WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Customize: Ensure that `WP_Customize_Manager::save_changeset_post()` returns `setting_validities` even for supplied values that are unchanged from values in changeset. 

Check setting existence and authorization via `WP_Customize_Manager::validate_setting_values()` even for `null` values to account for custom params being added to settings, preventing failures from being silently ignored.

See #38705, #30937.
Fixes #38865.

Built from https://develop.svn.wordpress.org/trunk@39320


git-svn-id: http://core.svn.wordpress.org/trunk@39260 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Weston Ruter 2016-11-19 22:39:33 +00:00
parent c04452a81f
commit 3c7e23297e
2 changed files with 23 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
wp-includes/class-wp-customize-manager.php
View File

@ -1728,12 +1728,12 @@ final class WP_Customize_Manager {
} }
continue; continue;
} }
if ( is_null( $unsanitized_value ) ) {
continue;
}
if ( $options['validate_capability'] && ! current_user_can( $setting->capability ) ) { if ( $options['validate_capability'] && ! current_user_can( $setting->capability ) ) {
$validity = new WP_Error( 'unauthorized', __( 'Unauthorized to modify setting due to capability.' ) ); $validity = new WP_Error( 'unauthorized', __( 'Unauthorized to modify setting due to capability.' ) );
} else { } else {
if ( is_null( $unsanitized_value ) ) {
continue;
}
$validity = $setting->validate( $unsanitized_value ); $validity = $setting->validate( $unsanitized_value );
} }
if ( ! is_wp_error( $validity ) ) { if ( ! is_wp_error( $validity ) ) {
@ -2030,7 +2030,6 @@ final class WP_Customize_Manager {
$changed_setting_ids[] = $setting_id; $changed_setting_ids[] = $setting_id;
} }
} }
$post_values = wp_array_slice_assoc( $post_values, $changed_setting_ids );
/** /**
* Fires before save validation happens. * Fires before save validation happens.
@ -2046,7 +2045,11 @@ final class WP_Customize_Manager {
do_action( 'customize_save_validation_before', $this ); do_action( 'customize_save_validation_before', $this );
// Validate settings. // Validate settings.
$setting_validities = $this->validate_setting_values( $post_values, array( $validated_values = array_merge(
array_fill_keys( array_keys( $args['data'] ), null ), // Make sure existence/capability checks are done on value-less setting updates.
$post_values
);
$setting_validities = $this->validate_setting_values( $validated_values, array(
'validate_capability' => true, 'validate_capability' => true,
'validate_existence' => true, 'validate_existence' => true,
) ); ) );
@ -2064,10 +2067,6 @@ final class WP_Customize_Manager {
return new WP_Error( 'transaction_fail', '', $response ); return new WP_Error( 'transaction_fail', '', $response );
} }
$response = array(
'setting_validities' => $setting_validities,
);
// Obtain/merge data for changeset. // Obtain/merge data for changeset.
$original_changeset_data = $this->get_changeset_post_data( $changeset_post_id ); $original_changeset_data = $this->get_changeset_post_data( $changeset_post_id );
$data = $original_changeset_data; $data = $original_changeset_data;
@ -2105,14 +2104,21 @@ final class WP_Customize_Manager {
// Remove setting from changeset entirely. // Remove setting from changeset entirely.
unset( $data[ $changeset_setting_id ] ); unset( $data[ $changeset_setting_id ] );
} else { } else {
// Merge any additional setting params that have been supplied with the existing params.
if ( ! isset( $data[ $changeset_setting_id ] ) ) { if ( ! isset( $data[ $changeset_setting_id ] ) ) {
$data[ $changeset_setting_id ] = array(); $data[ $changeset_setting_id ] = array();
} }
// Merge any additional setting params that have been supplied with the existing params.
$merged_setting_params = array_merge( $data[ $changeset_setting_id ], $setting_params );
// Skip updating setting params if unchanged (ensuring the user_id is not overwritten).
if ( $data[ $changeset_setting_id ] === $merged_setting_params ) {
continue;
}
$data[ $changeset_setting_id ] = array_merge( $data[ $changeset_setting_id ] = array_merge(
$data[ $changeset_setting_id ], $merged_setting_params,
$setting_params,
array( array(
'type' => $setting->type, 'type' => $setting->type,
'user_id' => $args['user_id'], 'user_id' => $args['user_id'],
@ -2220,6 +2226,10 @@ final class WP_Customize_Manager {
remove_filter( 'wp_save_post_revision_post_has_changed', array( $this, '_filter_revision_post_has_changed' ) ); remove_filter( 'wp_save_post_revision_post_has_changed', array( $this, '_filter_revision_post_has_changed' ) );
$response = array(
'setting_validities' => $setting_validities,
);
if ( is_wp_error( $r ) ) { if ( is_wp_error( $r ) ) {
$response['changeset_post_save_failure'] = $r->get_error_code(); $response['changeset_post_save_failure'] = $r->get_error_code();
return new WP_Error( 'changeset_post_save_failure', '', $response ); return new WP_Error( 'changeset_post_save_failure', '', $response );

2
wp-includes/version.php
View File

@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.7-beta4-39319'; $wp_version = '4.7-beta4-39320';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.