REST API: Synchronize permission checks in ::get_items_permissions_check() methods for post types, post statuses, and users:

* Only query post types with `'show_in_rest' => true` instead of looping over all post types and checking the `show_in_rest` property separately.
* Return from the `foreach()` loop as soon as the permission check succeeds.

Props pbiron, TimothyBlynJacobs, SergeyBiryukov.
Fixes #49118.

git-svn-id: https://develop.svn.wordpress.org/trunk@47034 602fd350-edb4-49c9-b593-d223f7449a82
Sergey Biryukov
2020-01-03 02:26:36 +00:00
parent adb9483563
commit c27ab74ca9
3 changed files with 16 additions and 13 deletions


@@ -199,17 +199,16 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
}
if ( 'authors' === $request['who'] ) {
$can_view = false;
$types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
$types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
foreach ( $types as $type ) {
if ( post_type_supports( $type->name, 'author' )
&& current_user_can( $type->cap->edit_posts ) ) {
$can_view = true;
return true;
}
}
if ( ! $can_view ) {
return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
}
return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
}
return true;