From 16efff7396d5b7a12ecef448a6ab29157ca9ef46 Mon Sep 17 00:00:00 2001
From: Jeremy Dormitzer
Date: Sat, 27 Oct 2018 12:00:47 -0400
Subject: [PATCH] Fixed outbox permissions for commenters and non-owner users

---
 includes/server/actors.php | 8 ++++++++
 includes/server/api.php | 14 ++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/includes/server/actors.php b/includes/server/actors.php
index 43960f4..f8b6d24 100644
--- a/includes/server/actors.php
+++ b/includes/server/actors.php
@@ -20,6 +20,14 @@ function get_actor_by_slug ( $slug ) {
     return get_actor_from_row( $row );
 }
 
+function get_actor_row_by_slug ( $slug ) {
+    global $wpdb;
+    $row = $wpdb->get_row( $wpdb->prepare(
+        "SELECT * FROM {$wpdb->prefix}pterotype_actors WHERE slug = %s", $slug
+    ) );
+    return $row;
+}
+
 function get_actor_id( $slug ) {
     global $wpdb;
     return $wpdb->get_var( $wpdb->prepare(
diff --git a/includes/server/api.php b/includes/server/api.php
index 28bd67d..88cbdaf 100644
--- a/includes/server/api.php
+++ b/includes/server/api.php
@@ -69,8 +69,18 @@ function get_shares( $request ) {
     return \pterotype\shares\get_shares_collection( $object_id );
 }
 
-function user_can_post_to_outbox() {
-    return current_user_can( 'publish_posts' );
+function user_can_post_to_outbox( $request ) {
+    $actor_slug = $request->get_url_params()['actor'];
+    $actor_row = \pterotype\actors\get_actor_row_by_slug( $actor_slug );
+    if ( ! $actor_row || is_wp_error( $actor_row ) ) {
+        return false;
+    }
+    if ( $actor_row->type === 'blog' ) {
+        return \current_user_can( 'publish_posts' );
+    } else if ( $actor_row->type === 'user' ) {
+        return \is_user_logged_in();
+    }
+    return true;
 }
 
 function register_routes() {
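Review bot: `get_actor_row_by_slug` has no docblock, and it looks like a copy of the query that `get_actor_by_slug` (whose body starts outside the hunk) runs before its `get_actor_from_row( $row )` call; if that is the same SELECT, `get_actor_by_slug` could become `return get_actor_from_row( get_actor_row_by_slug( $slug ) );` so the two cannot drift apart. The `$row` temporary adds nothing — `return $wpdb->get_row( $wpdb->prepare( ... ) );` reads the same. A docblock such as `/** Fetch the raw pterotype_actors row for $slug; returns null when no actor matches. */` would also tell callers that null, not a WP_Error, is the not-found signal from `$wpdb->get_row`.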
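Review bot: The trailing `return true;` in `user_can_post_to_outbox` makes the permission callback fail open: an actor row whose `type` is neither `'blog'` nor `'user'` lets any request, including an unauthenticated one, post to that outbox, so the fallthrough should be `return false;` and only the explicit branches should grant access. The `'user'` branch checks only `\is_user_logged_in()`, which lets any logged-in account post to any user actor's outbox; if a user actor's outbox is meant to accept posts only from its owner and the row carries the owning WordPress user id (the column is not visible here), that branch should compare it with `get_current_user_id()`. `$request->get_url_params()['actor']` emits a notice and queries with null when the route parameter is absent — `$request->get_url_params()['actor'] ?? ''` avoids that — and the `is_wp_error( $actor_row )` test is dead, since `$wpdb->get_row` returns an object or null. The mix of `\current_user_can` / `\is_user_logged_in` with unqualified `is_wp_error` should also be made consistent one way or the other.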