This repository has been archived by the owner on Dec 27, 2022. It is now read-only.

Unauthenticated user unable to view a customize-draft post via REST API #32

Open
westonruter opened this issue Jun 4, 2016 · 3 comments

Comments

@westonruter
Contributor

  1. Create a new post via Customize Posts, giving it a publish status, but do not Publish.
  2. Click Save.
  3. Make a request via the REST API for the post, such as at http://vvv.example.com/wp-json/wp/v2/foods/159?customize_snapshot_uuid=ed6cb1bd-00c4-4927-8ae2-c98f257478f7
  4. Fail: {"code":"rest_forbidden","message":"You don't have permission to do this.","data":{"status":403}}. It was expected that, since the snapshot UUID was present, the publish status in the snapshot would have allowed the post to be accessed.

The issue is in \WP_REST_Posts_Controller::check_read_permission(), specifically:

```php
// Can we read the post?
if ( 'publish' === $post->post_status || current_user_can( $post_type->cap->read_post, $post->ID ) ) {
    return true;
}
```

It seems the fix for this is to add a user_has_cap filter to explicitly grant the read_post capability for a post that is modified in the snapshot to have a status whereby the requesting user would be able to view it.

@valendesigns
Contributor

@westonruter There would not be a user object to add the capability to if they are not authenticated, so I'm not sure how that would work.

@westonruter
Contributor Author

@valendesigns actually, there is a WP_User object that is passed into user_has_cap. It's just that they have an ID of 0. It looks like:

```
object(WP_User)[184]
  public 'data' => 
    object(stdClass)[183]
  public 'ID' => int 0
  public 'caps' => 
    array (size=0)
      empty
  public 'cap_key' => null
  public 'roles' => 
    array (size=0)
      empty
  public 'allcaps' => 
    array (size=0)
      empty
  public 'filter' => null
```

So the filter would just check if 0 === $user->ID for unauthenticated users.

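The filter proposed in the issue description and refined in the comment above, written out as an added example. This is not code from Customize Posts or Customize Snapshots; it assumes WordPress is loaded (add_filter, get_post_status_object, sanitize_key, wp_unslash are core functions) and uses a hypothetical helper, example_snapshot_post_status(), whose lookup table is constructed sample data standing in for the real snapshot store. The post ID 159 and the UUID are taken from the report's example URL.

```php
<?php
/**
 * Added example (not the plugin's own code): a user_has_cap filter that lets
 * \WP_REST_Posts_Controller::check_read_permission() succeed when the active
 * snapshot changes a post's status to a public one.
 */

/**
 * Hypothetical helper: return the post_status the requested snapshot assigns
 * to $post_id, or null when no snapshot is requested or it leaves the post alone.
 * A real implementation would read the snapshot's post setting from storage.
 */
function example_snapshot_post_status( $post_id ) {
    // Only consult a snapshot when the request names one, mirroring the
    // ?customize_snapshot_uuid=... parameter in the bug report.
    if ( empty( $_GET['customize_snapshot_uuid'] ) ) {
        return null;
    }
    $uuid = sanitize_key( wp_unslash( $_GET['customize_snapshot_uuid'] ) );

    // Constructed sample data: snapshot UUID => ( post ID => status it sets ).
    $snapshots = array(
        'ed6cb1bd-00c4-4927-8ae2-c98f257478f7' => array( 159 => 'publish' ),
    );
    if ( ! isset( $snapshots[ $uuid ][ (int) $post_id ] ) ) {
        return null;
    }
    return $snapshots[ $uuid ][ (int) $post_id ];
}

/**
 * user_has_cap filter.
 *
 * @param array   $allcaps Capabilities the user already has.
 * @param array   $caps    Primitive caps map_meta_cap() requires for $args[0].
 * @param array   $args    array( requested cap, user ID, object ID, ... ).
 * @param WP_User $user    Requesting user; for an unauthenticated request this
 *                         is still a WP_User, just with ID 0 and no roles.
 * @return array
 */
function example_snapshot_grant_read_post_cap( $allcaps, $caps, $args, $user ) {
    // Only act on read_post checks that carry a post ID.
    if ( 'read_post' !== $args[0] || ! isset( $args[2] ) ) {
        return $allcaps;
    }

    // Never override an explicit denial from map_meta_cap().
    if ( in_array( 'do_not_allow', $caps, true ) ) {
        return $allcaps;
    }

    $status = example_snapshot_post_status( (int) $args[2] );
    if ( null === $status ) {
        return $allcaps; // The snapshot does not modify this post.
    }

    // Grant only when the snapshot status is one that anyone may read
    // (e.g. publish); a snapshot setting the post to draft grants nothing.
    $status_obj = get_post_status_object( $status );
    if ( ! $status_obj || empty( $status_obj->public ) ) {
        return $allcaps;
    }

    // The grant is scoped to this single has_cap() evaluation: WP_User::has_cap()
    // uses the filtered array locally and does not persist it, so the caps
    // computed for the stored (non-public) status are satisfied only for
    // this read_post check. This works for $user->ID === 0 as well.
    foreach ( $caps as $cap ) {
        $allcaps[ $cap ] = true;
    }
    return $allcaps;
}
add_filter( 'user_has_cap', 'example_snapshot_grant_read_post_cap', 10, 4 );
```

Two caveats worth keeping in mind when turning this into the real PR: the grant only fires for the current_user_can() branch of check_read_permission(), so any other place that compares $post->post_status directly still sees the stored status; and because the snapshot UUID becomes the only thing standing between an anonymous request and an unpublished post, the helper must refuse to resolve a snapshot the requester is not entitled to see.
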
@valendesigns
Contributor

Well then, I take that comment back and this should be a quick win. I'll create a PR.
