diff --git a/classes/class-wpcom-liveblog-rest-api.php b/classes/class-wpcom-liveblog-rest-api.php
index ec666329..e6ed90b2 100644
--- a/classes/class-wpcom-liveblog-rest-api.php
+++ b/classes/class-wpcom-liveblog-rest-api.php
@@ -205,6 +205,7 @@ public static function register_routes() {
 array(
 'methods' => WP_REST_Server::READABLE,
 'callback' => array( __CLASS__, 'get_authors' ),
+'permission_callback' => array( 'WPCOM_Liveblog', 'current_user_can_edit_liveblog' ),
 'args' => array(
 'term' => array(
 'required' => false,
@@ -230,6 +231,7 @@ public static function register_routes() {
 array(
 'methods' => WP_REST_Server::READABLE,
 'callback' => array( __CLASS__, 'get_hashtag_terms' ),
+'permission_callback' => array( 'WPCOM_Liveblog', 'current_user_can_edit_liveblog' ),
 'args' => array(
 'term' => array(
 'required' => false,
diff --git a/liveblog.php b/liveblog.php
index 59eac1de..843ecd82 100644
--- a/liveblog.php
+++ b/liveblog.php
@@ -917,6 +917,8 @@ public static function flatten_entries( $entries ) {
 }
 public static function ajax_preview_entry() {
+self::ajax_current_user_can_edit_liveblog();
+
 $entry_content = isset( $_REQUEST['entry_content'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['entry_content'] ) ) : ''; // input var ok
 $entry_content = self::format_preview_entry( $entry_content );
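Review bot: `current_user_can_edit_liveblog` is wired in as the `permission_callback` for the `get_authors` route here and for `get_hashtag_terms` in the next hunk, but a REST permission callback receives the `WP_REST_Request`, and nothing in the hunk shows this static method resolving the liveblog post the request targets, so it presumably checks a site-wide capability rather than edit rights on the specific post — confirm that is the intended scope, since both lookup routes now fail closed for anonymous callers on that basis. The callback must also return a bool or a `WP_Error`; if the method returns anything else the REST server will coerce it, so its contract is worth checking. A one-line comment on each route would make the intent visible to the next reader, e.g. `// Author/hashtag lookups are editor-only: reuse the liveblog edit-capability check.` register_routes() begins and ends outside the hunk.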
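Review bot: The added `self::ajax_current_user_can_edit_liveblog();` call acts as the guard for the preview handler but its return value is ignored, so the handler only stays protected if that helper terminates the request (via `wp_die` or an error response) on failure; if it merely returns `false`, the sanitized `$_REQUEST['entry_content']` is still formatted and rendered below. Confirm its contract, and if it does return a bool, write the guard as `if ( ! self::ajax_current_user_can_edit_liveblog() ) { return; }`. The handler reads `$_REQUEST`, so GET and POST are both accepted, and the hunk shows no nonce check — defensible only because the preview has no persistent side effects, which deserves a comment such as `// Capability helper must exit on failure; preview writes nothing, it only echoes formatted input.` ajax_preview_entry() continues past the end of the hunk.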