REST API: Lockdown post parameter of the terms endpoint.

Props johnbillion, tykoted, timothyblynjacobs, peterwilsoncc, martinkrcho, ehtis.


git-svn-id: https://develop.svn.wordpress.org/trunk@54528 602fd350-edb4-49c9-b593-d223f7449a82

Author: audrasjb

src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php

@@ -144,6 +144,35 @@ public function register_routes() {
 		);
 	}
 
+	/**
+	 * Checks if the terms for a post can be read.
+	 *
+	 * @since 6.0.3
+	 *
+	 * @param WP_Post         $post    Post object.
+	 * @param WP_REST_Request $request Full details about the request.
+	 * @return bool Whether the terms for the post can be read.
+	 */
+	public function check_read_terms_permission_for_post( $post, $request ) {
+		// If the requested post isn't associated with this taxonomy, deny access.
+		if ( ! is_object_in_taxonomy( $post->post_type, $this->taxonomy ) ) {
+			return false;
+		}
+
+		// Grant access if the post is publicly viewable.
+		if ( is_post_publicly_viewable( $post ) ) {
+			return true;
+		}
+
+		// Otherwise grant access if the post is readable by the logged in user.
+		if ( current_user_can( 'read_post', $post->ID ) ) {
+			return true;
+		}
+
+		// Otherwise, deny access.
+		return false;
+	}
+
 	/**
 	 * Checks if a request has access to read terms in the specified taxonomy.
 	 *
@@ -167,6 +196,30 @@ public function get_items_permissions_check( $request ) {
 			);
 		}
 
+		if ( ! empty( $request['post'] ) ) {
+			$post = get_post( $request['post'] );
+
+			if ( ! $post ) {
+				return new WP_Error(
+					'rest_post_invalid_id',
+					__( 'Invalid post ID.' ),
+					array(
+						'status' => 400,
+					)
+				);
+			}
+
+			if ( ! $this->check_read_terms_permission_for_post( $post, $request ) ) {
+				return new WP_Error(
+					'rest_forbidden_context',
+					__( 'Sorry, you are not allowed to view terms for this post.' ),
+					array(
+						'status' => rest_authorization_required_code(),
+					)
+				);
+			}
+		}
+
 		return true;
 	}