[wp-trac] [WordPress Trac] #57078: Reading terms from a public REST endpoint is forbidden in the editor unless you can edit them
WordPress Trac
noreply at wordpress.org
Fri Nov 11 17:27:55 UTC 2022
#57078: Reading terms from a public REST endpoint is forbidden in the editor unless you can edit them
--------------------------+-----------------------------
Reporter: TJNowell | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: 5.9
Severity: normal | Keywords:
Focuses: rest-api |
--------------------------+-----------------------------
If you try to use `const terms = select( 'core' ).getEntityRecords(
'taxonomy', 'my_taxonomy' )` as a user who does not have the ability to
edit terms in that taxonomy, the REST API will reject the request with a
403 if the context is `edit`, even if that endpoint is publicly queryable.
This is due to code in the term controllers `get_items_permissions_check`
at:
https://github.com/WordPress/wordpress-develop/blame/d8712695cbafb597ce53020fe786ff5ad06bbecb/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php#L191-L197
**The needed information is available if `context=edit` is manually
removed from the API URL.**
This check should be removed; it does not make sense that public
information is unavailable in the edit context. It should instead reject
editing when editing, not when reading.
I found this issue while testing an update to WP 5.9.
As a use case, we use this information on a project to display data to
authors, but they cannot change or edit it; it's purely text.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57078>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
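The following is an added example and is not WordPress core code, nor the change the reporter asks for (removing the check in `WP_REST_Terms_Controller::get_items_permissions_check`). It is a plugin-side workaround a site owner could ship while the ticket is open: it hooks `rest_request_before_callbacks`, which `WP_REST_Server` runs after parameter validation and before the route's `permission_callback`, and downgrades `context=edit` to `context=view` on GET requests for term routes when the current user lacks the taxonomy's `edit_terms` capability. The controller's permission check then passes and the response carries view-context fields only, which is all a read-only `getEntityRecords()` call needs. The function names prefixed `example_` are made up for this illustration; the example assumes the taxonomy is registered with `show_in_rest => true` and exposes the default `/{rest_namespace}/{rest_base}` and `/{rest_namespace}/{rest_base}/{id}` routes.

```php
<?php
/**
 * Added example, not WordPress core code: downgrade context=edit to
 * context=view on read-only term requests from users who cannot edit terms,
 * so a public taxonomy stays readable in the editor.
 *
 * Assumption: the taxonomy is registered with show_in_rest => true and uses
 * the default term routes /{rest_namespace}/{rest_base}(/{id}).
 */

/**
 * Map a REST route (as returned by WP_REST_Request::get_route()) to the
 * REST-enabled taxonomy whose collection or single-term route it matches.
 *
 * @param string $route e.g. "/wp/v2/my_taxonomy" or "/wp/v2/my_taxonomy/12".
 * @return WP_Taxonomy|null Null when the route is not a term route.
 */
function example_taxonomy_for_term_route( $route ) {
	foreach ( get_taxonomies( array( 'show_in_rest' => true ), 'objects' ) as $tax ) {
		// Same fallbacks the terms controller uses for its route pieces.
		$base      = ! empty( $tax->rest_base ) ? $tax->rest_base : $tax->name;
		$namespace = ! empty( $tax->rest_namespace ) ? $tax->rest_namespace : 'wp/v2';
		$pattern   = '#^/' . preg_quote( trim( $namespace, '/' ), '#' )
			. '/' . preg_quote( $base, '#' ) . '(?:/\d+)?$#';
		if ( preg_match( $pattern, $route ) ) {
			return $tax;
		}
	}
	return null;
}

/**
 * Decide whether a request should be read in view context instead of edit
 * context. Kept separate from the hook so the decision is unit-testable.
 *
 * @param WP_REST_Request $request The incoming request.
 * @return bool True when context=edit should be downgraded to view.
 */
function example_should_downgrade_context( WP_REST_Request $request ) {
	// Only touch reads; write routes keep their own permission checks.
	if ( 'GET' !== $request->get_method() || 'edit' !== $request->get_param( 'context' ) ) {
		return false;
	}
	$tax = example_taxonomy_for_term_route( $request->get_route() );
	if ( null === $tax || ! $tax->public ) {
		return false;
	}
	// The capability the terms controller requires for context=edit; users
	// who hold it keep the full edit-context response.
	return ! current_user_can( $tax->cap->edit_terms );
}

add_filter(
	'rest_request_before_callbacks',
	function ( $response, $handler, $request ) {
		// Another filter may already have short-circuited the request.
		if ( is_wp_error( $response ) || ! $request instanceof WP_REST_Request ) {
			return $response;
		}
		if ( example_should_downgrade_context( $request ) ) {
			// 'view' is in the context enum, so the already-validated request stays valid.
			$request->set_param( 'context', 'view' );
		}
		return $response;
	},
	10,
	3
);
```

Requests that are not GET, that target a non-term route, or that come from a user who can edit the taxonomy's terms pass through untouched, so the controller's checks on the write routes and the full edit-context response for editors are unaffected. The trade-off is that a read-only user gets the view-context field set rather than the edit-context one, which is exactly what removing `context=edit` from the URL by hand (as the ticket describes) already yields.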