Introduce rest_authorization_required_code()

danielbachhuber · danielbachhuber · commit 7ba0ae6fe4f6 · 2015-12-08T10:10:08.000-08:00
This function produces a contextually-specific HTTP error code based on
whether the user is logged in. It should be used when producing an error
from a failed `current_user_can()` check, because it's helpful to the
client to be able to distinguish between 401 and 403
diff --git a/lib/endpoints/class-wp-rest-attachments-controller.php b/lib/endpoints/class-wp-rest-attachments-controller.php
@@ -21,7 +21,7 @@ public function create_item( $request ) {
 			$parent = get_post( (int) $request['post'] );
 			$post_parent_type = get_post_type_object( $parent->post_type );
 			if ( ! current_user_can( $post_parent_type->cap->edit_post, $request['post'] ) ) {
-				return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this post.' ), array( 'status' => 401 ) );
+				return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this post.' ), array( 'status' => rest_authorization_required_code() ) );
 			}
 		}
 
diff --git a/lib/endpoints/class-wp-rest-comments-controller.php b/lib/endpoints/class-wp-rest-comments-controller.php
@@ -365,7 +365,7 @@ public function get_items_permissions_check( $request ) {
 		}
 
 		if ( ! empty( $request['context'] ) && 'edit' === $request['context'] && ! current_user_can( 'manage_comments' ) ) {
-			return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you cannot view comments with edit context.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you cannot view comments with edit context.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		return true;
@@ -387,17 +387,17 @@ public function get_item_permissions_check( $request ) {
 		}
 
 		if ( ! $this->check_read_permission( $comment ) ) {
-			return new WP_Error( 'rest_cannot_read', __( 'Sorry, you cannot read this comment.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_cannot_read', __( 'Sorry, you cannot read this comment.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		$post = get_post( $comment->comment_post_ID );
 
 		if ( $post && ! $this->check_read_post_permission( $post ) ) {
-			return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you cannot read the post for this comment.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you cannot read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		if ( ! empty( $request['context'] ) && 'edit' === $request['context'] && ! current_user_can( 'moderate_comments' ) ) {
-			return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you cannot view this comment with edit context.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you cannot view this comment with edit context.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		return true;
@@ -413,13 +413,13 @@ public function create_item_permissions_check( $request ) {
 
 		// Limit who can set comment `author`, `karma` or `status` to anything other than the default.
 		if ( isset( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( 'moderate_comments' ) ) {
-			return new WP_Error( 'rest_comment_invalid_author', __( 'Comment author invalid.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_comment_invalid_author', __( 'Comment author invalid.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 		if ( isset( $request['karma'] ) && $request['karma'] > 0 && ! current_user_can( 'moderate_comments' ) ) {
-			return new WP_Error( 'rest_comment_invalid_karma', __( 'Sorry, you cannot set karma for comments.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_comment_invalid_karma', __( 'Sorry, you cannot set karma for comments.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 		if ( isset( $request['status'] ) && ! current_user_can( 'moderate_comments' ) ) {
-			return new WP_Error( 'rest_comment_invalid_status', __( 'Sorry, you cannot set status for comments.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_comment_invalid_status', __( 'Sorry, you cannot set status for comments.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		// If the post id isn't specified, presume we can create.
@@ -432,7 +432,7 @@ public function create_item_permissions_check( $request ) {
 		if ( $post ) {
 
 			if ( ! $this->check_read_post_permission( $post ) ) {
-				return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you cannot read the post for this comment.' ), array( 'status' => 403 ) );
+				return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you cannot read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) );
 			}
 
 			if ( ! comments_open( $post->ID ) ) {
@@ -456,7 +456,7 @@ public function update_item_permissions_check( $request ) {
 		$comment = get_comment( $id );
 
 		if ( $comment && ! $this->check_edit_permission( $comment ) ) {
-			return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you can not edit this comment.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you can not edit this comment.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		return true;
diff --git a/lib/endpoints/class-wp-rest-meta-posts-controller.php b/lib/endpoints/class-wp-rest-meta-posts-controller.php
@@ -49,12 +49,12 @@ public function get_items_permissions_check( $request ) {
 		}
 
 		if ( ! $this->parent_controller->check_read_permission( $parent ) ) {
-			return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view this post.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view this post.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		$post_type = get_post_type_object( $parent->post_type );
 		if ( ! current_user_can( $post_type->cap->edit_post, $parent->ID ) ) {
-			return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view the meta for this post.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view the meta for this post.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 		return true;
 	}
@@ -103,12 +103,12 @@ public function delete_item_permissions_check( $request ) {
 		}
 
 		if ( ! $this->parent_controller->check_read_permission( $parent ) ) {
-			return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view this post.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view this post.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		$post_type = get_post_type_object( $parent->post_type );
 		if ( ! current_user_can( $post_type->cap->delete_post, $parent->ID ) ) {
-			return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot delete the meta for this post.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot delete the meta for this post.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 		return true;
 	}
diff --git a/lib/endpoints/class-wp-rest-post-statuses-controller.php b/lib/endpoints/class-wp-rest-post-statuses-controller.php
@@ -70,7 +70,7 @@ public function get_item( $request ) {
 	 */
 	public function prepare_item_for_response( $status, $request ) {
 		if ( ( false === $status->public && ! is_user_logged_in() ) || ( true === $status->internal && is_user_logged_in() ) ) {
-			return new WP_Error( 'rest_cannot_read_status', __( 'Cannot view status.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_cannot_read_status', __( 'Cannot view status.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		$data = array(
diff --git a/lib/endpoints/class-wp-rest-post-types-controller.php b/lib/endpoints/class-wp-rest-post-types-controller.php
@@ -70,7 +70,7 @@ public function get_item( $request ) {
 	 */
 	public function prepare_item_for_response( $post_type, $request ) {
 		if ( false === $post_type->public ) {
-			return new WP_Error( 'rest_cannot_read_type', __( 'Cannot view type.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_cannot_read_type', __( 'Cannot view type.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		$data = array(
diff --git a/lib/endpoints/class-wp-rest-posts-controller.php b/lib/endpoints/class-wp-rest-posts-controller.php
@@ -337,7 +337,7 @@ public function delete_item( $request ) {
 		$supports_trash = apply_filters( 'rest_post_trashable', $supports_trash, $post );
 
 		if ( ! $this->check_delete_permission( $post ) ) {
-			return new WP_Error( 'rest_user_cannot_delete_post', __( 'Sorry, you are not allowed to delete this post.' ), array( 'status' => 401 ) );
+			return new WP_Error( 'rest_user_cannot_delete_post', __( 'Sorry, you are not allowed to delete this post.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		$request = new WP_REST_Request( 'GET', '/wp/v2/' . $this->get_post_type_base( $this->post_type ) . '/' . $post->ID );
@@ -399,7 +399,7 @@ public function get_items_permissions_check( $request ) {
 		$post_type = get_post_type_object( $this->post_type );
 
 		if ( 'edit' === $request['context'] && ! current_user_can( $post_type->cap->edit_posts ) ) {
-			return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit these posts in this post type' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit these posts in this post type' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		return true;
@@ -416,7 +416,7 @@ public function get_item_permissions_check( $request ) {
 		$post = get_post( (int) $request['id'] );
 
 		if ( 'edit' === $request['context'] && $post && ! $this->check_update_permission( $post ) ) {
-			return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit this post' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit this post' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		if ( $post ) {
@@ -437,15 +437,15 @@ public function create_item_permissions_check( $request ) {
 		$post_type = get_post_type_object( $this->post_type );
 
 		if ( ! empty( $request['password'] ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
-			return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to create password protected posts in this post type' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to create password protected posts in this post type' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		if ( ! empty( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
-			return new WP_Error( 'rest_cannot_edit_others', __( 'You are not allowed to create posts as this user.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_cannot_edit_others', __( 'You are not allowed to create posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
-			return new WP_Error( 'rest_cannot_assign_sticky', __( 'You do not have permission to make posts sticky.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_cannot_assign_sticky', __( 'You do not have permission to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		return current_user_can( $post_type->cap->create_posts );
@@ -467,15 +467,15 @@ public function update_item_permissions_check( $request ) {
 		}
 
 		if ( ! empty( $request['password'] ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
-			return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to create password protected posts in this post type' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to create password protected posts in this post type' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		if ( ! empty( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
-			return new WP_Error( 'rest_cannot_edit_others', __( 'You are not allowed to update posts as this user.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_cannot_edit_others', __( 'You are not allowed to update posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
-			return new WP_Error( 'rest_cannot_assign_sticky', __( 'You do not have permission to make posts sticky.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_cannot_assign_sticky', __( 'You do not have permission to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		return true;
@@ -492,7 +492,7 @@ public function delete_item_permissions_check( $request ) {
 		$post = get_post( $request['id'] );
 
 		if ( $post && ! $this->check_delete_permission( $post ) ) {
-			return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete posts.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete posts.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		return true;
@@ -816,13 +816,13 @@ protected function handle_status_param( $post_status, $post_type ) {
 				break;
 			case 'private':
 				if ( ! current_user_can( $post_type->cap->publish_posts ) ) {
-					return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to create private posts in this post type' ), array( 'status' => 403 ) );
+					return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to create private posts in this post type' ), array( 'status' => rest_authorization_required_code() ) );
 				}
 				break;
 			case 'publish':
 			case 'future':
 				if ( ! current_user_can( $post_type->cap->publish_posts ) ) {
-					return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to publish posts in this post type' ), array( 'status' => 403 ) );
+					return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to publish posts in this post type' ), array( 'status' => rest_authorization_required_code() ) );
 				}
 				break;
 			default:
@@ -1606,7 +1606,7 @@ public function validate_user_can_query_private_statuses( $value, $request, $par
 		if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
 			return true;
 		}
-		return new WP_Error( 'rest_forbidden_status', __( 'Status is forbidden' ), array( 'status' => 403 ) );
+		return new WP_Error( 'rest_forbidden_status', __( 'Status is forbidden' ), array( 'status' => rest_authorization_required_code() ) );
 	}
 
 }
diff --git a/lib/endpoints/class-wp-rest-posts-terms-controller.php b/lib/endpoints/class-wp-rest-posts-terms-controller.php
@@ -218,7 +218,7 @@ protected function validate_request( $request ) {
 		}
 
 		if ( ! $this->posts_controller->check_read_permission( $post ) ) {
-			return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view this post.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view this post.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		if ( ! empty( $request['term_id'] ) ) {
diff --git a/lib/endpoints/class-wp-rest-revisions-controller.php b/lib/endpoints/class-wp-rest-revisions-controller.php
@@ -91,7 +91,7 @@ public function get_items_permissions_check( $request ) {
 		}
 		$parent_post_type_obj = get_post_type_object( $parent->post_type );
 		if ( ! current_user_can( $parent_post_type_obj->cap->edit_post, $parent->ID ) ) {
-			return new WP_Error( 'rest_cannot_read', __( 'Sorry, you cannot view revisions of this post.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_cannot_read', __( 'Sorry, you cannot view revisions of this post.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		return true;
diff --git a/lib/endpoints/class-wp-rest-users-controller.php b/lib/endpoints/class-wp-rest-users-controller.php
@@ -392,11 +392,11 @@ public function get_item_permissions_check( $request ) {
 		$context = ! empty( $request['context'] ) && in_array( $request['context'], array( 'edit', 'view', 'embed' ) ) ? $request['context'] : 'embed';
 
 		if ( 'edit' === $context && ! current_user_can( 'edit_user', $id ) ) {
-			return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you cannot view this user with edit context' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you cannot view this user with edit context' ), array( 'status' => rest_authorization_required_code() ) );
 		} else if ( 'view' === $context && ! current_user_can( 'list_users' ) ) {
-			return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you cannot view this user with view context' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you cannot view this user with view context' ), array( 'status' => rest_authorization_required_code() ) );
 		} else if ( 'embed' === $context && ! count_user_posts( $id ) && ! current_user_can( 'edit_user', $id ) && ! current_user_can( 'list_users' ) ) {
-			return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you cannot view this user' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you cannot view this user' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		return true;
@@ -411,7 +411,7 @@ public function get_item_permissions_check( $request ) {
 	public function create_item_permissions_check( $request ) {
 
 		if ( ! current_user_can( 'create_users' ) ) {
-			return new WP_Error( 'rest_cannot_create_user', __( 'Sorry, you are not allowed to create users.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_cannot_create_user', __( 'Sorry, you are not allowed to create users.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		return true;
@@ -428,11 +428,11 @@ public function update_item_permissions_check( $request ) {
 		$id = (int) $request['id'];
 
 		if ( ! current_user_can( 'edit_user', $id ) ) {
-			return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit users.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit users.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		if ( ! empty( $request['role'] ) && ! current_user_can( 'edit_users' ) ) {
-			return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of users.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of users.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		return true;
@@ -450,7 +450,7 @@ public function delete_item_permissions_check( $request ) {
 		$reassign = isset( $request['reassign'] ) ? absint( $request['reassign'] ) : null;
 
 		if ( ! current_user_can( 'delete_user', $id ) ) {
-			return new WP_Error( 'rest_user_cannot_delete', __( 'Sorry, you are not allowed to delete this user.' ), array( 'status' => 403 ) );
+			return new WP_Error( 'rest_user_cannot_delete', __( 'Sorry, you are not allowed to delete this user.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		return true;
@@ -608,7 +608,7 @@ protected function check_role_update( $user_id, $role ) {
 			return true;
 		}
 
-		return new WP_Error( 'rest_user_invalid_role', __( 'You cannot give users that role.' ), array( 'status' => 403 ) );
+		return new WP_Error( 'rest_user_invalid_role', __( 'You cannot give users that role.' ), array( 'status' => rest_authorization_required_code() ) );
 	}
 
 	/**
diff --git a/plugin.php b/plugin.php
@@ -220,6 +220,17 @@ function create_initial_rest_routes() {
 	$controller->register_routes();
 }
 
+if ( ! function_exists( 'rest_authorization_required_code' ) ) {
+	/**
+	 * Returns a contextual HTTP error code for authorization failure.
+	 *
+	 * @return integer
+	 */
+	function rest_authorization_required_code() {
+		return is_user_logged_in() ? 403 : 401;
+	}
+}
+
 if ( ! function_exists( 'register_api_field' ) ) {
 	/**
 	 * Registers a new field on an existing WordPress object type.

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ public function create_item( $request ) {`
`21`	`21`	`$parent = get_post( (int) $request['post'] );`
`22`	`22`	`$post_parent_type = get_post_type_object( $parent->post_type );`
`23`	`23`	`if ( ! current_user_can( $post_parent_type->cap->edit_post, $request['post'] ) ) {`
`24`		`- return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this post.' ), array( 'status' => 401 ) );`
	`24`	`+ return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this post.' ), array( 'status' => rest_authorization_required_code() ) );`
`25`	`25`	`}`
`26`	`26`	`}`
`27`	`27`
Original file line number	Diff line number	Diff line change
`@@ -365,7 +365,7 @@ public function get_items_permissions_check( $request ) {`
`365`	`365`	`}`
`366`	`366`
`367`	`367`	`if ( ! empty( $request['context'] ) && 'edit' === $request['context'] && ! current_user_can( 'manage_comments' ) ) {`
`368`		`- return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you cannot view comments with edit context.' ), array( 'status' => 403 ) );`
	`368`	`+ return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you cannot view comments with edit context.' ), array( 'status' => rest_authorization_required_code() ) );`
`369`	`369`	`}`
`370`	`370`
`371`	`371`	`return true;`
`@@ -387,17 +387,17 @@ public function get_item_permissions_check( $request ) {`
`387`	`387`	`}`
`388`	`388`
`389`	`389`	`if ( ! $this->check_read_permission( $comment ) ) {`
`390`		`- return new WP_Error( 'rest_cannot_read', __( 'Sorry, you cannot read this comment.' ), array( 'status' => 403 ) );`
	`390`	`+ return new WP_Error( 'rest_cannot_read', __( 'Sorry, you cannot read this comment.' ), array( 'status' => rest_authorization_required_code() ) );`
`391`	`391`	`}`
`392`	`392`
`393`	`393`	`$post = get_post( $comment->comment_post_ID );`
`394`	`394`
`395`	`395`	`if ( $post && ! $this->check_read_post_permission( $post ) ) {`
`396`		`- return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you cannot read the post for this comment.' ), array( 'status' => 403 ) );`
	`396`	`+ return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you cannot read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) );`
`397`	`397`	`}`
`398`	`398`
`399`	`399`	`if ( ! empty( $request['context'] ) && 'edit' === $request['context'] && ! current_user_can( 'moderate_comments' ) ) {`
`400`		`- return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you cannot view this comment with edit context.' ), array( 'status' => 403 ) );`
	`400`	`+ return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you cannot view this comment with edit context.' ), array( 'status' => rest_authorization_required_code() ) );`
`401`	`401`	`}`
`402`	`402`
`403`	`403`	`return true;`
`@@ -413,13 +413,13 @@ public function create_item_permissions_check( $request ) {`
`413`	`413`
`414`	`414`	// Limit who can set comment `author`, `karma` or `status` to anything other than the default.
`415`	`415`	`if ( isset( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( 'moderate_comments' ) ) {`
`416`		`- return new WP_Error( 'rest_comment_invalid_author', __( 'Comment author invalid.' ), array( 'status' => 403 ) );`
	`416`	`+ return new WP_Error( 'rest_comment_invalid_author', __( 'Comment author invalid.' ), array( 'status' => rest_authorization_required_code() ) );`
`417`	`417`	`}`
`418`	`418`	`if ( isset( $request['karma'] ) && $request['karma'] > 0 && ! current_user_can( 'moderate_comments' ) ) {`
`419`		`- return new WP_Error( 'rest_comment_invalid_karma', __( 'Sorry, you cannot set karma for comments.' ), array( 'status' => 403 ) );`
	`419`	`+ return new WP_Error( 'rest_comment_invalid_karma', __( 'Sorry, you cannot set karma for comments.' ), array( 'status' => rest_authorization_required_code() ) );`
`420`	`420`	`}`
`421`	`421`	`if ( isset( $request['status'] ) && ! current_user_can( 'moderate_comments' ) ) {`
`422`		`- return new WP_Error( 'rest_comment_invalid_status', __( 'Sorry, you cannot set status for comments.' ), array( 'status' => 403 ) );`
	`422`	`+ return new WP_Error( 'rest_comment_invalid_status', __( 'Sorry, you cannot set status for comments.' ), array( 'status' => rest_authorization_required_code() ) );`
`423`	`423`	`}`
`424`	`424`
`425`	`425`	`// If the post id isn't specified, presume we can create.`
`@@ -432,7 +432,7 @@ public function create_item_permissions_check( $request ) {`
`432`	`432`	`if ( $post ) {`
`433`	`433`
`434`	`434`	`if ( ! $this->check_read_post_permission( $post ) ) {`
`435`		`- return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you cannot read the post for this comment.' ), array( 'status' => 403 ) );`
	`435`	`+ return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you cannot read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) );`
`436`	`436`	`}`
`437`	`437`
`438`	`438`	`if ( ! comments_open( $post->ID ) ) {`
`@@ -456,7 +456,7 @@ public function update_item_permissions_check( $request ) {`
`456`	`456`	`$comment = get_comment( $id );`
`457`	`457`
`458`	`458`	`if ( $comment && ! $this->check_edit_permission( $comment ) ) {`
`459`		`- return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you can not edit this comment.' ), array( 'status' => 403 ) );`
	`459`	`+ return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you can not edit this comment.' ), array( 'status' => rest_authorization_required_code() ) );`
`460`	`460`	`}`
`461`	`461`
`462`	`462`	`return true;`
Original file line number	Diff line number	Diff line change
`@@ -49,12 +49,12 @@ public function get_items_permissions_check( $request ) {`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`if ( ! $this->parent_controller->check_read_permission( $parent ) ) {`
`52`		`- return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view this post.' ), array( 'status' => 403 ) );`
	`52`	`+ return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view this post.' ), array( 'status' => rest_authorization_required_code() ) );`
`53`	`53`	`}`
`54`	`54`
`55`	`55`	`$post_type = get_post_type_object( $parent->post_type );`
`56`	`56`	`if ( ! current_user_can( $post_type->cap->edit_post, $parent->ID ) ) {`
`57`		`- return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view the meta for this post.' ), array( 'status' => 403 ) );`
	`57`	`+ return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view the meta for this post.' ), array( 'status' => rest_authorization_required_code() ) );`
`58`	`58`	`}`
`59`	`59`	`return true;`
`60`	`60`	`}`
`@@ -103,12 +103,12 @@ public function delete_item_permissions_check( $request ) {`
`103`	`103`	`}`
`104`	`104`
`105`	`105`	`if ( ! $this->parent_controller->check_read_permission( $parent ) ) {`
`106`		`- return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view this post.' ), array( 'status' => 403 ) );`
	`106`	`+ return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view this post.' ), array( 'status' => rest_authorization_required_code() ) );`
`107`	`107`	`}`
`108`	`108`
`109`	`109`	`$post_type = get_post_type_object( $parent->post_type );`
`110`	`110`	`if ( ! current_user_can( $post_type->cap->delete_post, $parent->ID ) ) {`
`111`		`- return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot delete the meta for this post.' ), array( 'status' => 403 ) );`
	`111`	`+ return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot delete the meta for this post.' ), array( 'status' => rest_authorization_required_code() ) );`
`112`	`112`	`}`
`113`	`113`	`return true;`
`114`	`114`	`}`
Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ public function get_item( $request ) {`
`70`	`70`	`*/`
`71`	`71`	`public function prepare_item_for_response( $status, $request ) {`
`72`	`72`	`if ( ( false === $status->public && ! is_user_logged_in() ) \|\| ( true === $status->internal && is_user_logged_in() ) ) {`
`73`		`- return new WP_Error( 'rest_cannot_read_status', __( 'Cannot view status.' ), array( 'status' => 403 ) );`
	`73`	`+ return new WP_Error( 'rest_cannot_read_status', __( 'Cannot view status.' ), array( 'status' => rest_authorization_required_code() ) );`
`74`	`74`	`}`
`75`	`75`
`76`	`76`	`$data = array(`
Original file line number	Diff line number	Diff line change
`@@ -337,7 +337,7 @@ public function delete_item( $request ) {`
`337`	`337`	`$supports_trash = apply_filters( 'rest_post_trashable', $supports_trash, $post );`
`338`	`338`
`339`	`339`	`if ( ! $this->check_delete_permission( $post ) ) {`
`340`		`- return new WP_Error( 'rest_user_cannot_delete_post', __( 'Sorry, you are not allowed to delete this post.' ), array( 'status' => 401 ) );`
	`340`	`+ return new WP_Error( 'rest_user_cannot_delete_post', __( 'Sorry, you are not allowed to delete this post.' ), array( 'status' => rest_authorization_required_code() ) );`
`341`	`341`	`}`
`342`	`342`
`343`	`343`	`$request = new WP_REST_Request( 'GET', '/wp/v2/' . $this->get_post_type_base( $this->post_type ) . '/' . $post->ID );`
`@@ -399,7 +399,7 @@ public function get_items_permissions_check( $request ) {`
`399`	`399`	`$post_type = get_post_type_object( $this->post_type );`
`400`	`400`
`401`	`401`	`if ( 'edit' === $request['context'] && ! current_user_can( $post_type->cap->edit_posts ) ) {`
`402`		`- return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit these posts in this post type' ), array( 'status' => 403 ) );`
	`402`	`+ return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit these posts in this post type' ), array( 'status' => rest_authorization_required_code() ) );`
`403`	`403`	`}`
`404`	`404`
`405`	`405`	`return true;`
`@@ -416,7 +416,7 @@ public function get_item_permissions_check( $request ) {`
`416`	`416`	`$post = get_post( (int) $request['id'] );`
`417`	`417`
`418`	`418`	`if ( 'edit' === $request['context'] && $post && ! $this->check_update_permission( $post ) ) {`
`419`		`- return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit this post' ), array( 'status' => 403 ) );`
	`419`	`+ return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit this post' ), array( 'status' => rest_authorization_required_code() ) );`
`420`	`420`	`}`
`421`	`421`
`422`	`422`	`if ( $post ) {`
`@@ -437,15 +437,15 @@ public function create_item_permissions_check( $request ) {`
`437`	`437`	`$post_type = get_post_type_object( $this->post_type );`
`438`	`438`
`439`	`439`	`if ( ! empty( $request['password'] ) && ! current_user_can( $post_type->cap->publish_posts ) ) {`
`440`		`- return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to create password protected posts in this post type' ), array( 'status' => 403 ) );`
	`440`	`+ return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to create password protected posts in this post type' ), array( 'status' => rest_authorization_required_code() ) );`
`441`	`441`	`}`
`442`	`442`
`443`	`443`	`if ( ! empty( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( $post_type->cap->edit_others_posts ) ) {`
`444`		`- return new WP_Error( 'rest_cannot_edit_others', __( 'You are not allowed to create posts as this user.' ), array( 'status' => 403 ) );`
	`444`	`+ return new WP_Error( 'rest_cannot_edit_others', __( 'You are not allowed to create posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );`
`445`	`445`	`}`
`446`	`446`
`447`	`447`	`if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {`
`448`		`- return new WP_Error( 'rest_cannot_assign_sticky', __( 'You do not have permission to make posts sticky.' ), array( 'status' => 403 ) );`
	`448`	`+ return new WP_Error( 'rest_cannot_assign_sticky', __( 'You do not have permission to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );`
`449`	`449`	`}`
`450`	`450`
`451`	`451`	`return current_user_can( $post_type->cap->create_posts );`
`@@ -467,15 +467,15 @@ public function update_item_permissions_check( $request ) {`
`467`	`467`	`}`
`468`	`468`
`469`	`469`	`if ( ! empty( $request['password'] ) && ! current_user_can( $post_type->cap->publish_posts ) ) {`
`470`		`- return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to create password protected posts in this post type' ), array( 'status' => 403 ) );`
	`470`	`+ return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to create password protected posts in this post type' ), array( 'status' => rest_authorization_required_code() ) );`
`471`	`471`	`}`
`472`	`472`
`473`	`473`	`if ( ! empty( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( $post_type->cap->edit_others_posts ) ) {`
`474`		`- return new WP_Error( 'rest_cannot_edit_others', __( 'You are not allowed to update posts as this user.' ), array( 'status' => 403 ) );`
	`474`	`+ return new WP_Error( 'rest_cannot_edit_others', __( 'You are not allowed to update posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );`
`475`	`475`	`}`
`476`	`476`
`477`	`477`	`if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {`
`478`		`- return new WP_Error( 'rest_cannot_assign_sticky', __( 'You do not have permission to make posts sticky.' ), array( 'status' => 403 ) );`
	`478`	`+ return new WP_Error( 'rest_cannot_assign_sticky', __( 'You do not have permission to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );`
`479`	`479`	`}`
`480`	`480`
`481`	`481`	`return true;`
`@@ -492,7 +492,7 @@ public function delete_item_permissions_check( $request ) {`
`492`	`492`	`$post = get_post( $request['id'] );`
`493`	`493`
`494`	`494`	`if ( $post && ! $this->check_delete_permission( $post ) ) {`
`495`		`- return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete posts.' ), array( 'status' => 403 ) );`
	`495`	`+ return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete posts.' ), array( 'status' => rest_authorization_required_code() ) );`
`496`	`496`	`}`
`497`	`497`
`498`	`498`	`return true;`
`@@ -816,13 +816,13 @@ protected function handle_status_param( $post_status, $post_type ) {`
`816`	`816`	`break;`
`817`	`817`	`case 'private':`
`818`	`818`	`if ( ! current_user_can( $post_type->cap->publish_posts ) ) {`
`819`		`- return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to create private posts in this post type' ), array( 'status' => 403 ) );`
	`819`	`+ return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to create private posts in this post type' ), array( 'status' => rest_authorization_required_code() ) );`
`820`	`820`	`}`
`821`	`821`	`break;`
`822`	`822`	`case 'publish':`
`823`	`823`	`case 'future':`
`824`	`824`	`if ( ! current_user_can( $post_type->cap->publish_posts ) ) {`
`825`		`- return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to publish posts in this post type' ), array( 'status' => 403 ) );`
	`825`	`+ return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to publish posts in this post type' ), array( 'status' => rest_authorization_required_code() ) );`
`826`	`826`	`}`
`827`	`827`	`break;`
`828`	`828`	`default:`
`@@ -1606,7 +1606,7 @@ public function validate_user_can_query_private_statuses( $value, $request, $par`
`1606`	`1606`	`if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {`
`1607`	`1607`	`return true;`
`1608`	`1608`	`}`
`1609`		`- return new WP_Error( 'rest_forbidden_status', __( 'Status is forbidden' ), array( 'status' => 403 ) );`
	`1609`	`+ return new WP_Error( 'rest_forbidden_status', __( 'Status is forbidden' ), array( 'status' => rest_authorization_required_code() ) );`
`1610`	`1610`	`}`
`1611`	`1611`
`1612`	`1612`	`}`
Original file line number	Diff line number	Diff line change
`@@ -218,7 +218,7 @@ protected function validate_request( $request ) {`
`218`	`218`	`}`
`219`	`219`
`220`	`220`	`if ( ! $this->posts_controller->check_read_permission( $post ) ) {`
`221`		`- return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view this post.' ), array( 'status' => 403 ) );`
	`221`	`+ return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view this post.' ), array( 'status' => rest_authorization_required_code() ) );`
`222`	`222`	`}`
`223`	`223`
`224`	`224`	`if ( ! empty( $request['term_id'] ) ) {`
Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,7 @@ public function get_items_permissions_check( $request ) {`
`91`	`91`	`}`
`92`	`92`	`$parent_post_type_obj = get_post_type_object( $parent->post_type );`
`93`	`93`	`if ( ! current_user_can( $parent_post_type_obj->cap->edit_post, $parent->ID ) ) {`
`94`		`- return new WP_Error( 'rest_cannot_read', __( 'Sorry, you cannot view revisions of this post.' ), array( 'status' => 403 ) );`
	`94`	`+ return new WP_Error( 'rest_cannot_read', __( 'Sorry, you cannot view revisions of this post.' ), array( 'status' => rest_authorization_required_code() ) );`
`95`	`95`	`}`
`96`	`96`
`97`	`97`	`return true;`