Abilities API: Address content review follow-ups

Author: jorgefilipecosta

src/wp-includes/abilities/class-wp-content-abilities.php

@@ -145,7 +145,7 @@ private function register_get_content(): void {
 		$this->exposed_post_types = $this->get_exposed_post_types();
 
 		$post_types = array_keys( $this->exposed_post_types );
-		$statuses   = $this->get_available_statuses();
+		$statuses   = array_values( get_post_stati( array( 'internal' => false ) ) );
 
 		wp_register_ability(
 			'core/content',
@@ -218,30 +218,12 @@ public function check_permission( $input = array() ): bool {
 
 		$post_type_object = $exposed[ $post_type ];
 		if ( $requires_edit ) {
-			$edit_posts_capability = $this->capability( $post_type_object, 'edit_posts', 'edit_posts' );
-
-			return current_user_can( $edit_posts_capability );
+			return current_user_can( $post_type_object->cap->edit_posts );
 		}
 
 		return $this->can_query_statuses( $input, $post_type_object );
 	}
 
-	/**
-	 * Resolves a capability name from a post type's capability object, with a fallback.
-	 *
-	 * @since 7.1.0
-	 *
-	 * @param WP_Post_Type $post_type_object The post type object.
-	 * @param string       $name             Capability key on the post type's `cap` object.
-	 * @param string       $fallback         Fallback capability name if unset or non-string.
-	 * @return string The resolved capability name.
-	 */
-	private function capability( WP_Post_Type $post_type_object, string $name, string $fallback ): string {
-		$capability = $post_type_object->cap->$name ?? $fallback;
-
-		return is_string( $capability ) ? $capability : $fallback;
-	}
-
 	/**
 	 * Casts a raw input value to a non-negative integer.
 	 *
@@ -270,9 +252,9 @@ private function has_explicit_edit_fields( array $input ): bool {
 			return false;
 		}
 
-		$requested = array_filter( $input['fields'], 'is_string' );
+		$requested_fields = array_filter( $input['fields'], 'is_string' );
 
-		return array() !== array_intersect( self::EDIT_FIELDS, $requested );
+		return array() !== array_intersect( self::EDIT_FIELDS, $requested_fields );
 	}
 
 	/**
@@ -289,19 +271,16 @@ private function has_explicit_edit_fields( array $input ): bool {
 	 * @return bool True if the requested statuses may be queried.
 	 */
 	private function can_query_statuses( array $input, WP_Post_Type $post_type_object ): bool {
-		$edit_posts_capability   = $this->capability( $post_type_object, 'edit_posts', 'edit_posts' );
-		$read_private_capability = $this->capability( $post_type_object, 'read_private_posts', 'read_private_posts' );
-
 		foreach ( $this->normalize_statuses( $input ) as $status ) {
 			if ( 'publish' === $status ) {
 				continue;
 			}
 
-			if ( 'private' === $status && current_user_can( $read_private_capability ) ) {
+			if ( 'private' === $status && current_user_can( $post_type_object->cap->read_private_posts ) ) {
 				continue;
 			}
 
-			if ( current_user_can( $edit_posts_capability ) ) {
+			if ( current_user_can( $post_type_object->cap->edit_posts ) ) {
 				continue;
 			}
 
@@ -464,29 +443,13 @@ private function normalize_per_page( array $input ): int {
 	 * @return array<string, WP_Post_Type> Exposed post type objects keyed by name.
 	 */
 	private function get_exposed_post_types(): array {
-		$exposed = array();
+		$exposed_post_types = array();
 
-		foreach ( get_post_types( array(), 'objects' ) as $post_type_object ) {
-			if ( empty( $post_type_object->show_in_abilities ) ) {
-				continue;
-			}
-			$exposed[ $post_type_object->name ] = $post_type_object;
+		foreach ( get_post_types( array( 'show_in_abilities' => true ), 'objects' ) as $post_type_object ) {
+			$exposed_post_types[ $post_type_object->name ] = $post_type_object;
 		}
 
-		return $exposed;
-	}
-
-	/**
-	 * Returns the post statuses that may be requested through the ability.
-	 *
-	 * Internal statuses (auto-draft, inherit, trash) are excluded.
-	 *
-	 * @since 7.1.0
-	 *
-	 * @return string[] List of public, non-internal post status slugs.
-	 */
-	private function get_available_statuses(): array {
-		return array_values( get_post_stati( array( 'internal' => false ) ) );
+		return $exposed_post_types;
 	}
 
 	/**
@@ -524,8 +487,8 @@ private function normalize_fields( array $input ): array {
 			return $this->fields;
 		}
 
-		$requested = array_filter( $input['fields'], 'is_string' );
-		$fields    = array_intersect( $this->fields, $requested );
+		$requested_fields = array_filter( $input['fields'], 'is_string' );
+		$fields           = array_intersect( $this->fields, $requested_fields );
 
 		return array() === $fields ? $this->fields : array_values( $fields );
 	}
@@ -776,84 +739,84 @@ private function get_content_output_schema(): array {
 	 * @return array<string, mixed> The formatted post data.
 	 */
 	private function format_post( WP_Post $post, array $fields ): array {
-		$type      = $post->post_type;
-		$wants     = static function ( string $field ) use ( $fields ): bool {
+		$post_type        = $post->post_type;
+		$fields_requested = static function ( string $field ) use ( $fields ): bool {
 			return in_array( $field, $fields, true );
 		};
-		$can_edit  = current_user_can( 'edit_post', $post->ID );
-		$protected = post_password_required( $post ) && ! $can_edit;
+		$can_edit         = current_user_can( 'edit_post', $post->ID );
+		$protected        = post_password_required( $post ) && ! $can_edit;
 
 		$data = array();
 
-		if ( $wants( 'id' ) ) {
+		if ( $fields_requested( 'id' ) ) {
 			$data['id'] = (int) $post->ID;
 		}
-		if ( $wants( 'type' ) ) {
-			$data['type'] = $type;
+		if ( $fields_requested( 'type' ) ) {
+			$data['type'] = $post_type;
 		}
-		if ( $wants( 'status' ) ) {
+		if ( $fields_requested( 'status' ) ) {
 			$data['status'] = $post->post_status;
 		}
-		if ( $wants( 'date' ) ) {
+		if ( $fields_requested( 'date' ) ) {
 			$data['date'] = $this->format_local_date( $post, 'date' );
 		}
-		if ( $wants( 'date_gmt' ) ) {
+		if ( $fields_requested( 'date_gmt' ) ) {
 			$data['date_gmt'] = $this->format_gmt_date( $post, 'date' );
 		}
-		if ( $wants( 'modified' ) ) {
+		if ( $fields_requested( 'modified' ) ) {
 			$data['modified'] = $this->format_local_date( $post, 'modified' );
 		}
-		if ( $wants( 'modified_gmt' ) ) {
+		if ( $fields_requested( 'modified_gmt' ) ) {
 			$data['modified_gmt'] = $this->format_gmt_date( $post, 'modified' );
 		}
-		if ( $wants( 'slug' ) ) {
+		if ( $fields_requested( 'slug' ) ) {
 			$data['slug'] = $post->post_name;
 		}
-		if ( $wants( 'link' ) ) {
+		if ( $fields_requested( 'link' ) ) {
 			$data['link'] = (string) get_permalink( $post );
 		}
 
-		if ( $wants( 'title_raw' ) && post_type_supports( $type, 'title' ) && $can_edit ) {
+		if ( $fields_requested( 'title_raw' ) && post_type_supports( $post_type, 'title' ) && $can_edit ) {
 			$data['title_raw'] = $post->post_title;
 		}
 
-		if ( $wants( 'title_rendered' ) && post_type_supports( $type, 'title' ) ) {
+		if ( $fields_requested( 'title_rendered' ) && post_type_supports( $post_type, 'title' ) ) {
 			$data['title_rendered'] = $this->get_title( $post );
 		}
 
-		if ( $wants( 'excerpt_raw' ) && post_type_supports( $type, 'excerpt' ) && $can_edit ) {
+		if ( $fields_requested( 'excerpt_raw' ) && post_type_supports( $post_type, 'excerpt' ) && $can_edit ) {
 			$data['excerpt_raw'] = $post->post_excerpt;
 		}
 
-		if ( $wants( 'excerpt_rendered' ) && post_type_supports( $type, 'excerpt' ) ) {
+		if ( $fields_requested( 'excerpt_rendered' ) && post_type_supports( $post_type, 'excerpt' ) ) {
 			$data['excerpt_rendered'] = $protected ? '' : (string) get_the_excerpt( $post );
 		}
 
-		if ( $wants( 'excerpt_protected' ) && post_type_supports( $type, 'excerpt' ) ) {
+		if ( $fields_requested( 'excerpt_protected' ) && post_type_supports( $post_type, 'excerpt' ) ) {
 			$data['excerpt_protected'] = (bool) $post->post_password;
 		}
 
-		if ( $wants( 'content_raw' ) && post_type_supports( $type, 'editor' ) && $can_edit ) {
+		if ( $fields_requested( 'content_raw' ) && post_type_supports( $post_type, 'editor' ) && $can_edit ) {
 			$data['content_raw'] = $post->post_content;
 		}
 
-		if ( $wants( 'content_rendered' ) && post_type_supports( $type, 'editor' ) ) {
+		if ( $fields_requested( 'content_rendered' ) && post_type_supports( $post_type, 'editor' ) ) {
 			$data['content_rendered'] = $protected ? '' : $this->get_rendered_content( $post );
 		}
 
-		if ( $wants( 'content_protected' ) && post_type_supports( $type, 'editor' ) ) {
+		if ( $fields_requested( 'content_protected' ) && post_type_supports( $post_type, 'editor' ) ) {
 			$data['content_protected'] = (bool) $post->post_password;
 		}
 
-		if ( $wants( 'author' ) && post_type_supports( $type, 'author' ) ) {
+		if ( $fields_requested( 'author' ) && post_type_supports( $post_type, 'author' ) ) {
 			$author         = get_userdata( (int) $post->post_author );
 			$data['author'] = array(
 				'id'           => (int) $post->post_author,
 				'display_name' => $author ? $author->display_name : '',
 			);
 		}
 
-		if ( $wants( 'parent' ) && is_post_type_hierarchical( $type ) ) {
+		if ( $fields_requested( 'parent' ) && is_post_type_hierarchical( $post_type ) ) {
 			$data['parent'] = (int) $post->post_parent;
 		}
 

tests/phpunit/tests/abilities-api/wpRegisterCoreContentAbility.php

@@ -98,6 +98,25 @@ private function login_as( string $role ): int {
 		return $user_id;
 	}
 
+	/**
+	 * Returns roles that can read public posts but cannot edit another user's post.
+	 *
+	 * @return array<string, array{role: string}> Role test cases.
+	 */
+	public function data_roles_without_edit_access_to_other_users_posts(): array {
+		return array(
+			'subscriber'  => array(
+				'role' => 'subscriber',
+			),
+			'contributor' => array(
+				'role' => 'contributor',
+			),
+			'author'      => array(
+				'role' => 'author',
+			),
+		);
+	}
+
 	/**
 	 * Convenience accessor for the ability.
 	 *
@@ -525,6 +544,66 @@ public function test_subscriber_cannot_request_raw_fields_for_single_post(): voi
 		$this->assertSame( 'ability_invalid_permissions', $result->get_error_code() );
 	}
 
+	/**
+	 * Users who cannot edit another user's post do not receive raw fields by default.
+	 *
+	 * @dataProvider data_roles_without_edit_access_to_other_users_posts
+	 *
+	 * @param string $role The role to test.
+	 */
+	public function test_default_fields_omit_raw_fields_for_roles_without_edit_access_to_other_users_posts( string $role ): void {
+		$post_owner_id = self::factory()->user->create( array( 'role' => 'administrator' ) );
+		$post_id       = self::factory()->post->create(
+			array(
+				'post_author'  => $post_owner_id,
+				'post_title'   => 'Readable title',
+				'post_content' => 'Readable body for limited role.',
+				'post_excerpt' => 'Readable excerpt.',
+				'post_status'  => 'publish',
+			)
+		);
+
+		$this->login_as( $role );
+
+		$result = $this->ability()->execute( array( 'id' => $post_id ) );
+
+		$this->assertIsArray( $result, 'The readable published post should be returned.' );
+		$this->assertSame( 'Readable title', $result['posts'][0]['title_rendered'], 'Rendered title should remain visible.' );
+		$this->assertStringContainsString( 'Readable body for limited role.', $result['posts'][0]['content_rendered'], 'Rendered content should remain visible.' );
+		$this->assertArrayNotHasKey( 'title_raw', $result['posts'][0], 'Raw title should be omitted.' );
+		$this->assertArrayNotHasKey( 'excerpt_raw', $result['posts'][0], 'Raw excerpt should be omitted.' );
+		$this->assertArrayNotHasKey( 'content_raw', $result['posts'][0], 'Raw content should be omitted.' );
+	}
+
+	/**
+	 * Users who cannot edit another user's post cannot explicitly request raw fields.
+	 *
+	 * @dataProvider data_roles_without_edit_access_to_other_users_posts
+	 *
+	 * @param string $role The role to test.
+	 */
+	public function test_raw_field_requests_are_denied_for_roles_without_edit_access_to_other_users_posts( string $role ): void {
+		$post_owner_id = self::factory()->user->create( array( 'role' => 'administrator' ) );
+		$post_id       = self::factory()->post->create(
+			array(
+				'post_author' => $post_owner_id,
+				'post_status' => 'publish',
+			)
+		);
+
+		$this->login_as( $role );
+
+		$result = $this->ability()->execute(
+			array(
+				'id'     => $post_id,
+				'fields' => array( 'content_raw' ),
+			)
+		);
+
+		$this->assertWPError( $result );
+		$this->assertSame( 'ability_invalid_permissions', $result->get_error_code(), 'Raw field requests should require edit access to the post.' );
+	}
+
 	public function test_subscriber_cannot_request_draft_status(): void {
 		$this->login_as( 'subscriber' );
 
@@ -654,25 +733,34 @@ public function test_password_protected_content_visible_to_editor(): void {
 		$this->assertStringContainsString( 'Top secret body.', $result['posts'][0]['content_rendered'] );
 	}
 
-	public function test_password_protected_rendered_content_is_empty_for_subscriber(): void {
-		$post_id = self::factory()->post->create(
+	/**
+	 * Password-protected rendered content is withheld from users who cannot edit the post.
+	 *
+	 * @dataProvider data_roles_without_edit_access_to_other_users_posts
+	 *
+	 * @param string $role The role to test.
+	 */
+	public function test_password_protected_rendered_content_is_empty_for_roles_without_edit_access_to_other_users_posts( string $role ): void {
+		$post_owner_id = self::factory()->user->create( array( 'role' => 'administrator' ) );
+		$post_id       = self::factory()->post->create(
 			array(
+				'post_author'   => $post_owner_id,
 				'post_status'   => 'publish',
 				'post_password' => 'secret',
 				'post_content'  => 'Hidden rendered body.',
 			)
 		);
 
-		$this->login_as( 'subscriber' );
+		$this->login_as( $role );
 		$result = $this->ability()->execute(
 			array(
 				'id'     => $post_id,
 				'fields' => array( 'id', 'content_rendered', 'content_protected' ),
 			)
 		);
 
-		$this->assertSame( '', $result['posts'][0]['content_rendered'] );
-		$this->assertTrue( $result['posts'][0]['content_protected'] );
+		$this->assertSame( '', $result['posts'][0]['content_rendered'], 'Password-protected rendered content should be withheld.' );
+		$this->assertTrue( $result['posts'][0]['content_protected'], 'The protected flag should reveal the field is password-protected.' );
 	}
 
 	/*