REST API: Permit access to the themes controller if user can edit any post type.

Check a more exhaustive list of post type editing caps beyond "edit_post" to ensure custom user roles with access to to specific post types may still use block editor functionality depending on theme features. Props miyauchi, TimothyBlynJacobs. Fixes #46723. git-svn-id: https://develop.svn.wordpress.org/trunk@47361 602fd350-edb4-49c9-b593-d223f7449a82
2026-06-28 14:20:15 +00:00 · 2020-02-25 15:18:19 +00:00
parent a0ac0ff13d
commit b5190458fe
2 changed files with 34 additions and 7 deletions
--- a/tests/phpunit/tests/rest-api/rest-themes-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-themes-controller.php
@@ -155,6 +155,15 @@ class WP_Test_REST_Themes_Controller extends WP_Test_REST_Controller_Testcase {
 		$this->assertEqualSets( $fields, array_keys( $data[0] ) );
 	}

+	/**
+	 * @ticket 46723
+	 */
+	public function test_get_items_logged_out() {
+		wp_set_current_user( 0 );
+		$response = self::perform_active_theme_request();
+		$this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 );
+	}
+
 	/**
 	 * An error should be returned when the user does not have the edit_posts capability.
 	 *
@@ -166,6 +175,18 @@ class WP_Test_REST_Themes_Controller extends WP_Test_REST_Controller_Testcase {
 		$this->assertErrorResponse( 'rest_user_cannot_view', $response, 403 );
 	}

+	/**
+	 * @ticket 46723
+	 */
+	public function test_get_item_single_post_type_cap() {
+		$user = self::factory()->user->create_and_get();
+		$user->add_cap( 'edit_pages' );
+		wp_set_current_user( $user->ID );
+
+		$response = self::perform_active_theme_request();
+		$this->assertEquals( 200, $response->get_status() );
+	}
+
 	/**
 	 * Test an item is prepared for the response.
 	 *