From a2ff5b9c64ee4d0e9b001147a078766073e6e1b1 Mon Sep 17 00:00:00 2001
From: ingeniumed
Date: Thu, 6 Jun 2024 11:04:53 +1000
Subject: [PATCH] Guard the authors, hashtag read endpoints as well as the ajax preview entry endpoint
---
 classes/class-wpcom-liveblog-rest-api.php | 2 ++
 liveblog.php | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/classes/class-wpcom-liveblog-rest-api.php b/classes/class-wpcom-liveblog-rest-api.php
index ec666329..e6ed90b2 100644
--- a/classes/class-wpcom-liveblog-rest-api.php
+++ b/classes/class-wpcom-liveblog-rest-api.php
@@ -205,6 +205,7 @@ public static function register_routes() {
 array(
 'methods' => WP_REST_Server::READABLE,
 'callback' => array( __CLASS__, 'get_authors' ),
+ 'permission_callback' => array( 'WPCOM_Liveblog', 'current_user_can_edit_liveblog' ),
 'args' => array(
 'term' => array(
 'required' => false,
@@ -230,6 +231,7 @@ public static function register_routes() {
 array(
 'methods' => WP_REST_Server::READABLE,
 'callback' => array( __CLASS__, 'get_hashtag_terms' ),
+ 'permission_callback' => array( 'WPCOM_Liveblog', 'current_user_can_edit_liveblog' ),
 'args' => array(
 'term' => array(
 'required' => false,
diff --git a/liveblog.php b/liveblog.php
index 59eac1de..843ecd82 100644
--- a/liveblog.php
+++ b/liveblog.php
@@ -917,6 +917,8 @@ public static function flatten_entries( $entries ) {
 }
 
 public static function ajax_preview_entry() {
+ self::ajax_current_user_can_edit_liveblog();
+
 $entry_content = isset( $_REQUEST['entry_content'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['entry_content'] ) ) : ''; // input var ok
 $entry_content = self::format_preview_entry( $entry_content );
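Review bot: The new `permission_callback` in the `get_authors` route names the target class as the string literal `'WPCOM_Liveblog'`, while the neighbouring `callback` entries use `array( __CLASS__, ... )`; since the guard lives on a different class, `array( WPCOM_Liveblog::class, 'current_user_can_edit_liveblog' )` is behaviourally identical but survives renames and is visible to static analysis. The same applies to the `get_hashtag_terms` hunk at line 231. The REST server rejects a `false` or `null` return from a permission callback and passes the `WP_REST_Request` as its first argument, so it is worth confirming that `current_user_can_edit_liveblog` returns a strict bool (or a `WP_Error`) and tolerates that extra argument, since its definition is not part of this patch. `register_routes` begins and ends outside both hunks.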