Grouped merges for 4.9.17.

* REST API: Allow authors to read their own password protected posts.
* About page update

Merges [50717] to the 4.9 branch.


Built from https://develop.svn.wordpress.org/branches/4.9@50732


git-svn-id: http://core.svn.wordpress.org/branches/4.9@50341 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Peter Wilson 2021-04-15 01:13:54 +00:00
parent 124bbbc653
commit ac28cd61cf
2 changed files with 74 additions and 7 deletions

View File

@ -33,6 +33,26 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
<div class="changelog point-releases">
<h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
<p>
<?php
printf(
/* translators: %s: WordPress version number */
__( '<strong>Version %s</strong> addressed some security issues.' ),
'4.9.17'
);
?>
<?php
printf(
/* translators: %s: HelpHub URL */
__( 'For more information, see <a href="%s">the release notes</a>.' ),
sprintf(
/* translators: %s: WordPress version */
esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
sanitize_title( '4.9.17' )
)
);
?>
</p>
<p>
<?php
printf(

View File

@ -32,6 +32,14 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
*/
protected $meta;
/**
* Passwordless post access permitted.
*
* @since 5.7.1
* @var int[]
*/
protected $password_check_passed = array();
/**
* Constructor.
*
@ -137,6 +145,38 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
return true;
}
/**
* Override the result of the post password check for REST requested posts.
*
* Allow users to read the content of password protected posts if they have
* previously passed a permission check or if they have the `edit_post` capability
* for the post being checked.
*
* @since 5.7.1
*
* @param bool $required Whether the post requires a password check.
* @param WP_Post $post The post been password checked.
* @return bool Result of password check taking in to account REST API considerations.
*/
public function check_password_required( $required, $post ) {
if ( ! $required ) {
return $required;
}
$post = get_post( $post );
if ( ! $post ) {
return $required;
}
if ( ! empty( $this->password_check_passed[ $post->ID ] ) ) {
// Password previously checked and approved.
return false;
}
return ! current_user_can( 'edit_post', $post->ID );
}
/**
* Retrieves a collection of posts.
*
@ -292,7 +332,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
// Allow access to all password protected posts if the context is edit.
if ( 'edit' === $request['context'] ) {
add_filter( 'post_password_required', '__return_false' );
add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
}
$posts = array();
@ -308,7 +348,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
// Reset filter.
if ( 'edit' === $request['context'] ) {
remove_filter( 'post_password_required', '__return_false' );
remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
}
$page = (int) $query_args['paged'];
@ -406,7 +446,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
// Allow access to all password protected posts if the context is edit.
if ( 'edit' === $request['context'] ) {
add_filter( 'post_password_required', '__return_false' );
add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
}
if ( $post ) {
@ -434,8 +474,14 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
return false;
}
// Edit context always gets access to password-protected posts.
if ( 'edit' === $request['context'] ) {
/*
* Users always gets access to password protected content in the edit
* context if they have the `edit_post` meta capability.
*/
if (
'edit' === $request['context'] &&
current_user_can( 'edit_post', $post->ID )
) {
return true;
}
@ -1485,8 +1531,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
$has_password_filter = false;
if ( $this->can_access_password_content( $post, $request ) ) {
$this->password_check_passed[ $post->ID ] = true;
// Allow access to the post, permissions already checked before.
add_filter( 'post_password_required', '__return_false' );
add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
$has_password_filter = true;
}
@ -1512,7 +1559,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
if ( $has_password_filter ) {
// Reset filter.
remove_filter( 'post_password_required', '__return_false' );
remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
}
if ( in_array( 'author', $fields, true ) ) {