Grouped merges for 5.0.12.
* REST API: Allow authors to read their own password protected posts. * About page update. Merges [50717] to the 5.0 branch. git-svn-id: https://develop.svn.wordpress.org/branches/5.0@50731 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
parent
85f99cf214
commit
fdad53e8ae
@ -62,6 +62,26 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
|
||||
|
||||
<div class="changelog point-releases">
|
||||
<h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
|
||||
<p>
|
||||
<?php
|
||||
printf(
|
||||
/* translators: %s: WordPress version number */
|
||||
__( '<strong>Version %s</strong> addressed some security issues.' ),
|
||||
'5.0.12'
|
||||
);
|
||||
?>
|
||||
<?php
|
||||
printf(
|
||||
/* translators: %s: HelpHub URL */
|
||||
__( 'For more information, see <a href="%s">the release notes</a>.' ),
|
||||
sprintf(
|
||||
/* translators: %s: WordPress version */
|
||||
esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
|
||||
sanitize_title( '5.0.12' )
|
||||
)
|
||||
);
|
||||
?>
|
||||
</p>
|
||||
<p>
|
||||
<?php
|
||||
printf(
|
||||
|
@ -32,6 +32,14 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
|
||||
*/
|
||||
protected $meta;
|
||||
|
||||
/**
|
||||
* Passwordless post access permitted.
|
||||
*
|
||||
* @since 5.7.1
|
||||
* @var int[]
|
||||
*/
|
||||
protected $password_check_passed = array();
|
||||
|
||||
/**
|
||||
* Constructor.
|
||||
*
|
||||
@ -137,6 +145,38 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Override the result of the post password check for REST requested posts.
|
||||
*
|
||||
* Allow users to read the content of password protected posts if they have
|
||||
* previously passed a permission check or if they have the `edit_post` capability
|
||||
* for the post being checked.
|
||||
*
|
||||
* @since 5.7.1
|
||||
*
|
||||
* @param bool $required Whether the post requires a password check.
|
||||
* @param WP_Post $post The post been password checked.
|
||||
* @return bool Result of password check taking in to account REST API considerations.
|
||||
*/
|
||||
public function check_password_required( $required, $post ) {
|
||||
if ( ! $required ) {
|
||||
return $required;
|
||||
}
|
||||
|
||||
$post = get_post( $post );
|
||||
|
||||
if ( ! $post ) {
|
||||
return $required;
|
||||
}
|
||||
|
||||
if ( ! empty( $this->password_check_passed[ $post->ID ] ) ) {
|
||||
// Password previously checked and approved.
|
||||
return false;
|
||||
}
|
||||
|
||||
return ! current_user_can( 'edit_post', $post->ID );
|
||||
}
|
||||
|
||||
/**
|
||||
* Retrieves a collection of posts.
|
||||
*
|
||||
@ -292,7 +332,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
|
||||
|
||||
// Allow access to all password protected posts if the context is edit.
|
||||
if ( 'edit' === $request['context'] ) {
|
||||
add_filter( 'post_password_required', '__return_false' );
|
||||
add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
|
||||
}
|
||||
|
||||
$posts = array();
|
||||
@ -308,7 +348,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
|
||||
|
||||
// Reset filter.
|
||||
if ( 'edit' === $request['context'] ) {
|
||||
remove_filter( 'post_password_required', '__return_false' );
|
||||
remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
|
||||
}
|
||||
|
||||
$page = (int) $query_args['paged'];
|
||||
@ -406,7 +446,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
|
||||
|
||||
// Allow access to all password protected posts if the context is edit.
|
||||
if ( 'edit' === $request['context'] ) {
|
||||
add_filter( 'post_password_required', '__return_false' );
|
||||
add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
|
||||
}
|
||||
|
||||
if ( $post ) {
|
||||
@ -434,8 +474,14 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Edit context always gets access to password-protected posts.
|
||||
if ( 'edit' === $request['context'] ) {
|
||||
/*
|
||||
* Users always gets access to password protected content in the edit
|
||||
* context if they have the `edit_post` meta capability.
|
||||
*/
|
||||
if (
|
||||
'edit' === $request['context'] &&
|
||||
current_user_can( 'edit_post', $post->ID )
|
||||
) {
|
||||
return true;
|
||||
}
|
||||
|
||||
@ -1507,8 +1553,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
|
||||
$has_password_filter = false;
|
||||
|
||||
if ( $this->can_access_password_content( $post, $request ) ) {
|
||||
$this->password_check_passed[ $post->ID ] = true;
|
||||
// Allow access to the post, permissions already checked before.
|
||||
add_filter( 'post_password_required', '__return_false' );
|
||||
add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
|
||||
|
||||
$has_password_filter = true;
|
||||
}
|
||||
@ -1535,7 +1582,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
|
||||
|
||||
if ( $has_password_filter ) {
|
||||
// Reset filter.
|
||||
remove_filter( 'post_password_required', '__return_false' );
|
||||
remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
|
||||
}
|
||||
|
||||
if ( in_array( 'author', $fields, true ) ) {
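Review bot: The docblock for `$password_check_passed` in the first controller hunk declares `@var int[]`, but the only write to it (`$this->password_check_passed[ $post->ID ] = true;` in the prepare_item_for_response hunk) stores booleans keyed by post ID, so the annotation should read `@var bool[]` (or `array<int, bool>`) so readers and static analysis see that post IDs are the keys, not the values. Those entries are also never cleared when the matching `remove_filter( 'post_password_required', array( $this, 'check_password_required' ) )` runs; that is harmless within a single request because the entry is written only after `can_access_password_content()` has passed, but a one-line comment on the property such as `// Per-request cache of post IDs whose password check already passed; intentionally not reset.` would save the next reader that trace. In the can_access_password_content hunk (`@ -434,8 +474,14`) the page has lost the +/- markers: if the outer `if ( 'edit' === $request['context'] )` survives on the new side, the inner `'edit' === $request['context'] &&` condition is redundant and one of the two should go; if the outer block was removed, the new code is fine as shown.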
|
||||
|
@ -1223,6 +1223,32 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
|
||||
$this->assertErrorResponse( 'rest_forbidden', $response, 401 );
|
||||
}
|
||||
|
||||
public function test_get_post_draft_edit_context() {
|
||||
$post_content = 'Hello World!';
|
||||
$this->factory->post->create(
|
||||
array(
|
||||
'post_title' => 'Hola',
|
||||
'post_password' => 'password',
|
||||
'post_content' => $post_content,
|
||||
'post_excerpt' => $post_content,
|
||||
'post_author' => self::$editor_id,
|
||||
)
|
||||
);
|
||||
$draft_id = $this->factory->post->create(
|
||||
array(
|
||||
'post_status' => 'draft',
|
||||
'post_author' => self::$contributor_id,
|
||||
'post_content' => '<!-- wp:latest-posts {"displayPostContent":true} /--> <!-- wp:latest-posts {"displayPostContent":true,"displayPostContentRadio":"full_post"} /-->',
|
||||
)
|
||||
);
|
||||
wp_set_current_user( self::$contributor_id );
|
||||
$request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/posts/%d', $draft_id ) );
|
||||
$request->set_param( 'context', 'edit' );
|
||||
$response = rest_get_server()->dispatch( $request );
|
||||
$data = $response->get_data();
|
||||
$this->assertNotContains( $post_content, $data['content']['rendered'] );
|
||||
}
|
||||
|
||||
public function test_get_post_invalid_id() {
|
||||
$request = new WP_REST_Request( 'GET', '/wp/v2/posts/' . REST_TESTS_IMPOSSIBLY_HIGH_NUMBER );
|
||||
$response = $this->server->dispatch( $request );
|
||||
|