Customize: Ensure `customize_autosaved` requests only use revision of logged-in user.

Props dlh, westonruter.
See #42433, #39896.
Fixes #42450.

Built from https://develop.svn.wordpress.org/trunk@42615


git-svn-id: http://core.svn.wordpress.org/trunk@42444 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Weston Ruter 2018-01-30 00:21:30 +00:00
parent 86434ebca4
commit c6013a2b87
2 changed files with 16 additions and 7 deletions

View File

@ -1141,7 +1141,7 @@ final class WP_Customize_Manager {
if ( ! $changeset_post_id ) { if ( ! $changeset_post_id ) {
$this->_changeset_data = array(); $this->_changeset_data = array();
} else { } else {
if ( $this->autosaved() ) { if ( $this->autosaved() && is_user_logged_in() ) {
$autosave_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() ); $autosave_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
if ( $autosave_post ) { if ( $autosave_post ) {
$data = $this->get_changeset_post_data( $autosave_post->ID ); $data = $this->get_changeset_post_data( $autosave_post->ID );
@ -2902,12 +2902,14 @@ final class WP_Customize_Manager {
$post_array['edit_date'] = true; // Prevent date clearing. $post_array['edit_date'] = true; // Prevent date clearing.
$r = wp_update_post( wp_slash( $post_array ), true ); $r = wp_update_post( wp_slash( $post_array ), true );
// Delete autosave revision when the changeset is updated. // Delete autosave revision for user when the changeset is updated.
$autosave_draft = wp_get_post_autosave( $changeset_post_id, get_current_user_id() ); if ( ! empty( $args['user_id'] ) ) {
$autosave_draft = wp_get_post_autosave( $changeset_post_id, $args['user_id'] );
if ( $autosave_draft ) { if ( $autosave_draft ) {
wp_delete_post( $autosave_draft->ID, true ); wp_delete_post( $autosave_draft->ID, true );
} }
} }
}
} else { } else {
$r = wp_insert_post( wp_slash( $post_array ), true ); $r = wp_insert_post( wp_slash( $post_array ), true );
if ( ! is_wp_error( $r ) ) { if ( ! is_wp_error( $r ) ) {
@ -3548,6 +3550,11 @@ final class WP_Customize_Manager {
* @since 4.9.0 * @since 4.9.0
*/ */
public function handle_dismiss_autosave_or_lock_request() { public function handle_dismiss_autosave_or_lock_request() {
// Calls to dismiss_user_auto_draft_changesets() and wp_get_post_autosave() require non-zero get_current_user_id().
if ( ! is_user_logged_in() ) {
wp_send_json_error( 'unauthenticated', 401 );
}
if ( ! $this->is_preview() ) { if ( ! $this->is_preview() ) {
wp_send_json_error( 'not_preview', 400 ); wp_send_json_error( 'not_preview', 400 );
} }
@ -4649,7 +4656,9 @@ final class WP_Customize_Manager {
$changeset_post_id = $this->changeset_post_id(); $changeset_post_id = $this->changeset_post_id();
if ( ! $this->saved_starter_content_changeset && ! $this->autosaved() ) { if ( ! $this->saved_starter_content_changeset && ! $this->autosaved() ) {
if ( $changeset_post_id ) { if ( $changeset_post_id ) {
if ( is_user_logged_in() ) {
$autosave_revision_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() ); $autosave_revision_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
}
} else { } else {
$autosave_autodraft_posts = $this->get_changeset_posts( $autosave_autodraft_posts = $this->get_changeset_posts(
array( array(

View File

@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '5.0-alpha-42614'; $wp_version = '5.0-alpha-42615';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.