From 3c7e23297ea61fb2c36b5f7f56145d06671cbf5a Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Sat, 19 Nov 2016 22:39:33 +0000
Subject: [PATCH] Customize: Ensure that `WP_Customize_Manager::save_changeset_post()` returns `setting_validities` even for supplied values that are unchanged from values in changeset.

Check setting existence and authorization via `WP_Customize_Manager::validate_setting_values()` even for `null` values to account for custom params being added to settings, preventing failures from being silently ignored.

See #38705, #30937. Fixes #38865.

Built from https://develop.svn.wordpress.org/trunk@39320

git-svn-id: http://core.svn.wordpress.org/trunk@39260 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/class-wp-customize-manager.php | 34 ++++++++++++++--------
 wp-includes/version.php                    |  2 +-
 2 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/wp-includes/class-wp-customize-manager.php b/wp-includes/class-wp-customize-manager.php
index d047620ca1..ec7c251a68 100644
--- a/wp-includes/class-wp-customize-manager.php
+++ b/wp-includes/class-wp-customize-manager.php
@@ -1728,12 +1728,12 @@ final class WP_Customize_Manager {
 				}
 				continue;
 			}
-			if ( is_null( $unsanitized_value ) ) {
-				continue;
-			}
 			if ( $options['validate_capability'] && ! current_user_can( $setting->capability ) ) {
 				$validity = new WP_Error( 'unauthorized', __( 'Unauthorized to modify setting due to capability.' ) );
 			} else {
+				if ( is_null( $unsanitized_value ) ) {
+					continue;
+				}
 				$validity = $setting->validate( $unsanitized_value );
 			}
 			if ( ! is_wp_error( $validity ) ) {
@@ -2030,7 +2030,6 @@ final class WP_Customize_Manager {
 				$changed_setting_ids[] = $setting_id;
 			}
 		}
-		$post_values = wp_array_slice_assoc( $post_values, $changed_setting_ids );
 
 		/**
 		 * Fires before save validation happens.
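Review bot: The docblock of validate_setting_values() (outside this hunk) should state the contract the moved null check creates: a null value still fails the existence and capability checks, but an authorized null is skipped before `$setting->validate()` and gets no entry in the returned validities, so a caller cannot tell "not validated" from "not supplied". Suggested @param text: `@param array $setting_values Mapping of setting IDs to values; a null value is checked for existence/capability but is not validated and yields no validity entry.` The nested guard could also be flattened to `} elseif ( is_null( $unsanitized_value ) ) { continue; } else {` so the three outcomes sit at one level. The enclosing foreach starts and ends outside the hunk.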
@@ -2046,7 +2045,11 @@ final class WP_Customize_Manager {
 		do_action( 'customize_save_validation_before', $this );
 
 		// Validate settings.
-		$setting_validities = $this->validate_setting_values( $post_values, array(
+		$validated_values = array_merge(
+			array_fill_keys( array_keys( $args['data'] ), null ), // Make sure existence/capability checks are done on value-less setting updates.
+			$post_values
+		);
+		$setting_validities = $this->validate_setting_values( $validated_values, array(
 			'validate_capability' => true,
 			'validate_existence' => true,
 		) );
@@ -2064,10 +2067,6 @@ final class WP_Customize_Manager {
 			return new WP_Error( 'transaction_fail', '', $response );
 		}
 
-		$response = array(
-			'setting_validities' => $setting_validities,
-		);
-
 		// Obtain/merge data for changeset.
 		$original_changeset_data = $this->get_changeset_post_data( $changeset_post_id );
 		$data = $original_changeset_data;
@@ -2105,14 +2104,21 @@ final class WP_Customize_Manager {
 				// Remove setting from changeset entirely.
 				unset( $data[ $changeset_setting_id ] );
 			} else {
-				// Merge any additional setting params that have been supplied with the existing params.
+
 				if ( ! isset( $data[ $changeset_setting_id ] ) ) {
 					$data[ $changeset_setting_id ] = array();
 				}
 
+				// Merge any additional setting params that have been supplied with the existing params.
+				$merged_setting_params = array_merge( $data[ $changeset_setting_id ], $setting_params );
+
+				// Skip updating setting params if unchanged (ensuring the user_id is not overwritten).
+				if ( $data[ $changeset_setting_id ] === $merged_setting_params ) {
+					continue;
+				}
+
 				$data[ $changeset_setting_id ] = array_merge(
-					$data[ $changeset_setting_id ],
-					$setting_params,
+					$merged_setting_params,
 					array(
 						'type' => $setting->type,
 						'user_id' => $args['user_id'],
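Review bot: `array_merge()` on the added `$validated_values` lines renumbers integer keys, so a setting ID that PHP stores as an integer key (a purely numeric ID) would be re-indexed from 0 and validated under the wrong ID; since `$args['data']` is client-supplied, the key-preserving union is the safer form: `$validated_values = $post_values + array_fill_keys( array_keys( $args['data'] ), null );` (the left operand wins, so supplied values still take precedence over the null placeholders). The trailing comment on the array_fill_keys line is long enough that it would read better on its own line above the assignment. save_changeset_post() continues outside the hunk.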
@@ -2220,6 +2226,10 @@ final class WP_Customize_Manager {
 
 		remove_filter( 'wp_save_post_revision_post_has_changed', array( $this, '_filter_revision_post_has_changed' ) );
 
+		$response = array(
+			'setting_validities' => $setting_validities,
+		);
+
 		if ( is_wp_error( $r ) ) {
 			$response['changeset_post_save_failure'] = $r->get_error_code();
 			return new WP_Error( 'changeset_post_save_failure', '', $response );
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 25a2fc8afb..1f96357596 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.7-beta4-39319';
+$wp_version = '4.7-beta4-39320';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
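Review bot: `$response` is now first assigned here, after the post insert/update, whereas before this commit it was initialized right after the `transaction_fail` check (the lines removed at old line 2067 in the earlier hunk). Any code between those two points that read or appended to `$response` would now hit an undefined variable; that stretch is not visible in this diff, so it is worth confirming that the only other writer is the validation-failure branch feeding the `transaction_fail` return. A short comment such as `// Built late so that only the final validities and the save outcome are reported.` above the new assignment would explain the move to the next reader. The enclosing method continues outside the hunk.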