Add filter for REST API menu read access check

src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php

@@ -80,6 +80,19 @@ public function get_item_permissions_check( $request ) {
 	 * @return true|WP_Error True if the request has read access for the item, WP_Error object otherwise.
 	 */
 	protected function check_has_read_only_access( $request ) {
+		/**
+		 * Filters whether the current user has read access to menu items via the REST API.
+		 *
+		 * @since 6.8.0
+		 * @param $read_only_access bool Whether the current user has read access to menu items via the REST API.
+		 * @param $request WP_REST_Request Full details about the request.
+		 * @param $this WP_REST_Controller The current instance of the controller.
+		 */
+		$read_only_access = apply_filters( 'rest_menu_read_access', false, $request, $this );
+		if ( $read_only_access ) {
+			return true;
+		}
+
 		if ( current_user_can( 'edit_theme_options' ) ) {
 			return true;
 		}

src/wp-includes/rest-api/endpoints/class-wp-rest-menu-locations-controller.php

@@ -80,15 +80,7 @@ public function register_routes() {
 	 * @return true|WP_Error True if the request has read access, WP_Error object otherwise.
 	 */
 	public function get_items_permissions_check( $request ) {
-		if ( ! current_user_can( 'edit_theme_options' ) ) {
-			return new WP_Error(
-				'rest_cannot_view',
-				__( 'Sorry, you are not allowed to view menu locations.' ),
-				array( 'status' => rest_authorization_required_code() )
-			);
-		}
-
-		return true;
+		return $this->check_has_read_only_access( $request );
 	}
 
 	/**
@@ -123,15 +115,7 @@ public function get_items( $request ) {
 	 * @return true|WP_Error True if the request has read access for the item, WP_Error object otherwise.
 	 */
 	public function get_item_permissions_check( $request ) {
-		if ( ! current_user_can( 'edit_theme_options' ) ) {
-			return new WP_Error(
-				'rest_cannot_view',
-				__( 'Sorry, you are not allowed to view menu locations.' ),
-				array( 'status' => rest_authorization_required_code() )
-			);
-		}
-
-		return true;
+		return $this->check_has_read_only_access( $request );
 	}
 
 	/**
@@ -157,6 +141,32 @@ public function get_item( $request ) {
 		return rest_ensure_response( $data );
 	}
 
+	/**
+	 * Checks whether the current user has read permission for the endpoint.
+	 *
+	 * @since 6.8.0
+	 *
+	 * @param WP_REST_Request $request Full details about the request.
+	 * @return true|WP_Error True if the current user has permission, WP_Error object otherwise.
+	 */
+	protected function check_has_read_only_access( $request ) {
+		/** This filter is documented in wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php */
+		$read_only_access = apply_filters( 'rest_menu_read_access', false, $request, $this );
+		if ( $read_only_access ) {
+			return true;
+		}
+
+		if ( ! current_user_can( 'edit_theme_options' ) ) {
+			return new WP_Error(
+				'rest_cannot_view',
+				__( 'Sorry, you are not allowed to view menu locations.' ),
+				array( 'status' => rest_authorization_required_code() )
+			);
+		}
+
+		return true;
+	}
+
 	/**
 	 * Prepares a menu location object for serialization.
 	 *

src/wp-includes/rest-api/endpoints/class-wp-rest-menus-controller.php

@@ -84,6 +84,12 @@ protected function get_term( $id ) {
 	 * @return true|WP_Error True if the current user has permission, WP_Error object otherwise.
 	 */
 	protected function check_has_read_only_access( $request ) {
+		/** This filter is documented in wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php */
+		$read_only_access = apply_filters( 'rest_menu_read_access', false, $request, $this );
+		if ( $read_only_access ) {
+			return true;
+		}
+
 		if ( current_user_can( 'edit_theme_options' ) ) {
 			return true;
 		}