FortAwesome / wordpress-fontawesome

Font Awesome Official WordPress Plugin

Allow developers to select which user permissions are necessary to authenticate API calls #200

Open brachypelma opened 1 year ago

brachypelma commented 1 year ago

This is somewhat related to this closed issue.

I noticed that the Font Awesome plugin's REST API route (defined in class-fontawesome-api-controller.php) uses the following to authenticate calls to its API endpoint:

```php
return current_user_can( 'manage_options' ) || current_user_can( 'edit_posts' );
```

While this allows admins and post editor/authors to access the FA menu in Gutenberg when authoring site content, it has some unfortunate restrictions. To illustrate, here is my scenario:

A WordPress site I am working on has a number of custom content types (events, news stories, magazine issues) and corresponding custom user roles for each custom content type (so, for example, we have users who can only edit event posts, or only edit news story posts). These custom-content-type-specific authors are not admins, so none of them have the manage_options capability. Moreover, since each custom role is siloed off into editing just content of a specific type (i.e. not posts), they do not have the edit_posts capability either.

For cases like these, it would be useful to be able to specify additional capabilities that could authenticate API calls. As it stands, it looks like manage_options and edit_posts are hard-coded.

Is there a way to override this authentication logic? If not, do you think this would be a good feature to add?

mlwilkerson commented 12 months ago

Hi @brachypelma, I think that's a fine idea. I propose PR #203 to resolve it. Would that work for you?

Here's an example of how it might be used in a functions.php
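The example that the comment above refers to is not included on this page, and the contents of PR #203 are not shown here either. What follows is an added illustration, not code from the plugin, from PR #203, or from either commenter, of the general pattern being discussed: a REST `permission_callback` that keeps the plugin's existing `manage_options`/`edit_posts` check as the default but lets a site extend the accepted capabilities through a filter, plus the `functions.php` side that grants the issue's custom-role authors access by their own capabilities. The filter name `example_fontawesome_rest_capabilities`, the route namespace `example-fontawesome/v1`, and the capability names `edit_events` and `edit_news_stories` are all assumptions chosen for the example.

```php
<?php
// Added example: not the plugin's code and not PR #203. The filter name,
// route name and custom capability names below are hypothetical.

/**
 * Permission callback for the REST route. Any one of the accepted
 * capabilities grants access (OR semantics, matching the check quoted in
 * the issue); the list can be extended, but not emptied, by a filter.
 */
function example_fontawesome_rest_permission( WP_REST_Request $request ) {
    // Defaults mirror the hard-coded check from the issue.
    $default_caps = array( 'manage_options', 'edit_posts' );

    /**
     * Hypothetical filter letting a theme or plugin add capabilities.
     *
     * @param string[]        $caps    Capabilities, any one of which grants access.
     * @param WP_REST_Request $request The current request, for context.
     */
    $caps = apply_filters( 'example_fontawesome_rest_capabilities', $default_caps, $request );

    // Defensive: a filter that returns a non-array would cause a fatal error,
    // and an empty list would silently lock out every user, so fall back to
    // the defaults in both cases.
    if ( ! is_array( $caps ) || empty( $caps ) ) {
        $caps = $default_caps;
    }

    // Check capabilities, never role names: roles are site-configurable and
    // current_user_can() against a role name is unreliable.
    foreach ( $caps as $cap ) {
        if ( is_string( $cap ) && '' !== $cap && current_user_can( $cap ) ) {
            return true;
        }
    }

    // 401 for anonymous callers, 403 for logged-in users without the capability.
    return new WP_Error(
        'rest_forbidden',
        __( 'Sorry, you are not allowed to do that.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

// Plugin side: register a route that uses the callback above
// (hypothetical namespace and route).
add_action( 'rest_api_init', function () {
    register_rest_route(
        'example-fontawesome/v1',
        '/config',
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => function () {
                return rest_ensure_response( array( 'ok' => true ) );
            },
            'permission_callback' => 'example_fontawesome_rest_permission',
        )
    );
} );

// Site side (functions.php): let the custom-role authors from the issue
// through by the capabilities their custom post types use. The capability
// names are assumed; use whatever capability_type/map_meta_cap your
// register_post_type() calls actually declare.
add_filter( 'example_fontawesome_rest_capabilities', function ( array $caps ) {
    $caps[] = 'edit_events';
    $caps[] = 'edit_news_stories';
    return $caps;
}, 10, 1 );
```

Two points worth keeping in mind with this pattern: the filter can only widen access, so a misbehaving filter cannot accidentally grant everyone access beyond what its returned capabilities already imply, and the fallback to the defaults means a filter that returns an empty array cannot lock administrators out. Because the check is on capabilities rather than role names, the same code works for the siloed custom roles in the issue without the plugin needing to know those roles exist.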