WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Customize: Prevent auto-draft post/page stubs from being saved with empty slugs or published with non-unique slugs. 

* Allow `WP_Customize_Nav_Menus::insert_auto_draft_post()` to take full post array to pass to `wp_insert_post()`, except for `post_status`. Require `post_title`. 
* Ensure empty `post_name` gets explicitly set to slugified `post_title`.
* Explicitly allow only `post_type` and `post_title` params in `WP_Customize_Nav_Menus::ajax_insert_auto_draft_post()`.
* Use `wp_update_post()` instead of `wp_publish_post()` to ensure unique slugs are assigned to published auto-draft posts.
* Re-use `WP_Customize_Nav_Menus::insert_auto_draft_post()` when inserting stubs from starter content.
 
See #38114, #38013, #34923.
Fixes #38539.

Built from https://develop.svn.wordpress.org/trunk@39038


git-svn-id: http://core.svn.wordpress.org/trunk@38980 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Weston Ruter 2016-10-30 20:21:33 +00:00
parent 0181e937c5
commit 015cb27b87
3 changed files with 36 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
wp-includes/class-wp-customize-manager.php
View File

@ -959,10 +959,10 @@ final class WP_Customize_Manager {
// Posts & pages. // Posts & pages.
if ( ! empty( $posts ) ) { if ( ! empty( $posts ) ) {
foreach ( array_keys( $posts ) as $post_symbol ) { foreach ( array_keys( $posts ) as $post_symbol ) {
$posts[ $post_symbol ]['ID'] = wp_insert_post( wp_slash( array_merge( $r = $this->nav_menus->insert_auto_draft_post( $posts[ $post_symbol ] );
$posts[ $post_symbol ], if ( $r instanceof WP_Post ) {
array( 'post_status' => 'auto-draft' ) $posts[ $post_symbol ]['ID'] = $r->ID;
) ) ); }
} }
$this->set_post_value( 'nav_menus_created_posts', wp_list_pluck( $posts, 'ID' ) ); // This is why nav_menus component is dependency for adding posts. $this->set_post_value( 'nav_menus_created_posts', wp_list_pluck( $posts, 'ID' ) ); // This is why nav_menus component is dependency for adding posts.
} }

46
wp-includes/class-wp-customize-nav-menus.php
View File

@ -734,10 +734,12 @@ final class WP_Customize_Nav_Menus {
* @since 4.7.0 * @since 4.7.0
* *
* @param array $postarr { * @param array $postarr {
* Abbreviated post array. * Post array. Note that post_status is overridden to be `auto-draft`.
* *
* @var string $post_title Post title. * @var string $post_title Post title. Required.
* @var string $post_type Post type. * @var string $post_type Post type. Required.
* @var string $post_name Post name.
* @var string $post_content Post content.
* } * }
* @return WP_Post|WP_Error Inserted auto-draft post object or error. * @return WP_Post|WP_Error Inserted auto-draft post object or error.
*/ */
@ -745,18 +747,22 @@ final class WP_Customize_Nav_Menus {
if ( ! isset( $postarr['post_type'] ) || ! post_type_exists( $postarr['post_type'] ) ) { if ( ! isset( $postarr['post_type'] ) || ! post_type_exists( $postarr['post_type'] ) ) {
return new WP_Error( 'unknown_post_type', __( 'Unknown post type' ) ); return new WP_Error( 'unknown_post_type', __( 'Unknown post type' ) );
} }
if ( ! isset( $postarr['post_title'] ) ) { if ( empty( $postarr['post_title'] ) ) {
$postarr['post_title'] = ''; return new WP_Error( 'empty_title', __( 'Empty title' ) );
}
if ( ! empty( $postarr['post_status'] ) ) {
return new WP_Error( 'status_forbidden', __( 'Status is forbidden' ) );
}
$postarr['post_status'] = 'auto-draft';
// Auto-drafts are allowed to have empty post_names, so it has to be explicitly set.
if ( empty( $postarr['post_name'] ) ) {
$postarr['post_name'] = sanitize_title( $postarr['post_title'] );
} }
add_filter( 'wp_insert_post_empty_content', '__return_false', 1000 ); add_filter( 'wp_insert_post_empty_content', '__return_false', 1000 );
$args = array( $r = wp_insert_post( wp_slash( $postarr ), true );
'post_status' => 'auto-draft',
'post_type' => $postarr['post_type'],
'post_title' => $postarr['post_title'],
'post_name' => sanitize_title( $postarr['post_title'] ), // Auto-drafts are allowed to have empty post_names, so we need to explicitly set it.
);
$r = wp_insert_post( wp_slash( $args ), true );
remove_filter( 'wp_insert_post_empty_content', '__return_false', 1000 ); remove_filter( 'wp_insert_post_empty_content', '__return_false', 1000 );
if ( is_wp_error( $r ) ) { if ( is_wp_error( $r ) ) {
@ -785,15 +791,18 @@ final class WP_Customize_Nav_Menus {
wp_send_json_error( 'missing_params', 400 ); wp_send_json_error( 'missing_params', 400 );
} }
$params = wp_array_slice_assoc( $params = wp_unslash( $_POST['params'] );
array_merge( $illegal_params = array_diff( array_keys( $params ), array( 'post_type', 'post_title' ) );
if ( ! empty( $illegal_params ) ) {
wp_send_json_error( 'illegal_params', 400 );
}
$params = array_merge(
array( array(
'post_type' => '', 'post_type' => '',
'post_title' => '', 'post_title' => '',
), ),
wp_unslash( $_POST['params'] ) $params
),
array( 'post_type', 'post_title' )
); );
if ( empty( $params['post_type'] ) || ! post_type_exists( $params['post_type'] ) ) { if ( empty( $params['post_type'] ) || ! post_type_exists( $params['post_type'] ) ) {
@ -1139,7 +1148,8 @@ final class WP_Customize_Nav_Menus {
$post_ids = $setting->post_value(); $post_ids = $setting->post_value();
if ( ! empty( $post_ids ) ) { if ( ! empty( $post_ids ) ) {
foreach ( $post_ids as $post_id ) { foreach ( $post_ids as $post_id ) {
wp_publish_post( $post_id ); // Note that wp_publish_post() cannot be used because unique slugs need to be assigned.
wp_update_post( array( 'ID' => $post_id, 'post_status' => 'publish' ) );
} }
} }
} }

2
wp-includes/version.php
View File

@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.7-beta1-39037'; $wp_version = '4.7-beta1-39038';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.