Merge pull request #506 from buddypress/feature/bp-view-feature

Review the `bp_view` capability support in endpoints

includes/bp-activity/classes/class-bp-rest-activity-endpoint.php

@@ -260,6 +260,17 @@ public function get_items( $request ) {
 	 * @return true|WP_Error
 	 */
 	public function get_items_permissions_check( $request ) {
+		$retval = new WP_Error(
+			'bp_rest_authorization_required',
+			__( 'Sorry, you are not allowed to perform this action.', 'buddypress' ),
+			array(
+				'status' => rest_authorization_required_code(),
+			)
+		);
+
+		if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'activity' ) ) ) {
+			$retval = true;
+		}
 
 		/**
 		 * Filter the activity `get_items` permissions check.
@@ -269,7 +280,7 @@ public function get_items_permissions_check( $request ) {
 		 * @param true|WP_Error   $retval  Returned value.
 		 * @param WP_REST_Request $request Full data about the request.
 		 */
-		return apply_filters( 'bp_rest_activity_get_items_permissions_check', true, $request );
+		return apply_filters( 'bp_rest_activity_get_items_permissions_check', $retval, $request );
 	}
 
 	/**
@@ -332,7 +343,7 @@ public function get_item_permissions_check( $request ) {
 			)
 		);
 
-		if ( $this->can_see( $request ) ) {
+		if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'activity' ) ) && $this->can_see( $request ) ) {
 			$retval = true;
 		}
 

includes/bp-blogs/classes/class-bp-rest-attachments-blog-avatar-endpoint.php

@@ -14,7 +14,6 @@
  * @since 6.0.0
  */
 class BP_REST_Attachments_Blog_Avatar_Endpoint extends WP_REST_Controller {
-
 	use BP_REST_Attachments;
 
 	/**
@@ -172,26 +171,24 @@ public function get_item_permissions_check( $request ) {
 			)
 		);
 
-		$this->blog = $this->blogs_endpoint->get_blog_object( $request->get_param( 'id' ) );
-
-		if ( ! is_object( $this->blog ) ) {
-			$retval = new WP_Error(
-				'bp_rest_blog_invalid_id',
-				__( 'Invalid group ID.', 'buddypress' ),
-				array(
-					'status' => 404,
-				)
-			);
-		} elseif ( buddypress()->avatar->show_avatars ) {
-			$retval = true;
-		} else {
-			$retval = new WP_Error(
-				'bp_rest_attachments_blog_avatar_disabled',
-				__( 'Sorry, blog avatar is disabled.', 'buddypress' ),
-				array(
-					'status' => 500,
-				)
-			);
+		if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'blogs' ) ) ) {
+			$this->blog = $this->blogs_endpoint->get_blog_object( $request->get_param( 'id' ) );
+
+			if ( ! is_object( $this->blog ) ) {
+				$retval = new WP_Error(
+					'bp_rest_blog_invalid_id',
+					__( 'Invalid group ID.', 'buddypress' ),
+					array( 'status' => 404 )
+				);
+			} elseif ( buddypress()->avatar->show_avatars ) {
+				$retval = true;
+			} else {
+				$retval = new WP_Error(
+					'bp_rest_attachments_blog_avatar_disabled',
+					__( 'Sorry, blog avatar is disabled.', 'buddypress' ),
+					array( 'status' => 500 )
+				);
+			}
 		}
 
 		/**

includes/bp-blogs/classes/class-bp-rest-blogs-endpoint.php

@@ -165,6 +165,17 @@ public function get_items( $request ) {
 	 * @return true|WP_Error
 	 */
 	public function get_items_permissions_check( $request ) {
+		$retval = new WP_Error(
+			'bp_rest_authorization_required',
+			__( 'Sorry, you are not allowed to perform this action.', 'buddypress' ),
+			array(
+				'status' => rest_authorization_required_code(),
+			)
+		);
+
+		if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'blogs' ) ) ) {
+			$retval = true;
+		}
 
 		/**
 		 * Filter the blogs `get_items` permissions check.
@@ -174,7 +185,7 @@ public function get_items_permissions_check( $request ) {
 		 * @param true|WP_Error   $retval  Returned value.
 		 * @param WP_REST_Request $request The request sent to the API.
 		 */
-		return apply_filters( 'bp_rest_blogs_get_items_permissions_check', true, $request );
+		return apply_filters( 'bp_rest_blogs_get_items_permissions_check', $retval, $request );
 	}
 
 	/**
@@ -229,6 +240,17 @@ public function get_item( $request ) {
 	 * @return true|WP_Error
 	 */
 	public function get_item_permissions_check( $request ) {
+		$retval = new WP_Error(
+			'bp_rest_authorization_required',
+			__( 'Sorry, you are not allowed to perform this action.', 'buddypress' ),
+			array(
+				'status' => rest_authorization_required_code(),
+			)
+		);
+
+		if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'blogs' ) ) ) {
+			$retval = true;
+		}
 
 		/**
 		 * Filter the blog `get_item` permissions check.
@@ -238,7 +260,7 @@ public function get_item_permissions_check( $request ) {
 		 * @param true|WP_Error   $retval  Returned value.
 		 * @param WP_REST_Request $request The request sent to the API.
 		 */
-		return apply_filters( 'bp_rest_blogs_get_item_permissions_check', true, $request );
+		return apply_filters( 'bp_rest_blogs_get_item_permissions_check', $retval, $request );
 	}
 
 	/**

includes/bp-groups/classes/class-bp-rest-attachments-group-avatar-endpoint.php

@@ -14,7 +14,6 @@
  * @since 0.1.0
  */
 class BP_REST_Attachments_Group_Avatar_Endpoint extends WP_REST_Controller {
-
 	use BP_REST_Attachments;
 
 	/**
@@ -178,13 +177,12 @@ public function get_item_permissions_check( $request ) {
 		);
 
 		if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'groups' ) ) ) {
-			$retval      = new WP_Error(
+			$retval = new WP_Error(
 				'bp_rest_group_invalid_id',
 				__( 'Invalid group ID.', 'buddypress' ),
-				array(
-					'status' => 404,
-				)
+				array( 'status' => 404 )
 			);
+
 			$this->group = $this->groups_endpoint->get_group_object( $request );
 
 			if ( false !== $this->group ) {

includes/bp-groups/classes/class-bp-rest-attachments-group-cover-endpoint.php

@@ -16,7 +16,6 @@
  * @since 6.0.0
  */
 class BP_REST_Attachments_Group_Cover_Endpoint extends WP_REST_Controller {
-
 	use BP_REST_Attachments;
 
 	/**
@@ -167,9 +166,7 @@ public function get_item_permissions_check( $request ) {
 			$retval = new WP_Error(
 				'bp_rest_group_invalid_id',
 				__( 'Invalid group ID.', 'buddypress' ),
-				array(
-					'status' => 404,
-				)
+				array( 'status' => 404 )
 			);
 
 			$this->group = $this->groups_endpoint->get_group_object( $request );