add capability check to the endpoint permission callback

Automattic · Feb 24, 2023 · 795347d · 795347d
1 parent a5627a7
commit 795347d
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/projects/packages/forms/src/class-wpcom-rest-api-v2-endpoint-forms.php b/projects/packages/forms/src/class-wpcom-rest-api-v2-endpoint-forms.php
@@ -150,7 +150,7 @@ public function get_responses_permission_check() {
 			return $site_id;
 		}
 
-		if ( ! is_user_member_of_blog( get_current_user_id(), $site_id ) ) {
+		if ( ! current_user_can( 'manage_options' ) || ! is_user_member_of_blog( get_current_user_id(), $site_id ) ) {
 			return new WP_Error(
 				'invalid_user_permission_jetpack_form_responses',
 				'unauthorized',