Check post-types validity for requests
[MAILPOET-4082]
This commit is contained in:
Sam Najian
committed by
Rodrigo Primo
Rodrigo Primo
parent
789385b0c4
commit
b800cf189f
@ -4,23 +4,33 @@ namespace MailPoet\API\JSON\v1;
|
||||
|
||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||
use MailPoet\Config\AccessControl;
|
||||
use MailPoet\Newsletter\AutomatedLatestContent as ALC;
|
||||
use MailPoet\Util\APIPermissionHelper;
|
||||
use MailPoet\WP\Functions as WPFunctions;
|
||||
use MailPoet\WP\Posts as WPPosts;
|
||||
|
||||
class AutomatedLatestContent extends APIEndpoint {
|
||||
/** @var \MailPoet\Newsletter\AutomatedLatestContent */
|
||||
/** @var ALC */
|
||||
public $ALC;
|
||||
|
||||
/*** @var WPFunctions */
|
||||
private $wp;
|
||||
|
||||
/*** @var APIPermissionHelper */
|
||||
private $permissionHelper;
|
||||
|
||||
public $permissions = [
|
||||
'global' => AccessControl::PERMISSION_MANAGE_EMAILS,
|
||||
];
|
||||
|
||||
public function __construct(
|
||||
\MailPoet\Newsletter\AutomatedLatestContent $alc,
|
||||
ALC $alc,
|
||||
APIPermissionHelper $permissionHelper,
|
||||
WPFunctions $wp
|
||||
) {
|
||||
$this->ALC = $alc;
|
||||
$this->wp = $wp;
|
||||
$this->permissionHelper = $permissionHelper;
|
||||
}
|
||||
|
||||
public function getPostTypes() {
|
||||
@ -65,14 +75,24 @@ class AutomatedLatestContent extends APIEndpoint {
|
||||
return $this->successResponse(array_values($terms));
|
||||
}
|
||||
|
||||
/**
|
||||
* @param \WP_Post[] $posts
|
||||
* @return \WP_Post[]
|
||||
*/
|
||||
private function getPermittedPosts($posts) {
|
||||
return array_filter($posts, function ($post) {
|
||||
return $this->permissionHelper->checkReadPermission($post);
|
||||
});
|
||||
}
|
||||
|
||||
public function getPosts($data = []) {
|
||||
return $this->successResponse(
|
||||
$this->ALC->getPosts($data)
|
||||
$this->getPermittedPosts($this->ALC->getPosts($data))
|
||||
);
|
||||
}
|
||||
|
||||
public function getTransformedPosts($data = []) {
|
||||
$posts = $this->ALC->getPosts($data);
|
||||
$posts = $this->getPermittedPosts($this->ALC->getPosts($data));
|
||||
return $this->successResponse(
|
||||
$this->ALC->transformPosts($data, $posts)
|
||||
);
|
||||
@ -83,7 +103,7 @@ class AutomatedLatestContent extends APIEndpoint {
|
||||
$renderedPosts = [];
|
||||
|
||||
foreach ($data['blocks'] as $block) {
|
||||
$posts = $this->ALC->getPosts($block, $usedPosts);
|
||||
$posts = $this->getPermittedPosts($this->ALC->getPosts($block, $usedPosts));
|
||||
$renderedPosts[] = $this->ALC->transformPosts($block, $posts);
|
||||
|
||||
foreach ($posts as $post) {
|
||||
|
||||
@ -84,6 +84,7 @@ class ContainerConfigurator implements IContainerConfigurator {
|
||||
$container->autowire(\MailPoet\API\JSON\v1\SubscriberStats::class)->setPublic(true);
|
||||
$container->autowire(\MailPoet\API\JSON\v1\Subscribers::class)->setPublic(true);
|
||||
$container->autowire(\MailPoet\API\JSON\v1\WoocommerceSettings::class)->setPublic(true);
|
||||
$container->autowire(\MailPoet\Util\APIPermissionHelper::class)->setPublic(true);
|
||||
// API response builders
|
||||
$container->autowire(\MailPoet\API\JSON\ResponseBuilders\NewslettersResponseBuilder::class)->setPublic(true);
|
||||
$container->autowire(\MailPoet\API\JSON\ResponseBuilders\NewsletterTemplatesResponseBuilder::class);
|
||||
|
||||
35
mailpoet/lib/Util/APIPermissionHelper.php
Normal file
35
mailpoet/lib/Util/APIPermissionHelper.php
Normal file
@ -0,0 +1,35 @@
|
||||
<?php
|
||||
|
||||
namespace MailPoet\Util;
|
||||
|
||||
if (!class_exists('\WP_REST_Posts_Controller')) {
|
||||
require_once ABSPATH . '/wp-includes/rest-api/endpoints/class-wp-rest-controller.php';
|
||||
require_once ABSPATH . '/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php';
|
||||
}
|
||||
|
||||
class APIPermissionHelper extends \WP_REST_Posts_Controller {
|
||||
public function __construct() {
|
||||
// constructor is needed to override parent constructor
|
||||
}
|
||||
|
||||
public function checkReadPermission(\WP_Post $post): bool {
|
||||
return parent::check_read_permission($post);
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if a given post type can be viewed or managed.
|
||||
* Refrain from checking `show_in_rest` contrary to what parent::check_is_post_type_allowed does
|
||||
*
|
||||
* @param \WP_Post_Type|string $post_type Post type name or object.
|
||||
* @return bool Whether the post type is allowed in REST.
|
||||
* @see parent::check_is_post_type_allowed
|
||||
*/
|
||||
// phpcs:disable PSR1.Methods.CamelCapsMethodName
|
||||
protected function check_is_post_type_allowed($post_type) {
|
||||
if (!is_object($post_type)) {
|
||||
$post_type = get_post_type_object($post_type);
|
||||
}
|
||||
|
||||
return !empty($post_type) && $post_type->public;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user