From 3bb3bdcba92b56a5953d38c82acdb2fef3881b56 Mon Sep 17 00:00:00 2001 From: Ronald Huereca Date: Mon, 10 Jun 2019 11:21:41 -0500 Subject: [PATCH] Fixing REST API Endpoint. --- languages/metronet-profile-picture.pot | 112 +++++++++++++------------ metronet-profile-picture.php | 15 ++-- readme.txt | 9 +- 3 files changed, 76 insertions(+), 60 deletions(-) diff --git a/languages/metronet-profile-picture.pot b/languages/metronet-profile-picture.pot index 875382b..b50123c 100644 --- a/languages/metronet-profile-picture.pot +++ b/languages/metronet-profile-picture.pot @@ -2,15 +2,15 @@ # This file is distributed under the same license as the User Profile Picture plugin. msgid "" msgstr "" -"Project-Id-Version: User Profile Picture 2.2.5\n" +"Project-Id-Version: User Profile Picture 2.2.6\n" "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/user-profile-picture\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"POT-Creation-Date: 2019-06-01T22:26:23+00:00\n" -"PO-Revision-Date: 2019-06-01T22:26:23+00:00\n" +"POT-Creation-Date: 2019-06-10T16:20:09+00:00\n" +"PO-Revision-Date: 2019-06-10T16:20:09+00:00\n" "X-Generator: WP-CLI 2.0.1\n" "X-Domain: metronet-profile-picture\n" 
@@ -34,114 +34,118 @@ msgstr "" msgid "https://www.mediaron.com" msgstr "" -#: metronet-profile-picture.php:97 -#: metronet-profile-picture.php:142 -#: metronet-profile-picture.php:158 -#: metronet-profile-picture.php:188 -#: metronet-profile-picture.php:477 -#: metronet-profile-picture.php:483 +#: metronet-profile-picture.php:116 +#: metronet-profile-picture.php:167 +#: metronet-profile-picture.php:185 +#: metronet-profile-picture.php:221 +#: metronet-profile-picture.php:554 +#: metronet-profile-picture.php:560 msgid "Upload or Change Profile Picture" msgstr "" -#: metronet-profile-picture.php:99 -#: metronet-profile-picture.php:144 -#: metronet-profile-picture.php:159 -#: metronet-profile-picture.php:189 -#: metronet-profile-picture.php:479 -#: metronet-profile-picture.php:485 +#: metronet-profile-picture.php:118 +#: metronet-profile-picture.php:169 +#: metronet-profile-picture.php:186 +#: metronet-profile-picture.php:222 +#: metronet-profile-picture.php:556 +#: metronet-profile-picture.php:562 msgid "Click to Edit" msgstr "" -#: metronet-profile-picture.php:100 -#: metronet-profile-picture.php:145 -#: metronet-profile-picture.php:493 +#: metronet-profile-picture.php:119 +#: metronet-profile-picture.php:170 +#: metronet-profile-picture.php:570 msgid "Remove profile image" msgstr "" -#: metronet-profile-picture.php:399 -#: metronet-profile-picture.php:545 +#: metronet-profile-picture.php:463 +#: metronet-profile-picture.php:630 msgid "Crop Thumbnail" msgstr "" -#: metronet-profile-picture.php:466 +#: metronet-profile-picture.php:543 msgid "Profile Image" msgstr "" -#: metronet-profile-picture.php:518 +#: metronet-profile-picture.php:595 msgid "Override Avatar?" 
msgstr "" -#: metronet-profile-picture.php:543 +#: metronet-profile-picture.php:628 msgid "Set Profile Image" msgstr "" -#: metronet-profile-picture.php:544 +#: metronet-profile-picture.php:629 msgid "Remove Profile Image" msgstr "" -#: metronet-profile-picture.php:755 +#: metronet-profile-picture.php:847 msgid "You must be able to upload files." msgstr "" -#: metronet-profile-picture.php:759 -#: metronet-profile-picture.php:792 -#: metronet-profile-picture.php:818 -#: metronet-profile-picture.php:854 +#: metronet-profile-picture.php:851 +#: metronet-profile-picture.php:889 +#: metronet-profile-picture.php:916 +#: metronet-profile-picture.php:954 msgid "User not found." msgstr "" -#: metronet-profile-picture.php:763 +#: metronet-profile-picture.php:854 +msgid "You must have a role of editor or above to set a new profile image." +msgstr "" + +#: metronet-profile-picture.php:858 msgid "User not owner." msgstr "" -#: metronet-profile-picture.php:827 -#: metronet-profile-picture.php:861 +#: metronet-profile-picture.php:925 +#: metronet-profile-picture.php:961 msgid "Profile picture not found." 
msgstr "" -#: metronet-profile-picture.php:1049 +#: metronet-profile-picture.php:1154 msgid "Author" msgstr "" -#: metronet-profile-picture.php:1050 -#: gutenberg/class-gutenberg.php:207 +#: metronet-profile-picture.php:1155 +#: gutenberg/class-gutenberg.php:212 msgid "Latest Posts" msgstr "" -#: metronet-profile-picture.php:1051 +#: metronet-profile-picture.php:1156 msgid "Author Information" msgstr "" -#: metronet-profile-picture.php:1088 -#: metronet-profile-picture.php:1144 -#: gutenberg/class-gutenberg.php:299 -#: gutenberg/class-gutenberg.php:355 +#: metronet-profile-picture.php:1193 +#: metronet-profile-picture.php:1249 +#: gutenberg/class-gutenberg.php:307 +#: gutenberg/class-gutenberg.php:363 #: dist/blocks.build.js:1 msgid "View Posts" msgstr "" -#: metronet-profile-picture.php:1093 -#: metronet-profile-picture.php:1149 -#: gutenberg/class-gutenberg.php:304 -#: gutenberg/class-gutenberg.php:360 +#: metronet-profile-picture.php:1198 +#: metronet-profile-picture.php:1254 +#: gutenberg/class-gutenberg.php:312 +#: gutenberg/class-gutenberg.php:368 #: dist/blocks.build.js:1 msgid "View Website" msgstr "" -#: metronet-profile-picture.php:1117 -#: gutenberg/class-gutenberg.php:328 +#: metronet-profile-picture.php:1222 +#: gutenberg/class-gutenberg.php:336 #: dist/blocks.build.js:1 msgid "View all posts by" msgstr "" -#: metronet-profile-picture.php:1121 -#: gutenberg/class-gutenberg.php:332 +#: metronet-profile-picture.php:1226 +#: gutenberg/class-gutenberg.php:340 #: dist/blocks.build.js:1 msgid "Website" msgstr "" -#: gutenberg/class-gutenberg.php:199 -#: gutenberg/class-gutenberg.php:203 +#: gutenberg/class-gutenberg.php:204 +#: gutenberg/class-gutenberg.php:208 msgid "Author Details" msgstr "" @@ -225,10 +229,6 @@ msgstr "" msgid "Right" msgstr "" -#: dist/blocks.build.js:1 -msgid "Loading..." -msgstr "" - #: dist/blocks.build.js:1 msgid "User Profile Settings" msgstr "" 
@@ -444,3 +444,7 @@ msgstr "" #: dist/blocks.build.js:1 msgid "Add profile title..." msgstr "" + +#: dist/blocks.build.js:1 +msgid "Loading..." +msgstr "" diff --git a/metronet-profile-picture.php b/metronet-profile-picture.php index 443a858..095f6a2 100644 --- a/metronet-profile-picture.php +++ b/metronet-profile-picture.php @@ -4,7 +4,7 @@ Plugin URI: http://wordpress.org/extend/plugins/metronet-profile-picture/ Description: Use the native WP uploader on your user profile page. Author: Ronald Huereca -Version: 2.2.5 +Version: 2.2.6 Requires at least: 3.5 Author URI: https://www.mediaron.com Contributors: ronalfy @@ -12,7 +12,7 @@ Domain Path: /languages */ -define( 'METRONET_PROFILE_PICTURE_VERSION', '2.2.5' ); +define( 'METRONET_PROFILE_PICTURE_VERSION', '2.2.6' ); /** * Main Class for User Profile Picture @@ -850,11 +850,16 @@ public function rest_api_put_profile( $request ) { if ( ! $user_id ) { return new WP_Error( 'mpp_no_user', __( 'User not found.', 'metronet-profile-picture' ), array( 'status' => 403 ) ); } - $is_post_owner = ( get_post( $media_id )->post_author === $user_id ) ? true : false; - if ( ! $is_post_owner ) { - return new WP_Error( 'mpp_not_owner', __( 'User not owner.', 'metronet-profile-picture' ), array( 'status' => 403 ) ); + if ( ! current_user_can( 'edit_others_posts' ) ) { + return new WP_Error( 'mpp_not_privs', __( 'You must have a role of editor or above to set a new profile image.', 'metronet-profile-picture' ), array( 'status' => 403 ) ); + } else { + $is_post_owner = ( get_post( $media_id )->post_author === $user_id ) ? true : false; + if ( ! $is_post_owner ) { + return new WP_Error( 'mpp_not_owner', __( 'User not owner.', 'metronet-profile-picture' ), array( 'status' => 403 ) ); + } } + $post_id = $this->get_post_id( $user_id ); //Save user meta update_user_option( $user_id, 'metronet_post_id', $post_id ); diff --git a/readme.txt b/readme.txt index 99441c0..a8132e0 100644 --- a/readme.txt +++ b/readme.txt 
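Review bot: The ownership test kept in the new `else` branch of `rest_api_put_profile` dereferences `get_post( $media_id )` without checking the result, and it compares the attachment's author with `$user_id` rather than with the caller. `get_post()` returns null for an unknown ID, so a bad `media_id` raises a PHP notice instead of a clean error; fetch the post first and return a `WP_Error` when it is missing or its `post_type` is not `attachment`. `WP_Post::$post_author` is a numeric string, so the strict `===` matches only if `$user_id` is also a string; `(int) $post->post_author === (int) $user_id` avoids a check that could never pass. Where `$user_id` is assigned lies outside the hunk; if it is taken from the request, `edit_others_posts` is a post capability and does not establish that the caller may change that account, which `current_user_can( 'edit_user', $user_id )` would express directly. The function body starts and ends outside the hunk, so confirm these points against the full method.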
@@ -3,7 +3,7 @@ Contributors: ronalfy, Alaadiaa Tags: users, user profile, gravatar, avatar, blocks, block Requires at least: 3.5 Tested up to: 5.2 -Stable tag: 2.2.5 +Stable tag: 2.2.6 Requires PHP: 5.2 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html @@ -124,6 +124,10 @@ Yes, but you'll have to set a new profile image per site. This is currently a l == Changelog == += 2.2.6 = +* Released 2019-06-10 +* Fixing permissions in REST API + = 2.2.5 = * Released 2019-06-02 * Code cleanup. @@ -299,5 +303,8 @@ Yes, but you'll have to set a new profile image per site. This is currently a l == Upgrade Notice == += 2.2.6 = +Fixing permissions in REST API. + = 2.2.5 = Code cleanup. Leaner Gutenberg JavaScript. Gutenberg improvements. Security improvements. \ No newline at end of file