Sites API: Return options for Jetpack blog requests

json-endpoints/class.wpcom-json-api-get-site-endpoint.php

@@ -227,44 +227,44 @@ public function build_current_site_response() {
 			array_intersect( $default_fields, $this->fields_to_include ) :
 			$default_fields;
 
-		if ( ! $this->has_blog_access( $this->api->token_details, $blog_id ) ) {
+		$has_blog_access = $this->has_blog_access( $this->api->token_details );
+		$has_user_access = $this->has_user_access();
+
+		if ( ! $has_user_access && ! $has_blog_access ) {
+			// Public access without user or blog auth, only return `$no_member_fields`.
 			$response_keys = array_intersect( $response_keys, self::$no_member_fields );
+		} elseif ( $has_user_access && ! current_user_can( 'edit_posts' ) ) {
+			// Subscriber level user, don't return site options.
+			$response_keys = array_diff( $response_keys, array( 'options' ) );
 		}
 
 		return $this->render_response_keys( $response_keys );
 	}
 
 	/**
-	 * Checks that the current user has access to the current blog,
-	 * and failing that checks that we have a valid blog token.
+	 * Checks that the current user has access to the current blog.
 	 *
-	 * @param $token_details array Details obtained from the authorization token
-	 * @param $blog_id int The server-side blog id on wordpress.com
+	 * @return bool Whether or not the current user can access the current blog.
+	 */
+	private function has_user_access() {
+		return is_user_member_of_blog( get_current_user_id(), get_current_blog_id() );
+	}
+
+	/**
+	 * Checks if the request has a valid blog token for the current blog.
 	 *
+	 * @param array $token_details Access token for the api request.
 	 * @return bool
 	 */
-	private function has_blog_access( $token_details, $blog_id ) {
-		$current_blog_id = (  defined( 'IS_WPCOM' ) && IS_WPCOM ) ?
-			$blog_id :
-			get_current_blog_id();
-
-		if ( is_user_member_of_blog( get_current_user_id(), $current_blog_id ) ) {
-			return true;
-		}
-
+	private function has_blog_access( $token_details ) {
 		$token_details = (array) $token_details;
 		if ( ! isset( $token_details['access'], $token_details['auth'], $token_details['blog_id'] ) ) {
 			return false;
 		}
 
-		if (
-			'jetpack' === $token_details['auth'] &&
+		return 'jetpack' === $token_details['auth'] &&
 			'blog' === $token_details['access'] &&
-			$current_blog_id === $token_details['blog_id']
-		) {
-			return true;
-		}
-		return false;
+			get_current_blog_id() === $token_details['blog_id'];
 	}
 
 	private function render_response_keys( &$response_keys ) {
@@ -389,10 +389,6 @@ protected function render_response_key( $key, &$response, $is_user_logged_in ) {
 	}
 
 	protected function render_option_keys( &$options_response_keys ) {
-		if ( ! current_user_can( 'edit_posts' ) ) {
-			return array();
-		}
-
 		$options = array();
 		$site = $this->site;
 
@@ -628,7 +624,7 @@ public function decorate_jetpack_response( &$response ) {
 			$response->{ $key } = $value;
 		}
 
-		if ( $this->has_blog_access( $this->api->token_details, $response->ID ) ) {
+		if ( $this->has_user_access() || $this->has_blog_access( $this->api->token_details ) ) {
 			$wpcom_member_response = $this->render_response_keys( self::$jetpack_response_field_member_additions );
 
 			foreach( $wpcom_member_response as $key => $value ) {