Add API key-specific permission check

Part of woocommerce#4055
maxrice · Nov 19, 2013 · ef22f03 · ef22f03
1 parent 61fb0f7
commit ef22f03
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/includes/api/class-wc-api-authentication.php b/includes/api/class-wc-api-authentication.php
@@ -44,6 +44,9 @@ public function authenticate( $user ) {
 			else
 				$user = $this->perform_oauth_authentication();
 
+			// check API key-specific permission
+			$this->check_api_key_permissions( $user );
+
 		} catch ( Exception $e ) {
 
 			$user = new WP_Error( 'woocommerce_api_authentication_error', $e->getMessage(), array( 'status' => $e->getCode() ) );
@@ -263,4 +266,33 @@ private function check_oauth_timestamp_and_nonce( $user, $timestamp, $nonce ) {
 		update_user_meta( $user->ID, 'woocommerce_api_nonces', $used_nonces );
 	}
 
+	/**
+	 * Check that the API keys provided have the proper key-specific permissions to either read or write API resources
+	 *
+	 * @param WP_User $user
+	 * @throws Exception if the permission check fails
+	 */
+	public function check_api_key_permissions( $user ) {
+
+		$key_permissions = $user->woocommerce_api_key_permissions;
+
+		switch ( WC()->api->server->method ) {
+
+			case 'HEAD':
+			case 'GET':
+				if ( 'read' !== $key_permissions && 'read_write' !== $key_permissions ) {
+					throw new Exception( __( 'The API key provided does not have read permissions', 'woocommerce' ), 401 );
+				}
+				break;
+
+			case 'POST':
+			case 'PUT':
+			case 'PATCH':
+			case 'DELETE':
+				if ( 'write' !== $key_permissions && 'read_write' !== $key_permissions ) {
+					throw new Exception( __( 'The API key provided does not have write permissions', 'woocommerce' ), 401 );
+				}
+				break;
+		}
+	}
 }