REST API: Increase the specificity of capability checks for collections when the edit context is in use.

johnbillion · johnbillion · commit e5c87e796826 · 2025-09-30T16:50:20.000Z
The edit access in now taken into account for each individual post, term, or user in the response. Merges [60814] into the 6.8 branch. Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, rmccue, timothyblynjacobs, vortfu, whyisjake, zieladam. git-svn-id: https://develop.svn.wordpress.org/branches/6.8@60817 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -463,7 +463,13 @@ static function ( $format ) {
 			}
 
 			foreach ( $query_result as $post ) {
-				if ( ! $this->check_read_permission( $post ) ) {
+				if ( 'edit' === $request['context'] ) {
+					$permission = $this->check_update_permission( $post );
+				} else {
+					$permission = $this->check_read_permission( $post );
+				}
+
+				if ( ! $permission ) {
 					continue;
 				}
 
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
@@ -365,6 +365,10 @@ public function get_items( $request ) {
 		if ( ! $is_head_request ) {
 			$response = array();
 			foreach ( $query_result as $term ) {
+				if ( 'edit' === $request['context'] && ! current_user_can( 'edit_term', $term->term_id ) ) {
+					continue;
+				}
+
 				$data       = $this->prepare_item_for_response( $term, $request );
 				$response[] = $this->prepare_response_for_collection( $data );
 			}
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -220,7 +220,7 @@ public function get_items_permissions_check( $request ) {
 		if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
 			return new WP_Error(
 				'rest_forbidden_context',
-				__( 'Sorry, you are not allowed to list users.' ),
+				__( 'Sorry, you are not allowed to edit users.' ),
 				array( 'status' => rest_authorization_required_code() )
 			);
 		}
@@ -379,6 +379,10 @@ static function ( $column ) use ( $search_columns_mapping ) {
 			$users = array();
 
 			foreach ( $query->get_results() as $user ) {
+				if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
+					continue;
+				}
+
 				$data    = $this->prepare_item_for_response( $user, $request );
 				$users[] = $this->prepare_response_for_collection( $data );
 			}
@@ -479,13 +483,15 @@ public function get_item_permissions_check( $request ) {
 			return true;
 		}
 
-		if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
+		if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
 			return new WP_Error(
-				'rest_user_cannot_view',
-				__( 'Sorry, you are not allowed to list users.' ),
+				'rest_forbidden_context',
+				__( 'Sorry, you are not allowed to edit this user.' ),
 				array( 'status' => rest_authorization_required_code() )
 			);
-		} elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) {
+		}
+
+		if ( ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) && ! count_user_posts( $user->ID, $types ) ) {
 			return new WP_Error(
 				'rest_user_cannot_view',
 				__( 'Sorry, you are not allowed to list users.' ),
@@ -1086,7 +1092,7 @@ public function prepare_item_for_response( $item, $request ) {
 			$data['slug'] = $user->user_nicename;
 		}
 
-		if ( in_array( 'roles', $fields, true ) ) {
+		if ( in_array( 'roles', $fields, true ) && ( current_user_can( 'list_users' ) || current_user_can( 'edit_user', $user->ID ) ) ) {
 			// Defensively call array_values() to ensure an array is returned.
 			$data['roles'] = array_values( $user->roles );
 		}
diff --git a/tests/phpunit/tests/rest-api/rest-users-controller.php b/tests/phpunit/tests/rest-api/rest-users-controller.php
@@ -1311,7 +1311,7 @@ public function test_get_item_published_author_wrong_context() {
 		$request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', $author_id ) );
 		$request->set_param( 'context', 'edit' );
 		$response = rest_get_server()->dispatch( $request );
-		$this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 );
+		$this->assertErrorResponse( 'rest_forbidden_context', $response, 401 );
 	}
 
 	/**

Original file line number	Diff line number	Diff line change
`@@ -463,7 +463,13 @@ static function ( $format ) {`
`463`	`463`	`}`
`464`	`464`
`465`	`465`	`foreach ( $query_result as $post ) {`
`466`		`- if ( ! $this->check_read_permission( $post ) ) {`
	`466`	`+ if ( 'edit' === $request['context'] ) {`
	`467`	`+ $permission = $this->check_update_permission( $post );`
	`468`	`+ } else {`
	`469`	`+ $permission = $this->check_read_permission( $post );`
	`470`	`+ }`
	`471`	`+`
	`472`	`+ if ( ! $permission ) {`
`467`	`473`	`continue;`
`468`	`474`	`}`
`469`	`475`
Original file line number	Diff line number	Diff line change
`@@ -1311,7 +1311,7 @@ public function test_get_item_published_author_wrong_context() {`
`1311`	`1311`	`$request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', $author_id ) );`
`1312`	`1312`	`$request->set_param( 'context', 'edit' );`
`1313`	`1313`	`$response = rest_get_server()->dispatch( $request );`
`1314`		`- $this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 );`
	`1314`	`+ $this->assertErrorResponse( 'rest_forbidden_context', $response, 401 );`
`1315`	`1315`	`}`
`1316`	`1316`
`1317`	`1317`	`/**`