restricted to logged-in users with the edit_theme_options capability. However, in many cases, this data can be considered public. Previously, there was no simple way for developers to allow this data to be exposed via the REST API.

This commit introduces the rest_menu_read_access filter, enabling developers to control read access to menus, menu items, and menu locations in the REST API. The same filter is applied across all three REST API classes, simplifying the process of opting into exposing this data.

Each instance of the filter provides the current request and the relevant class instance as context, allowing developers to selectively or globally enable access to the data.

Props spacedmonkey, antonvlasenko, kadamwhite, julianmar, masteradhoc.
Fixes #54304.

git-svn-id: https://develop.svn.wordpress.org/trunk@59718 602fd350-edb4-49c9-b593-d223f7449a82

Author: spacedmonkey

src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php

@@ -80,6 +80,19 @@ public function get_item_permissions_check( $request ) {
 	 * @return true|WP_Error True if the request has read access for the item, WP_Error object otherwise.
 	 */
 	protected function check_has_read_only_access( $request ) {
+		/**
+		 * Filters whether the current user has read access to menu items via the REST API.
+		 *
+		 * @since 6.8.0
+		 * @param $read_only_access bool Whether the current user has read access to menu items via the REST API.
+		 * @param $request WP_REST_Request Full details about the request.
+		 * @param $this WP_REST_Controller The current instance of the controller.
+		 */
+		$read_only_access = apply_filters( 'rest_menu_read_access', false, $request, $this );
+		if ( $read_only_access ) {
+			return true;
+		}
+
 		if ( current_user_can( 'edit_theme_options' ) ) {
 			return true;
 		}

src/wp-includes/rest-api/endpoints/class-wp-rest-menu-locations-controller.php

@@ -80,15 +80,7 @@ public function register_routes() {
 	 * @return true|WP_Error True if the request has read access, WP_Error object otherwise.
 	 */
 	public function get_items_permissions_check( $request ) {
-		if ( ! current_user_can( 'edit_theme_options' ) ) {
-			return new WP_Error(
-				'rest_cannot_view',
-				__( 'Sorry, you are not allowed to view menu locations.' ),
-				array( 'status' => rest_authorization_required_code() )
-			);
-		}
-
-		return true;
+		return $this->check_has_read_only_access( $request );
 	}
 
 	/**
@@ -123,15 +115,7 @@ public function get_items( $request ) {
 	 * @return true|WP_Error True if the request has read access for the item, WP_Error object otherwise.
 	 */
 	public function get_item_permissions_check( $request ) {
-		if ( ! current_user_can( 'edit_theme_options' ) ) {
-			return new WP_Error(
-				'rest_cannot_view',
-				__( 'Sorry, you are not allowed to view menu locations.' ),
-				array( 'status' => rest_authorization_required_code() )
-			);
-		}
-
-		return true;
+		return $this->check_has_read_only_access( $request );
 	}
 
 	/**
@@ -157,6 +141,32 @@ public function get_item( $request ) {
 		return rest_ensure_response( $data );
 	}
 
+	/**
+	 * Checks whether the current user has read permission for the endpoint.
+	 *
+	 * @since 6.8.0
+	 *
+	 * @param WP_REST_Request $request Full details about the request.
+	 * @return true|WP_Error True if the current user has permission, WP_Error object otherwise.
+	 */
+	protected function check_has_read_only_access( $request ) {
+		/** This filter is documented in wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php */
+		$read_only_access = apply_filters( 'rest_menu_read_access', false, $request, $this );
+		if ( $read_only_access ) {
+			return true;
+		}
+
+		if ( ! current_user_can( 'edit_theme_options' ) ) {
+			return new WP_Error(
+				'rest_cannot_view',
+				__( 'Sorry, you are not allowed to view menu locations.' ),
+				array( 'status' => rest_authorization_required_code() )
+			);
+		}
+
+		return true;
+	}
+
 	/**
 	 * Prepares a menu location object for serialization.
 	 *

src/wp-includes/rest-api/endpoints/class-wp-rest-menus-controller.php

@@ -84,6 +84,12 @@ protected function get_term( $id ) {
 	 * @return true|WP_Error True if the current user has permission, WP_Error object otherwise.
 	 */
 	protected function check_has_read_only_access( $request ) {
+		/** This filter is documented in wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php */
+		$read_only_access = apply_filters( 'rest_menu_read_access', false, $request, $this );
+		if ( $read_only_access ) {
+			return true;
+		}
+
 		if ( current_user_can( 'edit_theme_options' ) ) {
 			return true;
 		}

tests/phpunit/tests/rest-api/wpRestMenuItemsController.php

@@ -183,6 +183,30 @@ public function test_get_item() {
 		$this->check_get_menu_item_response( $response, 'view' );
 	}
 
+	/**
+	 * @ticket 54304
+	 * @covers ::get_items
+	 */
+	public function test_get_items_filter() {
+		add_filter( 'rest_menu_read_access', '__return_true' );
+		$request  = new WP_REST_Request( 'GET', '/wp/v2/menu-items' );
+		$response = rest_get_server()->dispatch( $request );
+
+		$this->check_get_menu_items_response( $response );
+	}
+
+	/**
+	 * @ticket 54304
+	 * @covers ::get_item
+	 */
+	public function test_get_item_filter() {
+		add_filter( 'rest_menu_read_access', '__return_true' );
+		$request  = new WP_REST_Request( 'GET', sprintf( '/wp/v2/menu-items/%d', $this->menu_item_id ) );
+		$response = rest_get_server()->dispatch( $request );
+
+		$this->check_get_menu_item_response( $response, 'view' );
+	}
+
 	/**
 	 * @ticket 40878
 	 * @covers ::get_item

tests/phpunit/tests/rest-api/wpRestMenuLocationsController.php

@@ -120,6 +120,45 @@ public function test_get_item() {
 		$this->assertSame( $menu, $data['name'] );
 	}
 
+	/**
+	 * @ticket 54304
+	 * @covers ::get_items
+	 */
+	public function test_get_items_filter() {
+		$menus = array( 'primary', 'secondary' );
+		$this->register_nav_menu_locations( array( 'primary', 'secondary' ) );
+		add_filter( 'rest_menu_read_access', '__return_true' );
+
+		$request  = new WP_REST_Request( 'GET', '/wp/v2/menu-locations' );
+		$response = rest_get_server()->dispatch( $request );
+		$data     = $response->get_data();
+		$data     = array_values( $data );
+		$this->assertCount( 2, $data, 'Number of menu location are not 2' );
+
+		$names        = wp_list_pluck( $data, 'name' );
+		$descriptions = wp_list_pluck( $data, 'description' );
+		$this->assertSame( $menus, $names );
+		$menu_descriptions = array_map( 'ucfirst', $names );
+
+		$this->assertSame( $menu_descriptions, $descriptions, 'Menu descriptions do not match' );
+	}
+
+	/**
+	 * @ticket 54304
+	 * @covers ::get_item
+	 */
+	public function test_get_item_filter() {
+		$menu = 'primary';
+		$this->register_nav_menu_locations( array( $menu ) );
+
+		add_filter( 'rest_menu_read_access', '__return_true' );
+		$request  = new WP_REST_Request( 'GET', '/wp/v2/menu-locations/' . $menu );
+		$response = rest_get_server()->dispatch( $request );
+		$data     = $response->get_data();
+
+		$this->assertSame( $menu, $data['name'] );
+	}
+
 	/**
 	 * @ticket 40878
 	 * @covers ::get_item

tests/phpunit/tests/rest-api/wpRestMenusController.php

@@ -208,6 +208,48 @@ public function test_get_item() {
 		$this->check_get_taxonomy_term_response( $response, $nav_menu_id );
 	}
 
+
+	/**
+	 * @ticket 54304
+	 * @covers ::get_items
+	 */
+	public function test_get_items_filter() {
+		add_filter( 'rest_menu_read_access', '__return_true' );
+		wp_update_nav_menu_object(
+			0,
+			array(
+				'description' => 'Test get',
+				'menu-name'   => 'test Name get',
+			)
+		);
+		$request = new WP_REST_Request( 'GET', '/wp/v2/menus' );
+		$request->set_param( 'per_page', self::$per_page );
+		$response = rest_get_server()->dispatch( $request );
+		$this->check_get_taxonomy_terms_response( $response );
+	}
+
+	/**
+	 * @ticket 54304
+	 * @covers ::get_item
+	 */
+	public function test_get_item_filter() {
+		add_filter( 'rest_menu_read_access', '__return_true' );
+		$nav_menu_id = wp_update_nav_menu_object(
+			0,
+			array(
+				'description' => 'Test menu',
+				'menu-name'   => 'test Name',
+			)
+		);
+
+		$this->register_nav_menu_locations( array( 'primary' ) );
+		set_theme_mod( 'nav_menu_locations', array( 'primary' => $nav_menu_id ) );
+
+		$request  = new WP_REST_Request( 'GET', '/wp/v2/menus/' . $nav_menu_id );
+		$response = rest_get_server()->dispatch( $request );
+		$this->check_get_taxonomy_term_response( $response, $nav_menu_id );
+	}
+
 	/**
 	 * @ticket 40878
 	 * @covers ::create_item