Adds meta cap for upload_fonts and gates REST API font uploads

lib/compat/wordpress-6.5/fonts/class-wp-rest-font-faces-controller.php

@@ -326,6 +326,14 @@ public function create_item( $request ) {
 			$settings    = $request->get_param( 'font_face_settings' );
 			$file_params = $request->get_file_params();
 
+			if ( ! empty( $file_params ) && ! current_user_can( 'upload_fonts' ) ) {
+				return new WP_Error(
+					'rest_cannot_upload_fonts',
+					__( 'You are not allowed to upload font files.', 'gutenberg' ),
+					array( 'status' => 403 )
+				);
+			}
+
 			// Check that the necessary font face properties are unique.
 			$query = new WP_Query(
 				array(

lib/compat/wordpress-6.5/fonts/fonts.php

@@ -84,6 +84,35 @@ function gutenberg_create_initial_post_types() {
 	);
 }
 
+/**
+ * Filters the user capabilities to grant the 'upload_fonts' capability as necessary.
+ *
+ * To grant the 'upload_fonts' capability, files modifications must be allowed, the fonts directory must be
+ * writable, and the user must have the 'edit_theme_options' capability.
+ *
+ * @since 5.6.0
+ *
+ * @param bool[] $allcaps An array of all the user's capabilities.
+ * @return bool[] Filtered array of the user's capabilities.
+ */
+function gutenberg_maybe_grant_upload_font_cap( $allcaps, $caps ) {
+	if ( ! in_array( 'upload_fonts', $caps, true ) ) {
+		return $allcaps;
+	}
+
+	$fonts_dir = wp_get_font_dir()['path'];
+	if (
+		wp_is_file_mod_allowed( 'can_upload_fonts' ) &&
+		wp_is_writable( $fonts_dir ) &&
+		! empty( $allcaps['edit_theme_options'] )
+	) {
+		$allcaps['upload_fonts'] = true;
+	}
+
+	return $allcaps;
+}
+add_filter( 'user_has_cap', 'gutenberg_maybe_grant_upload_font_cap', 10, 2 );
+
 /**
  * Initializes REST routes.
  *