Allow unauthenticated user to view a customize-draft post via REST API #117
Conversation
2 similar comments
| return $allcaps; | ||
| } | ||
|
|
||
| $post = get_post( absint( $args[2] ) ); |
There was a problem hiding this comment.
Question: Why absint? Should be guaranteed to already be a post ID. If it isn't, then the previous if should check for it.
There was a problem hiding this comment.
Yes, it seems to be guaranteed, good point. Added that automatically, will remove.
| if ( ! $chageset_id ) { | ||
| return $allcaps; | ||
| } | ||
| $data = $this->post_type->get_post_content( get_post( absint( $chageset_id ) ) ); |
There was a problem hiding this comment.
Mispelling in chageset_id.
| if ( isset( $data[ $key ] ) ) { | ||
| $changeset_post_values = $data[ $key ]['value']; | ||
| if ( isset( $changeset_post_values['post_status'] ) ) { | ||
| $is_published = 'publish' === $changeset_post_values['post_status']; |
There was a problem hiding this comment.
What if the post is private and the current user can read private posts?
There was a problem hiding this comment.
Unauthenticated user shouldn't have the ability to read private posts by default. Are you thinking of a case when reading private posts permission is given somewhere else to the unauthenticated user via a filter? Maybe it should be handled in the place where that's added then? Or in which cases would unauthenticated user have the permission to read private posts?
There was a problem hiding this comment.
I'm thinking of when a less-privileged authenticated user is making an API request. Consider an editor user making an authenticated request to the API. They should be able to see a post which is in the DB as an draft but which is private in the customized state.
| '0' => 'read_post', | ||
| '2' => $post_id, | ||
| ); | ||
| $allcaps = $this->manager->filter_user_has_cap( array(), $caps, $args ); |
There was a problem hiding this comment.
Instead of using the filter_user_has_cap method directly, should this instead use current_user_can to ensure that the filter is applying?
|
|
||
| if ( | ||
| ! $this->current_snapshot_uuid | ||
| || 0 !== $current_user->ID |
There was a problem hiding this comment.
I think the check for current user being 0 should be removed because it should also work for under-privileged users making authenticated requests to read posts that normally they wouldn't be able to read, except that the post is made readable due to the status in the customized state.
Consider an author user making an authenticated API request. They should be able to access a post that is draft in the DB but publish in the customized state.
| ! $this->current_snapshot_uuid | ||
| || 0 !== $current_user->ID | ||
| || ! isset( $args[2] ) | ||
| || 'read_post' !== $args['0'] |
There was a problem hiding this comment.
Why is 0 a string here?
|
|
||
| if ( true === $is_published ) { | ||
| $allcaps[ $caps[0] ] = true; | ||
| } |
There was a problem hiding this comment.
You might want to change the condition here to be:
$allcaps[ $caps[0] ] = $is_published;This could potentially handle the reverse condition where access to a post could be revoked if if its status is changed from publish to private and the user is not authorized to view private posts. There's probably more to it than that, but this is what came to mind.
| $args = array( | ||
| '0' => 'read_post', | ||
| '2' => $post_id, | ||
| ); |
There was a problem hiding this comment.
These variables, $args and $caps aren't being used?
| $post_id = $this->factory()->post->create( array( | ||
| 'post_type' => 'post', | ||
| 'post_status' => 'auto-draft', | ||
| ) ); |
There was a problem hiding this comment.
Can there be other posts here including ones that have the draft, private, and publish statuses? Then below in the changeset data these posts can have the post_status overridden to for example reverse the statuses. Then at the end it can set the current user to anonymous, to an author, and to an administrator and for each then the read_post cap check can be verified to return the proper result for the customized state?
There was a problem hiding this comment.
On it. For some reason checking for read_post cap causes failure (fatal error) in unit tests, haven't figured out why yet, that's why the delay in fixing.
miina
changed the title
…th-users-api-read-permissions
|
Changes Unknown when pulling abefb00 on feature/grant-unauth-users-api-read-permissions into ** on develop**. |
miina
changed the title
|
@miina Please fix merge conflicts so I can review. Thanks! |
1 similar comment
Fixes #32
Allows unauthenticated user read a customize-draft post in case it's with status
publishwithin the Snapshot/Changeset.