
Commit e0e4873

committed
Add more robust permission checks. Better check on post ID before returning it
1 parent 86f1ebe commit e0e4873


1 file changed

+37
-2
lines changed

1 file changed

+37
-2
lines changed

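--- a/includes/Abilities/Title_Generation.php
+++ b/includes/Abilities/Title_Generation.php
@@ -133,7 +133,7 @@ protected function execute_callback( $input ) {
 'label' => $this->get_label(),
 'description' => $this->get_description(),
 'content' => wp_kses_post( $args['content'] ),
-'post_id' => absint( $args['post_id'] ) ?? esc_html__( 'Not provided', 'ai' ),
+'post_id' => $args['post_id'] ? absint( $args['post_id'] ) : esc_html__( 'Not provided', 'ai' ),
 'n' => absint( $args['n'] ),
 );
 }
@@ -147,7 +147,42 @@ protected function execute_callback( $input ) {
 * @return bool|\WP_Error True if the user has permission, WP_Error otherwise.
 */
 protected function permission_callback( $args ) {
-if ( ! current_user_can( 'edit_posts' ) ) {
+$post_id = isset( $args['post_id'] ) ? absint( $args['post_id'] ) : null;
+
+if ( $post_id ) {
+$post = get_post( $args['post_id'] );
+
+// Ensure the post exists.
+if ( ! $post ) {
+return new WP_Error(
+'post_not_found',
+/* translators: %d: Post ID. */
+sprintf( esc_html__( 'Post with ID %d not found.', 'ai' ), absint( $args['post_id'] ) )
+);
+}
+
+// Ensure the user has permission to edit this particular post.
+if ( ! current_user_can( 'edit_post', $post_id ) ) {
+return new WP_Error(
+'insufficient_capabilities',
+esc_html__( 'You do not have permission to generate titles for this post.', 'ai' )
+);
+}
+
+// Ensure the post type is allowed in REST endpoints.
+$post_type = get_post_type( $post_id );
+
+if ( ! $post_type ) {
+return false;
+}
+
+$post_type_obj = get_post_type_object( $post_type );
+
+if ( ! $post_type_obj || empty( $post_type_obj->show_in_rest ) ) {
+return false;
+}
+} elseif ( ! current_user_can( 'edit_posts' ) ) {
+// Ensure the user has permission to edit posts in general.
 return new WP_Error(
 'insufficient_capabilities',
 esc_html__( 'You do not have permission to generate titles.', 'ai' )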
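Review bot: The post lookup and the error message in the second hunk read the raw `$args['post_id']` again even though the sanitized `$post_id` was just computed on the line above, so the value that is checked against `edit_post` and the value that is looked up can diverge if the sanitization ever changes; use the one variable throughout: `$post = get_post( $post_id );` and `sprintf( esc_html__( 'Post with ID %d not found.', 'ai' ), $post_id )`. The two `return false;` branches for a missing post type or a type not exposed in REST are the only failure paths that do not return a `WP_Error`, which leaves the caller without a reason code, and the docblock's `bool|\WP_Error` would be clearer if those also returned a `WP_Error` such as `'post_type_not_allowed'`. In the first hunk, `$args['post_id'] ? …` assumes the key is present while `permission_callback` guards the same key with `isset()`; if the input schema does not guarantee the key, `! empty( $args['post_id'] )` keeps the two consistent. Note also that `absint()` maps a negative ID to a different, positive post ID rather than rejecting it, which may or may not be intended. The closing braces of the `elseif` block and of `permission_callback` lie outside the hunk.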
