diff --git a/src/wp-admin/about.php b/src/wp-admin/about.php
index b6e3202acd..e3845b0435 100644
--- a/src/wp-admin/about.php
+++ b/src/wp-admin/about.php
@@ -62,6 +62,26 @@ include( ABSPATH . 'wp-admin/admin-header.php' );

+

+ Version %s addressed some security issues.' ), + '5.0.12' + ); + ?> + the release notes.' ), + sprintf( + /* translators: %s: WordPress version */ + esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ), + sanitize_title( '5.0.12' ) + ) + ); + ?> +

password_check_passed[ $post->ID ] ) ) {
+ // Password previously checked and approved.
+ return false;
+ }
+
+ return ! current_user_can( 'edit_post', $post->ID );
+ }
+
 /**
 * Retrieves a collection of posts.
 *
@@ -292,7 +332,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 // Allow access to all password protected posts if the context is edit.
 if ( 'edit' === $request['context'] ) {
- add_filter( 'post_password_required', '__return_false' );
+ add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
 }
 $posts = array();
@@ -308,7 +348,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 // Reset filter.
 if ( 'edit' === $request['context'] ) {
- remove_filter( 'post_password_required', '__return_false' );
+ remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
 }
 $page = (int) $query_args['paged'];
@@ -406,7 +446,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 // Allow access to all password protected posts if the context is edit.
 if ( 'edit' === $request['context'] ) {
- add_filter( 'post_password_required', '__return_false' );
+ add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
 }
 if ( $post ) {
@@ -434,8 +474,14 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 return false;
 }
- // Edit context always gets access to password-protected posts.
- if ( 'edit' === $request['context'] ) {
+ /*
+ * Users always gets access to password protected content in the edit
+ * context if they have the `edit_post` meta capability.
+ */
+ if (
+ 'edit' === $request['context'] &&
+ current_user_can( 'edit_post', $post->ID )
+ ) {
 return true;
 }
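Review bot: The `add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 )` in the `@@ -406,7 +446,7 @@` hunk has no matching `remove_filter()` in the visible lines, whereas the `get_items()` site pairs its add at `@@ -292` with the remove at `@@ -308`. The enclosing method continues past `if ( $post ) {`, so I cannot see whether the hook is removed before the method returns; if it is not, `check_password_required` stays registered for the rest of the PHP request and every later `post_password_required()` call in that process (embedded sub-requests, internal `rest_do_request()` calls, theme output afterwards) is answered by this controller's callback instead of the default cookie check. The new callback bounds that by the `edit_post` capability, so the exposure is far smaller than with the old `__return_false`, but the grant is still wider than the single permission check it was written for. Consider storing the method's result in a local, calling `remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );` and then returning it, mirroring the `$has_password_filter` bookkeeping used in `prepare_item_for_response()`.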
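Review bot: The new comment block in the `@@ -434,8 +474,14 @@` hunk has a subject–verb disagreement, `* Users always gets access to password protected content in the edit` should read `* Users always get access to password protected content in the edit`. Because this condition is the access-control decision itself, the comment should also say why the capability is now required on top of the context check, e.g. a third line `* Edit context alone is not sufficient: the caller must be able to edit this specific post, so rendering one post cannot expose another user's protected content.` The enclosing method begins and ends outside the hunk.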
@@ -1507,8 +1553,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 $has_password_filter = false;
 if ( $this->can_access_password_content( $post, $request ) ) {
+ $this->password_check_passed[ $post->ID ] = true;
 // Allow access to the post, permissions already checked before.
- add_filter( 'post_password_required', '__return_false' );
+ add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
 $has_password_filter = true;
 }
@@ -1535,7 +1582,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 if ( $has_password_filter ) {
 // Reset filter.
- remove_filter( 'post_password_required', '__return_false' );
+ remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
 }
 if ( in_array( 'author', $fields, true ) ) {
diff --git a/tests/phpunit/tests/rest-api/rest-posts-controller.php b/tests/phpunit/tests/rest-api/rest-posts-controller.php
index 27a1fa354b..f66402e679 100644
--- a/tests/phpunit/tests/rest-api/rest-posts-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-posts-controller.php
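Review bot: `$this->password_check_passed[ $post->ID ] = true;` is set in the `@@ -1507,8 +1553,9 @@` hunk but nothing in the visible hunks ever clears it, so the grant outlives the response it was computed for and persists for the lifetime of this controller instance. `can_access_password_content()` is evaluated against the current `$request` (edit context plus `edit_post`, or whatever the password branch outside the hunk checks), so if the same controller object serves a later request in the same PHP process — an `_embed` sub-request, an internal `rest_do_request()`, possibly after `wp_set_current_user()` — `check_password_required()` will still answer `false` for that post ID whenever the filter is active, without re-evaluating the caller. I cannot see the controller's lifecycle from here, so this may be unreachable today, but scoping the flag to the response is one line: in the reset block of the `@@ -1535,7 +1582,7 @@` hunk add `unset( $this->password_check_passed[ $post->ID ] );` next to the `remove_filter()` call.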
@@ -1223,6 +1223,32 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
 $this->assertErrorResponse( 'rest_forbidden', $response, 401 );
 }
+ public function test_get_post_draft_edit_context() {
+ $post_content = 'Hello World!';
+ $this->factory->post->create(
+ array(
+ 'post_title' => 'Hola',
+ 'post_password' => 'password',
+ 'post_content' => $post_content,
+ 'post_excerpt' => $post_content,
+ 'post_author' => self::$editor_id,
+ )
+ );
+ $draft_id = $this->factory->post->create(
+ array(
+ 'post_status' => 'draft',
+ 'post_author' => self::$contributor_id,
+ 'post_content' => ' ',
+ )
+ );
+ wp_set_current_user( self::$contributor_id );
+ $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/posts/%d', $draft_id ) );
+ $request->set_param( 'context', 'edit' );
+ $response = rest_get_server()->dispatch( $request );
+ $data = $response->get_data();
+ $this->assertNotContains( $post_content, $data['content']['rendered'] );
+ }
+
 public function test_get_post_invalid_id() {
 $request = new WP_REST_Request( 'GET', '/wp/v2/posts/' . REST_TESTS_IMPOSSIBLY_HIGH_NUMBER );
 $response = $this->server->dispatch( $request );
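Review bot: `test_get_post_draft_edit_context()` asserts only that the protected text is absent from `$data['content']['rendered']`, so it never establishes that the draft was actually served; if the request errors out, `$data` has no `content` key and the test fails on an undefined index rather than on the leak it guards against, and a future regression that returns an error would be indistinguishable from the fix working. Pin the happy path first with `$this->assertSame( 200, $response->get_status() );` and `$this->assertArrayHasKey( 'rendered', $data['content'] );` ahead of the negative assertion. As printed, the draft's `post_content` is a single space, which on its own cannot pull the protected post's content into the rendered output; if the real fixture embeds it through a block or shortcode, a one-line comment above the draft fixture naming that mechanism would make the regression self-explanatory. The protected fixture also sets `post_excerpt`, so a matching `assertNotContains( $post_content, $data['excerpt']['rendered'] )` would cover the other rendered field.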