Collaboration: Harden entity permission checks

Reject non-numeric object IDs early in
can_user_collaborate_on_entity_type(). Verify that a post's actual
type matches the room's claimed entity name before granting access.

For taxonomy rooms, confirm the term exists in the specified taxonomy
and simplify the capability check to use assign_term with the
term's object ID.

Author: josephfusco

src/wp-includes/collaboration/class-wp-http-polling-collaboration-server.php

@@ -347,15 +347,25 @@ public function handle_request( WP_REST_Request $request ) {
 	 * @return bool True if user has permission, otherwise false.
 	 */
 	private function can_user_collaborate_on_entity_type( string $entity_kind, string $entity_name, ?string $object_id ): bool {
+		// Reject non-numeric object IDs early.
+		if ( ! is_null( $object_id ) && ! is_numeric( $object_id ) ) {
+			return false;
+		}
+
 		// Handle single post type entities with a defined object ID.
 		if ( 'postType' === $entity_kind && is_numeric( $object_id ) ) {
+			if ( get_post_type( $object_id ) !== $entity_name ) {
+				return false;
+			}
 			return current_user_can( 'edit_post', (int) $object_id );
 		}
 
 		// Handle single taxonomy term entities with a defined object ID.
 		if ( 'taxonomy' === $entity_kind && is_numeric( $object_id ) ) {
-			$taxonomy = get_taxonomy( $entity_name );
-			return isset( $taxonomy->cap->assign_terms ) && current_user_can( $taxonomy->cap->assign_terms );
+			if ( ! term_exists( (int) $object_id, $entity_name ) ) {
+				return false;
+			}
+			return current_user_can( 'assign_term', (int) $object_id );
 		}
 
 		// Handle single comment entities with a defined object ID.