| public can_access_password_content ( WP_Post $post, WP_REST_Request $request ) : boolean | ||
| $post | WP_Post | Post to check against. |
| $request | WP_REST_Request | Request data to check. |
| return | boolean | True if the user can access password-protected content, otherwise false. |
public function can_access_password_content($post, $request)
{
if (empty($post->post_password)) {
// No filter required.
return false;
}
// Edit context always gets access to password-protected posts.
if ('edit' === $request['context']) {
return true;
}
// No password, no auth.
if (empty($request['password'])) {
return false;
}
// Double-check the request password.
return hash_equals($post->post_password, $request['password']);
} /**
* Checks if the post can be read.
*
* Correctly handles posts with the inherit status.
*
* @since 4.7.0
* @access protected
*
* @param WP_Post $post Post object.
* @param WP_REST_Request $request Request data to check.
* @return bool Whether post can be read.
*/
protected function check_read_post_permission($post, $request)
{
$posts_controller = new WP_REST_Posts_Controller($post->post_type);
$post_type = get_post_type_object($post->post_type);
$has_password_filter = false;
// Only check password if a specific post was queried for or a single comment
$requested_post = !empty($request['post']) && 1 === count($request['post']);
$requested_comment = !empty($request['id']);
if (($requested_post || $requested_comment) && $posts_controller->can_access_password_content($post, $request)) {
add_filter('post_password_required', '__return_false');
$has_password_filter = true;
}
if (post_password_required($post)) {
$result = current_user_can($post_type->cap->edit_post, $post->ID);
} else {
$result = $posts_controller->check_read_permission($post);
}
if ($has_password_filter) {
remove_filter('post_password_required', '__return_false');
}
return $result;
}