[not verified] don't extend WP_REST_Posts_Controller and make sure we…

… request as the user
Automattic · May 31, 2023 · da01c5f · da01c5f
1 parent 56399c1
commit da01c5f
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 15 deletions.
diff --git a/..._inc/lib/core-api/wpcom-endpoints/class-wpcom-rest-api-v2-endpoint-send-email-preview.php b/..._inc/lib/core-api/wpcom-endpoints/class-wpcom-rest-api-v2-endpoint-send-email-preview.php
@@ -6,13 +6,14 @@
  */
 
 use Automattic\Jetpack\Connection\Manager;
+
 require_once __DIR__ . '/trait-wpcom-rest-api-proxy-request-trait.php';
 
 /**
  * Class WPCOM_REST_API_V2_Endpoint_Send_Email_Preview
  * Handles the sending of email previews via the WordPress.com REST API
  */
-class WPCOM_REST_API_V2_Endpoint_Send_Email_Preview extends WP_REST_Posts_Controller {
+class WPCOM_REST_API_V2_Endpoint_Send_Email_Preview extends WP_REST_Controller {
 
 	use WPCOM_REST_API_Proxy_Request_Trait;
 
@@ -38,12 +39,11 @@ public function __construct() {
 	 */
 	public function register_routes() {
 		$options = array(
-			'show_in_index'       => true,
-			'methods'             => 'POST',
+			'show_in_index' => true,
+			'methods'       => 'POST',
 			// if this is not a wpcom site, we need to proxy the request to wpcom
-			'callback'            => ( defined( 'IS_WPCOM' ) && IS_WPCOM ) ? array( $this, 'send_email_preview' ) : array( $this, 'proxy_request_to_wpcom' ),
-			'permission_callback' => array( $this, 'permissions_check' ),
-			'args'                => array(
+			'callback'      => ( defined( 'IS_WPCOM' ) && IS_WPCOM ) ? array( $this, 'send_email_preview' ) : array( $this, 'proxy_request_to_wpcom_as_user' ),
+			'args'          => array(
 				'id' => array(
 					'description' => __( 'Unique identifier for the post.', 'jetpack' ),
 					'type'        => 'integer',
@@ -62,6 +62,7 @@ public function register_routes() {
 	 * Checks if the user is connected and has access to edit the post
 	 *
 	 * @param WP_REST_Request $request Full data about the request.
+	 *
 	 * @return true|WP_Error True if the request has edit access, WP_Error object otherwise.
 	 */
 	public function permissions_check( $request ) {
@@ -73,20 +74,33 @@ public function permissions_check( $request ) {
 			);
 		}
 
-		$request['context'] = 'edit';
+		$post = get_post( $request['id'] );
+
+		if ( is_wp_error( $post ) ) {
+			return $post;
+		}
+
+		if ( $post && ! current_user_can( 'edit_post', $post->ID ) ) {
+			return new WP_Error(
+				'rest_forbidden_context',
+				__( 'Sorry, you are not allowed to edit this post.', 'jetpack' ),
+				array( 'status' => rest_authorization_required_code() )
+			);
+		}
 
-		return $this->get_item_permissions_check( $request );
+		return true;
 	}
 
 	/**
 	 * Sends an email preview of a post to the current user.
 	 *
 	 * @param WP_REST_Request $request Full data about the request.
+	 *
 	 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
 	 */
 	public function send_email_preview( $request ) {
 		$post_id = $request['id'];
-		$post    = $this->get_post( $post_id );
+		$post    = get_post( $post_id );
 
 		// Return error if the post cannot be retrieved
 		if ( is_wp_error( $post ) ) {

diff --git a/...ns/jetpack/_inc/lib/core-api/wpcom-endpoints/trait-wpcom-rest-api-proxy-request-trait.php b/...ns/jetpack/_inc/lib/core-api/wpcom-endpoints/trait-wpcom-rest-api-proxy-request-trait.php
@@ -8,7 +8,6 @@
  */
 
 use Automattic\Jetpack\Connection\Client;
-use Automattic\Jetpack\Connection\Manager;
 use Automattic\Jetpack\Status\Visitor;
 
 trait WPCOM_REST_API_Proxy_Request_Trait {
@@ -21,7 +20,7 @@ trait WPCOM_REST_API_Proxy_Request_Trait {
 	 *
 	 * @return mixed|WP_Error           Response from wpcom servers or an error.
 	 */
-	public function proxy_request_to_wpcom( $request, $path = '' ) {
+	public function proxy_request_to_wpcom_as_user( $request, $path = '' ) {
 		$blog_id = \Jetpack_Options::get_option( 'id' );
 		$path    = '/sites/' . rawurldecode( $blog_id ) . rawurldecode( $this->rest_base ) . ( $path ? '/' . rawurldecode( $path ) : '' );
 		$api_url = add_query_arg( $request->get_query_params(), $path );
@@ -34,10 +33,7 @@ public function proxy_request_to_wpcom( $request, $path = '' ) {
 			'method'  => $request->get_method(),
 		);
 
-		// Prefer request as user, if possible. Fall back to blog request to show prompt data for unconnected users.
-		$response = ( ( new Manager() )->is_user_connected() )
-			? Client::wpcom_json_api_request_as_user( $api_url, $this->version, array( $request_options ), $request->get_body(), $this->base_api_path )
-			: Client::wpcom_json_api_request_as_blog( $api_url, $this->version, array( $request_options ), $request->get_body(), $this->base_api_path );
+		$response = Client::wpcom_json_api_request_as_user( $api_url, $this->version, $request_options, $request->get_body(), $this->base_api_path );
 
 		if ( is_wp_error( $response ) ) {
 			return $response;