mirror of
https://github.com/gosticks/wordpress-develop.git
synced 2026-06-28 22:30:04 +00:00
REST API: Unify object access handling for simplicity.
Rather than repeating ourselves, unifying the access into a single method keeps everything tidy. While we're at it, add in additional schema handling for common parameters. See #38792. git-svn-id: https://develop.svn.wordpress.org/trunk@39954 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Joe Hoyle
@@ -65,6 +65,12 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
|
||||
) );
|
||||
|
||||
register_rest_route( $this->namespace, '/' . $this->rest_base . '/(?P<id>[\d]+)', array(
|
||||
'args' => array(
|
||||
'id' => array(
|
||||
'description' => __( 'Unique identifier for the user.' ),
|
||||
'type' => 'integer',
|
||||
),
|
||||
),
|
||||
array(
|
||||
'methods' => WP_REST_Server::READABLE,
|
||||
'callback' => array( $this, 'get_item' ),
|
||||
@@ -326,6 +332,28 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
|
||||
return $response;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the user, if the ID is valid.
|
||||
*
|
||||
* @since 4.7.2
|
||||
*
|
||||
* @param int $id Supplied ID.
|
||||
* @return WP_User|WP_Error True if ID is valid, WP_Error otherwise.
|
||||
*/
|
||||
protected function get_user( $id ) {
|
||||
$error = new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) );
|
||||
if ( (int) $id <= 0 ) {
|
||||
return $error;
|
||||
}
|
||||
|
||||
$user = get_userdata( (int) $id );
|
||||
if ( empty( $user ) || ! $user->exists() ) {
|
||||
return $error;
|
||||
}
|
||||
|
||||
return $user;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if a given request has access to read a user.
|
||||
*
|
||||
@@ -336,22 +364,20 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
|
||||
* @return true|WP_Error True if the request has read access for the item, otherwise WP_Error object.
|
||||
*/
|
||||
public function get_item_permissions_check( $request ) {
|
||||
|
||||
$id = (int) $request['id'];
|
||||
$user = get_userdata( $id );
|
||||
$types = get_post_types( array( 'show_in_rest' => true ), 'names' );
|
||||
|
||||
if ( empty( $id ) || empty( $user->ID ) ) {
|
||||
return new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) );
|
||||
$user = $this->get_user( $request['id'] );
|
||||
if ( is_wp_error( $user ) ) {
|
||||
return $user;
|
||||
}
|
||||
|
||||
if ( get_current_user_id() === $id ) {
|
||||
$types = get_post_types( array( 'show_in_rest' => true ), 'names' );
|
||||
|
||||
if ( get_current_user_id() === $user->ID ) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
|
||||
return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
} elseif ( ! count_user_posts( $id, $types ) && ! current_user_can( 'edit_user', $id ) && ! current_user_can( 'list_users' ) ) {
|
||||
} elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) {
|
||||
return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
@@ -368,11 +394,9 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
|
||||
* @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
|
||||
*/
|
||||
public function get_item( $request ) {
|
||||
$id = (int) $request['id'];
|
||||
$user = get_userdata( $id );
|
||||
|
||||
if ( empty( $id ) || empty( $user->ID ) ) {
|
||||
return new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) );
|
||||
$user = $this->get_user( $request['id'] );
|
||||
if ( is_wp_error( $user ) ) {
|
||||
return $user;
|
||||
}
|
||||
|
||||
$user = $this->prepare_item_for_response( $user, $request );
|
||||
@@ -542,10 +566,12 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
|
||||
* @return true|WP_Error True if the request has access to update the item, WP_Error object otherwise.
|
||||
*/
|
||||
public function update_item_permissions_check( $request ) {
|
||||
$user = $this->get_user( $request['id'] );
|
||||
if ( is_wp_error( $user ) ) {
|
||||
return $user;
|
||||
}
|
||||
|
||||
$id = (int) $request['id'];
|
||||
|
||||
if ( ! current_user_can( 'edit_user', $id ) ) {
|
||||
if ( ! current_user_can( 'edit_user', $user->ID ) ) {
|
||||
return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
@@ -566,8 +592,12 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
|
||||
* @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
|
||||
*/
|
||||
public function update_item( $request ) {
|
||||
$id = (int) $request['id'];
|
||||
$user = get_userdata( $id );
|
||||
$user = $this->get_user( $request['id'] );
|
||||
if ( is_wp_error( $user ) ) {
|
||||
return $user;
|
||||
}
|
||||
|
||||
$id = $user->ID;
|
||||
|
||||
if ( ! $user ) {
|
||||
return new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) );
|
||||
@@ -682,10 +712,12 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
|
||||
* @return true|WP_Error True if the request has access to delete the item, WP_Error object otherwise.
|
||||
*/
|
||||
public function delete_item_permissions_check( $request ) {
|
||||
$user = $this->get_user( $request['id'] );
|
||||
if ( is_wp_error( $user ) ) {
|
||||
return $user;
|
||||
}
|
||||
|
||||
$id = (int) $request['id'];
|
||||
|
||||
if ( ! current_user_can( 'delete_user', $id ) ) {
|
||||
if ( ! current_user_can( 'delete_user', $user->ID ) ) {
|
||||
return new WP_Error( 'rest_user_cannot_delete', __( 'Sorry, you are not allowed to delete this user.' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
@@ -706,8 +738,12 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
|
||||
if ( is_multisite() ) {
|
||||
return new WP_Error( 'rest_cannot_delete', __( 'The user cannot be deleted.' ), array( 'status' => 501 ) );
|
||||
}
|
||||
$user = $this->get_user( $request['id'] );
|
||||
if ( is_wp_error( $user ) ) {
|
||||
return $user;
|
||||
}
|
||||
|
||||
$id = (int) $request['id'];
|
||||
$id = $user->ID;
|
||||
$reassign = false === $request['reassign'] ? null : absint( $request['reassign'] );
|
||||
$force = isset( $request['force'] ) ? (bool) $request['force'] : false;
|
||||
|
||||
@@ -716,12 +752,6 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
|
||||
return new WP_Error( 'rest_trash_not_supported', __( 'Users do not support trashing. Set force=true to delete.' ), array( 'status' => 501 ) );
|
||||
}
|
||||
|
||||
$user = get_userdata( $id );
|
||||
|
||||
if ( ! $user ) {
|
||||
return new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) );
|
||||
}
|
||||
|
||||
if ( ! empty( $reassign ) ) {
|
||||
if ( $reassign === $id || ! get_userdata( $reassign ) ) {
|
||||
return new WP_Error( 'rest_user_invalid_reassign', __( 'Invalid user ID for reassignment.' ), array( 'status' => 400 ) );
|
||||
|
||||
Reference in New Issue
Block a user