The functions `send_confirmation_on_profile_email()`, `_wp_privacy_send_request_confirmation_notification()`, `_wp_privacy_send_erasure_fulfillment_notification()`, and `wp_send_user_request()` all include a title and URL indicating the current site. However, so far they have dealt with those values inconsistently, sometimes using the site values, other times using the network values if in a multisite. This changeset ensures that only the current site is taken into account in all cases and that special characters in the site name are consistently decoded.
Props subrataemfluence, desrosj.
Merges [43388], [43390], and [43435] to the 4.9 branch.
Fixes#44396.
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43459 602fd350-edb4-49c9-b593-d223f7449a82
To prevent someone from passing a string (which would not be added to a new `WP_Error` instance), check for `is_wp_error()` explicitly.
Props desrosj, chetan200891, spyderbytes, lbenicio, sebastien@thivinfo.com, abdullahramzan.
Merges [43457] to the 4.9 branch.
Fixes#44052.
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43458 602fd350-edb4-49c9-b593-d223f7449a82
"Be more discrete." declared matt in [3155], and since then, "Silence is Golden" has been the calling card of placeholder index files. Historically, these have been php files, but [43012] changed that and added index.html files for privacy export generated folders.
The php silence files produce no visible content. This adds consistency with these new html files in that there will be no visible content. Silence will fall when the question is asked.
Merges [43446] to the 4.9 branch.
Fixes#44195.
Props audrasjb, rafsuntaskin, Ov3rfly, johnbillion, pento
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43448 602fd350-edb4-49c9-b593-d223f7449a82
Historically, the REST API would generate the entire response object, including running expensive filters, then it would apply the `_fields` parameter, discarding the fields that weren't specificed.
This change causes `_fields` to be applied earlier, so that only requested fields are processed.
Merges [43087] to the 4.9 branch.
Props danielbachhuber.
See #43874.
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43445 602fd350-edb4-49c9-b593-d223f7449a82
To match behaviour in the Classic Editor, we need to slightly loosen permissions on taxonomy and term endpoints. This allows users to create terms to assign to a post that they're editing.
Merges [43440] to the 4.9 branch.
Props danielbachhuber.
Fixes#44096.
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43443 602fd350-edb4-49c9-b593-d223f7449a82
So that REST API clients can show appropriate UI for a post's revisions, it needs to know how many revisions the post has, and what the latest revision ID is.
Merge of [43439] and [43441] to the 4.9 branch.
Props kadamwhite, danielbachhuber, birgire, TimothyBlynJacobs, pento.
Fixes#44321.
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43442 602fd350-edb4-49c9-b593-d223f7449a82
There are a variety of operations a WordPress user can only perform if they have the correct capabilities. A REST API client should only display UI for one of these operations if the WordPress user can perform the operation.
Rather than requiring REST API clients to calculate whether to display UI based on potentially complicated combinations of user capabilities, `targetSchema` allows us to expose a single flag to show whether the corresponding UI should be displayed.
This change also includes flags on post objects for the following actions:
- `action-publish`: The current user can publish this post.
- `action-sticky`: The current user can make this post sticky, and the post type supports sticking.
- `action-assign-author': The current user can change the author on this post.
- `action-assign-{$taxonomy}`: The current user can assign terms from the "$taxonomy" taxonomy to this post.
- `action-create-{$taxonomy}`: The current user can create terms int the "$taxonomy" taxonomy.
Merges [43437] to the 4.9 branch.
Props TimothyBlynJacobs, danielbachhuber.
Fixes#44287.
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43438 602fd350-edb4-49c9-b593-d223f7449a82
Add a `_doing_it_wrong()` message describing the correct usage of the function.
Props kraftbj, azaozz, SergeyBiryukov, YuriV.
Merges [43361], [43362], [43363] to the 4.9 branch.
Fixes#44142.
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43364 602fd350-edb4-49c9-b593-d223f7449a82
WordCamps are celebrations of the local WordPress Community and once a local one is scheduled, people in that community should know it is coming. This adjusts the WordPress Events in the dashboard widgets to always display a WordCamp, even if there are multiple Meetups happening first.
Props iandunn, metalandcoffee, warmlaundry, alejandroxlopez, jorbin.
Merges [42726], [42728], and [43356] to the 4.9 branch.
Fixes#41112.
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43357 602fd350-edb4-49c9-b593-d223f7449a82
The line was copied from the emails that get sent when an email address changes, without considering if it made sense in the new context.
Props iandunn, ianbelanger, desrosj.
Merges [43353] to the 4.9 branch.
Fixes#44030.
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43354 602fd350-edb4-49c9-b593-d223f7449a82
When a term query using `fields=all_with_object_id` hits the cache, the
cached `stdClass` objects must be converted to `WP_Term` objects. This
was overlooked when `WP_Term_Query` was refactored to support object
queries in [38667].
Merges [43313] to the 4.9 branch.
Props dlh.
Fixes#44221.
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43314 602fd350-edb4-49c9-b593-d223f7449a82
The customizer has allowed HTML in sidebar descriptions since adding support for sidebars. This change ensures that basic HTML is also allowed for them in the widgets admin screen.
Props flixos90.
Merges [43275] to the 4.9 branch.
Fixes#42608.
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43302 602fd350-edb4-49c9-b593-d223f7449a82
There doesn't appear to be any way for an attacker to introduce malicious input into the URL, unless a plugin is filtering the URL to add it, but it's better to be safe than sorry.
Props 1naveengiri, joyously.
Merges [43290] to the 4.9 branch.
Fixes#44115.
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43301 602fd350-edb4-49c9-b593-d223f7449a82
Also, updates POT files for Twenty Ten and Twenty Eleven.
Props earnjam, laurelfulford.
Merges [43293] to the 4.9 branch.
Fixes#43915.
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43295 602fd350-edb4-49c9-b593-d223f7449a82
If a privacy policy has been set, then a link to it will automatically be shown in the footer.
The element containing the "Proudly powered by WordPress" link was chosen for the new policy link, in order to minimize visual conflicts with custom CSS that was written before the new link existed. Unfortunately, some minor conflicts are expected and unavoidable. Adding this link is required as part of GDPR compliance, and the benefits outweigh the downsides.
To further mitigate the conflicts, a new imprint class was added to the "Proudly powered..." link, in order to facilitate targeting each link invididually with custom styles.
This was accidentally not backported to the `4.9` branch before the beta/RC phase, but there was a consensus that it is safe to do that this late in the release cycle.
See https://wordpress.slack.com/archives/C02RQBWTW/p1526577643000132.
See https://wordpress.slack.com/archives/C02RQBWTW/p1526580781000240.
Props xkon, laurelfulford, birgire, azaozz, iandunn.
Merges [43051] to the 4.9 branch.
See #43715.
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43294 602fd350-edb4-49c9-b593-d223f7449a82
A user is required to have the `manage_privacy_options` capability in order to determine which page is set as the privacy policy (the `wp_page_for_privacy_policy`). Given that, it doesn't make sense to allow users without that capability to edit or delete the page.
A similar situation exists with the `page_for_posts` and `page_on_front` options, but Editors are allowed to edit those pages. The reason that this situation is different is because it is more likely that an administrator will want to restrict modifications to the privacy policy, than it is that they will want to allow modifications. Modifications to the policy often require specialized knowledge of local laws, and can have implications for compliance with those laws.
Props dlh, desrosj.
Merges [43286] to the 4.9 branch.
Fixes#44079.
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43287 602fd350-edb4-49c9-b593-d223f7449a82
Previously, personal data exports were stored in `wp-content/uploads/exports`, which is generic enough that it's likely there are existing folders with that name, either created by plugins or manually by administrators. If that folder were reused by Core, then `wp_privacy_delete_old_export_files()` would delete all of the existing files inside it, which is almost certainly not what the site owner wants or expects.
To avoid that, the folder is being renamed to include a specific reference to Core, and a more verbose description of its purpose. With those factored in, it's very unlikely that there will be any conflicts with existing folders.
The `wp_privacy_exports_dir()` and `wp_privacy_exports_url()` functions were introduced to provide a canonical source for the location, and the `wp_privacy_exports_dir` and `wp_privacy_exports_url` filters were introduced to allow plugins to customize it.
Props johnjamesjacoby, allendav.
Merges [43284] to the 4.9 branch.
Fixes#44091.
git-svn-id: https://develop.svn.wordpress.org/branches/4.9@43285 602fd350-edb4-49c9-b593-d223f7449a82
