context=edit accessible for not logged in users
Hi,

Once a request with context=edit is cached, this response will be served to all visitors/users: non-logged-in, logged-in, or logged-in but with the wrong capabilities.

1. I set up a new WP site and install and activate wp-rest-cache.
2. To trigger some context=edit requests, I open the editor to edit the sample post and open the category select. E.g. /index.php?_locale=user&context=edit&rest_route=%2Fwp%2Fv2%2Ftaxonomies%2Fcategory got cached.
3. Now in another browser/session, not logged in, I request the same cached URL -> I get the full response. The expected result would be the error "Sorry, you are not allowed to edit posts in this post type."
4. If I empty the cache and make the first request not logged in, I'll get the expected permission error.

Fortunately the permission error is not cached, so the editor will work, but we are back at step two. The rest_controller::get_items_permissions_check got skipped.

I tried to edit WP_Rest_Cache_Plugin\Includes\API\Endpoint_Api::skip_caching: it is too early to check for post_type capabilities, because global $wp_post_types === NULL. So, at least at this early point, we can't utilize the rest_controller::get_items_permissions_check. WP_Rest_Cache_Plugin\Includes\API\Endpoint_Api::get_api_cache is too early as well, global $wp_post_types === NULL. Waiting for global $wp_post_type !== NULL is not efficient.

One instant easy solution would be skipping all context=edit requests.

A better solution, maybe: caching results of permissions_check methods per user name. Can get the user name from $_COOKIES at this early point.

Alright, now breakfast. Thanks a lot
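The following is an added example, not code from the wp-rest-cache plugin or from the poster: a cache gate implementing the "instant easy solution" above, extended so that any response generated for a logged-in session is also kept out of the shared cache. It assumes the plugin exposes a filter named wp_rest_cache/skip_caching receiving ($skip, $request_uri) and that WordPress names its logged-in cookie with the prefix wordpress_logged_in_; all example_ functions are ours. The reason for the broader rule is that a cache keyed only by URL cannot encode who asked, and a cache keyed on a user name read from an unverified cookie would let anyone who sets that cookie name read another user's cached response, so only anonymous responses are treated as shareable.

```php
<?php
/**
 * Added example (not the plugin's code): keep permission-dependent REST
 * responses out of a shared response cache.
 *
 * Assumptions: filter name 'wp_rest_cache/skip_caching' with arguments
 * ($skip, $request_uri); logged-in cookie prefix 'wordpress_logged_in_'.
 */

/** True when the request asks for the REST 'edit' context. */
function example_is_edit_context( string $request_uri ): bool {
	$query = parse_url( $request_uri, PHP_URL_QUERY );
	if ( ! is_string( $query ) || '' === $query ) {
		return false;
	}
	// parse_str() percent-decodes, so both /wp-json/...?context=edit and
	// /index.php?rest_route=%2F...&context=edit are recognised.
	parse_str( $query, $params );
	return isset( $params['context'] ) && 'edit' === $params['context'];
}

/** True when the request carries a WordPress logged-in session cookie. */
function example_has_login_cookie( array $cookies ): bool {
	foreach ( array_keys( $cookies ) as $name ) {
		if ( 0 === strncmp( (string) $name, 'wordpress_logged_in_', 20 ) ) {
			return true;
		}
	}
	return false;
}

/**
 * Decide whether caching must be skipped. The cache key is the URL, which
 * does not encode the requester, so anything whose content depends on the
 * requester's capabilities must not be stored for other visitors.
 */
function example_skip_caching( bool $skip, string $request_uri, array $cookies ): bool {
	if ( $skip ) {
		return true; // Some other rule already excluded this request.
	}
	if ( example_is_edit_context( $request_uri ) ) {
		return true; // context=edit is served only after a capability check.
	}
	// A logged-in user's response may differ from the anonymous one; cache
	// only responses produced for anonymous visitors.
	return example_has_login_cookie( $cookies );
}

// Hook into the plugin when running inside WordPress (filter name assumed).
if ( function_exists( 'add_filter' ) ) {
	add_filter(
		'wp_rest_cache/skip_caching',
		function ( $skip, $request_uri ) {
			return example_skip_caching( (bool) $skip, (string) $request_uri, $_COOKIE );
		},
		10,
		2
	);
}

// Stand-alone demonstration with constructed inputs: php this_file.php
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_filter' ) ) {
	$cases = [
		// The URI from the report above, requested anonymously.
		[ '/index.php?_locale=user&context=edit&rest_route=%2Fwp%2Fv2%2Ftaxonomies%2Fcategory', [] ],
		// Anonymous view-context request: safe to share.
		[ '/wp-json/wp/v2/posts?per_page=5', [] ],
		// Same request with a (constructed) logged-in cookie: not shareable.
		[ '/wp-json/wp/v2/posts?per_page=5', [ 'wordpress_logged_in_abc123' => 'x' ] ],
	];
	foreach ( $cases as [ $uri, $cookies ] ) {
		printf( "%-5s %s\n", example_skip_caching( false, $uri, $cookies ) ? 'skip' : 'cache', $uri );
	}
}
```

Run from the command line the demo prints skip, cache, skip for the three constructed cases. Inside WordPress the demo is bypassed and only the filter registration takes effect.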