WP_REST_Posts_Controller::can_access_password_content( WP_Post $post, WP_REST_Request $request )

Checks if the user can access password-protected content.

Description

This method determines whether we need to override the regular password check in core with a filter.

Parameters

$post: (WP_Post) (Required) Post to check against.
$request: (WP_REST_Request) (Required) Request data to check.

Return

(bool) True if the user can access password-protected content, otherwise false.

Source

File: wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

public function can_access_password_content( $post, $request ) {
		if ( empty( $post->post_password ) ) {
			// No filter required.
			return false;
		}

		/*
		 * Users always gets access to password protected content in the edit
		 * context if they have the `edit_post` meta capability.
		 */
		if (
			'edit' === $request['context'] &&
			current_user_can( 'edit_post', $post->ID )
		) {
			return true;
		}

		// No password, no auth.
		if ( empty( $request['password'] ) ) {
			return false;
		}

		// Double-check the request password.
		return hash_equals( $post->post_password, $request['password'] );
	}

Uses

Uses	Description
wp-includes/compat.php: hash_equals()	Timing attack safe string comparison
wp-includes/capabilities.php: current_user_can()	Returns whether the current user has the specified capability.

Used By

Used By	Description
wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php: WP_REST_Posts_Controller::prepare_item_for_response()	Prepares a single post output for response.

Changelog

Version	Description
4.7.0	Introduced.

© 2003–2021 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/classes/wp_rest_posts_controller/can_access_password_content