Fixed permission check on customers endpoint for legacy REST API

Kryuko · Nov 2, 2018 · 8c908b1 · 8c908b1
1 parent 246cc56
commit 8c908b1
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/includes/api/legacy/v2/class-wc-api-customers.php b/includes/api/legacy/v2/class-wc-api-customers.php
@@ -736,13 +736,13 @@ protected function validate_request( $id, $type, $context ) {
 					break;
 
 				case 'edit':
-					if ( ! current_user_can( 'edit_users' ) ) {
+					if ( ! wc_rest_check_user_permissions( 'edit', $customer->ID ) ) {
 						throw new WC_API_Exception( 'woocommerce_api_user_cannot_edit_customer', __( 'You do not have permission to edit this customer', 'woocommerce' ), 401 );
 					}
 					break;
 
 				case 'delete':
-					if ( ! current_user_can( 'delete_users' ) ) {
+					if ( ! wc_rest_check_user_permissions( 'delete', $customer->ID ) ) {
 						throw new WC_API_Exception( 'woocommerce_api_user_cannot_delete_customer', __( 'You do not have permission to delete this customer', 'woocommerce' ), 401 );
 					}
 					break;

diff --git a/includes/api/legacy/v3/class-wc-api-customers.php b/includes/api/legacy/v3/class-wc-api-customers.php
@@ -726,13 +726,13 @@ protected function validate_request( $id, $type, $context ) {
 					break;
 
 				case 'edit':
-					if ( ! current_user_can( 'edit_users' ) ) {
+					if ( ! wc_rest_check_user_permissions( 'edit', $customer->ID ) ) {
 						throw new WC_API_Exception( 'woocommerce_api_user_cannot_edit_customer', __( 'You do not have permission to edit this customer', 'woocommerce' ), 401 );
 					}
 					break;
 
 				case 'delete':
-					if ( ! current_user_can( 'delete_users' ) ) {
+					if ( ! wc_rest_check_user_permissions( 'delete', $customer->ID ) ) {
 						throw new WC_API_Exception( 'woocommerce_api_user_cannot_delete_customer', __( 'You do not have permission to delete this customer', 'woocommerce' ), 401 );
 					}
 					break;