Commit Graph

56 Commits

Author SHA1 Message Date
davidbaumwald 69e59764eb Grouped backports to the 4.6 branch.
- Comments: Prevent users who can not see a post from seeing comments on it.
- Shortcodes: Restrict media shortcode ajax to certain type.
- REST API: Ensure no-cache headers are sent when methods are overridden.
- Prevent unintended behavior when certain objects are unserialized.

Merges [56834], [56835], [56836], and [56838] to the 4.6 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.
Built from https://develop.svn.wordpress.org/branches/4.6@56859


git-svn-id: http://core.svn.wordpress.org/branches/4.6@56370 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-10-12 18:10:52 +00:00
Dominik Schilling 97bf32c66a Text Changes: Unify/merge two more permission error messages.
Props ramiy.
Fixes #34521.
Built from https://develop.svn.wordpress.org/trunk@38037


git-svn-id: http://core.svn.wordpress.org/trunk@37978 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-07-12 11:45:29 +00:00
Rachel Baker e5fcbb3514 REST API: Reverse order of setting sanitization/validation, validating prior to sanitizing.
Fixes mistake in the current behavior, where the sanitization callback ran before the validation callback. Now the validation callback will run before the sanitization.

Props schlessera, rachelbaker.
See #37247.
Fixes #37192.



Built from https://develop.svn.wordpress.org/trunk@37943


git-svn-id: http://core.svn.wordpress.org/trunk@37884 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-07-02 23:03:27 +00:00
Rachel Baker a475d0a161 REST API: Include auto-discovery Link header when serving API requests.
The Link header allows clients to verify if a site has made the REST API available, as well as indicating how to access it.

Props danielbachhuber.
Fixes #35580.



Built from https://develop.svn.wordpress.org/trunk@37903


git-svn-id: http://core.svn.wordpress.org/trunk@37844 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-29 01:57:55 +00:00
Rachel Baker 228c60a222 REST API: Include X-Robots-Tag: noindex header in REST API responses to prevent endpoints from being indexed by search engines.
Prevent duplicate content issues with search engines and REST API endpoint response data.

Fixes #36390.
Props m_uysl for the initial patch.
Built from https://develop.svn.wordpress.org/trunk@37726


git-svn-id: http://core.svn.wordpress.org/trunk@37692 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-16 14:59:28 +00:00
Peter Wilson 47d26cd9fb DOCS: Replace HTTP links with HTTPS.
Replaces unsecure links in documentation and translator comments with their secure versions.

Props johnpgreen, netweb

Fixes #36993

Built from https://develop.svn.wordpress.org/trunk@37674


git-svn-id: http://core.svn.wordpress.org/trunk@37640 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-10 04:50:33 +00:00
Rachel Baker 99cca27041 REST API: Create the general `wp_check_jsonp_callback()` function for validating JSONP callback functions.
Move the REST API JSONP callback validation check into a separate function named `wp_check_jsonp_callback()`. This allows plugins to use the built-in validation when handling JSONP callbacks.
Extremely Important Note: If you send JSONP in your custom response, make sure you prefix the response with `/**/`. This will mitigate the Rosetta Flash exploit. You should also send the `X-Content-Type-Options:nosniff` header, or even better, use the REST API infrastructure.

Props rmccue.
Fixes #28523.
Built from https://develop.svn.wordpress.org/trunk@37646


git-svn-id: http://core.svn.wordpress.org/trunk@37612 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-06 21:34:28 +00:00
Drew Jaynes f03eef071e Docs: Standardize hook docs in wp-includes/rest-api/* to use third-person singular verbs per the inline documentation standards for PHP.
See #36913.

Built from https://develop.svn.wordpress.org/trunk@37490


git-svn-id: http://core.svn.wordpress.org/trunk@37458 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-22 18:08:29 +00:00
Drew Jaynes b1804afeaf Docs: Standardize on 'backward compatibility/compatible' nomenclature in core inline docs.
Also use 'back-compat' in some inline comments where backward compatibility is the subject and shorthand feels more natural.

Note: 'backwards compatibility/compatibile' can also be considered correct, though it's primary seen in regular use in British English.

Props ocean90.
Fixes #36835.

Built from https://develop.svn.wordpress.org/trunk@37431


git-svn-id: http://core.svn.wordpress.org/trunk@37397 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-13 18:41:31 +00:00
Drew Jaynes fe3b007fdd Docs: Remove inline `@see` tags from function, class, and method references in inline docs.
Known functions, classes, and methods are now auto-linked in Code Reference pages following #meta1483.

Note: Hook references are still linked via inline `@see` tags due to the unlikelihood of reliably matching for known hooks based on a RegEx pattern.

See #32246.

Built from https://develop.svn.wordpress.org/trunk@37342


git-svn-id: http://core.svn.wordpress.org/trunk@37308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-02 04:00:28 +00:00
Mark Jaquith 31152de134 REST API: Deliver parameters unadulterated instead of slashed.
We goofed, and parameters accessed through the REST API's methods
were slashed (inconsistently, even). This unslashes the data, so
you get the un-messed-with data that was sent.

Props joehoyle.
Fixes #36419.
Built from https://develop.svn.wordpress.org/trunk@37163


git-svn-id: http://core.svn.wordpress.org/trunk@37130 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-04-06 21:02:28 +00:00
Joe Hoyle a07988c1c5 REST API: Provide better method for generating CURIEs
In [36533] CURIEs were added to the API responses for the link relation URIs, this makes
it a lot easier for clients to look up links by relation. That patch was functional, but
broke on edge cases such as embedded responses and collection items with links in the items.

This patch instead takes a less obtrusive approach by creating a new `get_compact_response_links`
to compliment `get_response_links` making both old and new functionality available.

Also the regex for curie relations has been relaxed to `.+` as rel names can have any uri-valid charector in it.

Fixes #34729.


Built from https://develop.svn.wordpress.org/trunk@37041


git-svn-id: http://core.svn.wordpress.org/trunk@37008 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-22 00:16:27 +00:00
Rachel Baker 6edbcc88ff REST API: Add `home_url` to API index to avoid confusion with `site_url`.
Confusion abound, the API index is the generic term `url` to display the `site_url`. New `home` key will display the `home_url` in the index as well.

Fixes #35647.
Built from https://develop.svn.wordpress.org/trunk@37031


git-svn-id: http://core.svn.wordpress.org/trunk@36998 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-17 19:16:29 +00:00
Rachel Baker 76d14c1d24 REST API: Remove unused variable `$api_root` from WP_Rest_Server->embed_links() method.
After [r36674] the variable `$api_root` is no longer used in this method and should be removed.

See #35803.
Built from https://develop.svn.wordpress.org/trunk@37021


git-svn-id: http://core.svn.wordpress.org/trunk@36988 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-16 21:41:28 +00:00
Drew Jaynes a65c79b3d2 Docs: Use a third-person singular verb in the DocBlock summary for `WP_REST_Response::get_curies()`, introduced in [36533].
Also adds a missing return description.

See #34729. See #35986.

Built from https://develop.svn.wordpress.org/trunk@37015


git-svn-id: http://core.svn.wordpress.org/trunk@36982 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-16 16:54:26 +00:00
Drew Jaynes ddf7375217 Docs: Improve parameter description syntax in the hook doc for the `rest_request_from_url` filter, introduced in [36673].
See #35803. See #35986,

Built from https://develop.svn.wordpress.org/trunk@37014


git-svn-id: http://core.svn.wordpress.org/trunk@36981 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-16 16:52:27 +00:00
Drew Jaynes 408da605e4 Docs: Improve the DocBlock for `WP_REST_Request::from_url()`, introduced in [36673].
See #35803. See #35986.

Built from https://develop.svn.wordpress.org/trunk@37013


git-svn-id: http://core.svn.wordpress.org/trunk@36980 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-16 16:50:27 +00:00
Ryan McCue 937b0c3241 REST API: Use WP_REST_Request::from_url() when embedding.
See #35803.

Built from https://develop.svn.wordpress.org/trunk@36674


git-svn-id: http://core.svn.wordpress.org/trunk@36641 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-24 04:20:25 +00:00
Ryan McCue 0b7e133054 REST API: Add WP_REST_Request::from_url()
Allows converting a REST URL into a Request object.

Props danielbachhuber.
Fixes #35803.

Built from https://develop.svn.wordpress.org/trunk@36673


git-svn-id: http://core.svn.wordpress.org/trunk@36640 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-24 04:01:26 +00:00
Drew Jaynes a0aa608970 Docs: Improve documentation for `WP_REST_Request` to highlight a caveat of ArrayAccess when it comes to passing similar arguments for multiple request methods.
Props danielbachhuber, DrewAPicture.
Fixes #35799.

Built from https://develop.svn.wordpress.org/trunk@36636


git-svn-id: http://core.svn.wordpress.org/trunk@36603 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-23 16:57:26 +00:00
Rachel Baker 9fdb970ceb Docs: Add missing @since and @access tags to `get_curies` method and filter from r36533
See #34729, #32246.
Built from https://develop.svn.wordpress.org/trunk@36593


git-svn-id: http://core.svn.wordpress.org/trunk@36560 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-19 23:42:27 +00:00
Drew Jaynes e020ccd081 Docs: Add formatting to a changelog entry in the hook doc for the `rest_dispatch_request` filter.
See [36534]. See #32246.

Built from https://develop.svn.wordpress.org/trunk@36576


git-svn-id: http://core.svn.wordpress.org/trunk@36543 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-18 18:18:25 +00:00
Ryan McCue 3e65236aa7 REST API: Apply rest_post_dispatch to embedded responses.
Fixes #35628.
Props @danielbachhuber.

Built from https://develop.svn.wordpress.org/trunk@36536


git-svn-id: http://core.svn.wordpress.org/trunk@36503 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-16 06:06:27 +00:00
Ryan McCue 03ba67a0b7 REST API: Allow explicit HEAD callbacks.
HEAD callbacks can now be registered independently, with the GET
callback still used as a fallback.

Fixes #34841.

Built from https://develop.svn.wordpress.org/trunk@36535


git-svn-id: http://core.svn.wordpress.org/trunk@36502 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-16 05:51:26 +00:00
Ryan McCue 0438795671 REST API: Add routing args to rest_dispatch_request filter.
This allows requests to be hijacked via the filter more easily.

Fixes #35507.

Built from https://develop.svn.wordpress.org/trunk@36534


git-svn-id: http://core.svn.wordpress.org/trunk@36501 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-16 04:40:26 +00:00
Ryan McCue 47bee5157b REST API: Add support for CURIEs.
CURIEs are Compact URIs, which provide a more usable way to use
custom relations in the API. The `wp` CURIE is registered by default
for `https://api.w.org/` URI relations.

Fixes #34729.
Props joehoyle.

Built from https://develop.svn.wordpress.org/trunk@36533


git-svn-id: http://core.svn.wordpress.org/trunk@36500 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-16 02:19:27 +00:00
Joe Hoyle ee94a28953 REST API: Improve formatting of failed validation errors.
If a validation_callback returns a WP_Error it should give the same response format as if it returned `false`. This makes programmatically reading the validation errors better.

Props bradyvercher for initial patch.
Fixes #35028.

Built from https://develop.svn.wordpress.org/trunk@35890


git-svn-id: http://core.svn.wordpress.org/trunk@35854 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-12 18:23:28 +00:00
Scott Taylor 4ae83ec7ec REST API: Core typically sends nocache headers on all auth'ed responses, as in `wp`, `admin-ajax`, etc. Because the REST API infrastructure is hooked in pre-wp, we should be setting this ourselves.
Adds unit tests.

Props joehoyle.
Fixes #34832.

Built from https://develop.svn.wordpress.org/trunk@35773


git-svn-id: http://core.svn.wordpress.org/trunk@35737 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-04 23:36:25 +00:00
Mark Jaquith 6cc98e6fcd Route HEAD API requests through the GET callback method
fixes #34837
props danielbachhuber
Built from https://develop.svn.wordpress.org/trunk@35758


git-svn-id: http://core.svn.wordpress.org/trunk@35722 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-03 16:34:25 +00:00
Ryan McCue d1436af513 REST API: Unabbreviate error string.
Props daniel-koskinen.
Fixes #34818.

Built from https://develop.svn.wordpress.org/trunk@35750


git-svn-id: http://core.svn.wordpress.org/trunk@35714 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-30 09:51:27 +00:00
Ryan McCue 7ce9772866 REST API: Mark WP_REST_Server::get_raw_data as static.
This is just a utility function for getting the request body, not
tied to the server class.

Fixes #34768.

Built from https://develop.svn.wordpress.org/trunk@35741


git-svn-id: http://core.svn.wordpress.org/trunk@35705 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-25 22:22:25 +00:00
Andrew Nacin 1579e45d41 Simplify the include graph after work to split out classes.
see #33413. More details there.

Built from https://develop.svn.wordpress.org/trunk@35718


git-svn-id: http://core.svn.wordpress.org/trunk@35682 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-20 07:24:30 +00:00
John Blackbourn 16502d03f2 Remove `register_api_field()` from core. This is the only core function that utilises the `$wp_rest_additional_fields` global, and doesn't belong as part of the infrastructure.
See https://github.com/WP-API/WP-API/pull/1748

Fixes #34730

Built from https://develop.svn.wordpress.org/trunk@35687


git-svn-id: http://core.svn.wordpress.org/trunk@35651 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-18 20:39:26 +00:00
John Blackbourn 407f641cf3 Update `WP_REST_Response::as_error()` to handle the new format error responses introduced in [35653].
Props danielbachhuber
Fixes #34551

Built from https://develop.svn.wordpress.org/trunk@35671


git-svn-id: http://core.svn.wordpress.org/trunk@35635 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-18 18:29:26 +00:00
Ryan McCue 0801acbdd8 REST API: Remove redundant "0" parameter.
This is just an artifact of how we parse the URL, and is already available
via $request->get_route()

Props danielbachhuber.
Fixes #34647.

Built from https://develop.svn.wordpress.org/trunk@35659


git-svn-id: http://core.svn.wordpress.org/trunk@35623 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-18 07:24:28 +00:00
Ryan McCue 81ffd2492c REST API: Optimise for singular error instances.
Previously, the API returned a list of errors, as WP_Error can hold multiple
error codes internally. This isn't a particularly common use case, and it
makes handling errors on the client side more complex than it needs to be.

Fixes #34551.

Built from https://develop.svn.wordpress.org/trunk@35653


git-svn-id: http://core.svn.wordpress.org/trunk@35617 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-17 04:12:26 +00:00
Ryan McCue 9524ebb38e REST API: Include enum and description in help data.
Props lcherpit.
Fixes #34543.

Built from https://develop.svn.wordpress.org/trunk@35652


git-svn-id: http://core.svn.wordpress.org/trunk@35616 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-17 02:49:28 +00:00
Ryan McCue b03e036e94 REST API: Require namespace when registering routes.
Props danielbachhuber.
Fixes #34416.

Built from https://develop.svn.wordpress.org/trunk@35651


git-svn-id: http://core.svn.wordpress.org/trunk@35615 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-17 02:39:30 +00:00
Ryan McCue b0ee5efef2 REST API: Change link relations to api.w.org
Fixes #34303.

Built from https://develop.svn.wordpress.org/trunk@35650


git-svn-id: http://core.svn.wordpress.org/trunk@35614 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-17 02:24:27 +00:00
Dominik Schilling 5403b62a6a REST API: Use correct `@access` tag for `WP_REST_Request->get_parameter_order()`.
Props Frozzare.
Fixes #34624.
Built from https://develop.svn.wordpress.org/trunk@35612


git-svn-id: http://core.svn.wordpress.org/trunk@35576 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-11 19:39:25 +00:00
Scott Taylor 16637eeee4 REST API: in `WP_REST_Server::dispatch()`, move `preg_match()` out of it's current loop, which doesn't affect the context passed to it.
Props TobiasBg.
Fixes #34488.

Built from https://develop.svn.wordpress.org/trunk@35514


git-svn-id: http://core.svn.wordpress.org/trunk@35478 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-04 21:23:25 +00:00
Scott Taylor a36900c076 REST API: remove the `@internal` annotation from `rest_api_default_filters()`.
Props swissspidy, rachelbaker.
Fixes #34219.

Built from https://develop.svn.wordpress.org/trunk@35474


git-svn-id: http://core.svn.wordpress.org/trunk@35438 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-31 20:08:25 +00:00
John Blackbourn 37c2054778 Remove trailing whitespace introduced in [35351].
Props rachelbaker
Unprops johnbillion
Fixes #34512

Built from https://develop.svn.wordpress.org/trunk@35462


git-svn-id: http://core.svn.wordpress.org/trunk@35426 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-30 21:39:25 +00:00
Sergey Biryukov 5d9dc4b8bf REST API: Use correct version in `_doing_it_wrong()` call.
Props TobiasBg.
Fixes #34490.
Built from https://develop.svn.wordpress.org/trunk@35434


git-svn-id: http://core.svn.wordpress.org/trunk@35398 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-29 20:12:24 +00:00
Sergey Biryukov e7082e31dd REST API: Add missing translator comments for deprecated function and argument strings.
Props akirk.
Fixes #34486.
Built from https://develop.svn.wordpress.org/trunk@35433


git-svn-id: http://core.svn.wordpress.org/trunk@35397 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-29 19:04:26 +00:00
Scott Taylor 31e0b06125 REST API: don't load `wp-admin/includes/admin.php` on every request.
Props swissspidy.
Fixes #34395.

Built from https://develop.svn.wordpress.org/trunk@35353


git-svn-id: http://core.svn.wordpress.org/trunk@35319 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-22 16:29:28 +00:00
John Blackbourn 7757d04ce3 Force the REST API URL to use `https` for its scheme when the current request is served over HTTPS and the host name matches that of the REST API URL.
This allows sites to use an admin area over HTTPS with the front end over HTTP, and not end up with a cross-protocol problem when using the REST API URL in the admin area.

Fixes #34299

Built from https://develop.svn.wordpress.org/trunk@35351


git-svn-id: http://core.svn.wordpress.org/trunk@35317 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-22 00:08:26 +00:00
John Blackbourn e552b77739 Revert [34352], pending investigation.
See #34299

Built from https://develop.svn.wordpress.org/trunk@35349


git-svn-id: http://core.svn.wordpress.org/trunk@35315 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-21 23:06:30 +00:00
John Blackbourn f7f5b64a7e Force the REST API URL to use `https` for its scheme when the current request is served over HTTPS and the host name matches that of the REST API URL.
This allows sites to use an admin area over HTTPS with the front end over HTTP, and not end up with a cross-protocol problem when using the REST API URL in the admin area.

Fixes #34299

Built from https://develop.svn.wordpress.org/trunk@35342


git-svn-id: http://core.svn.wordpress.org/trunk@35308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-21 20:38:50 +00:00
Drew Jaynes 6a51505a23 Docs: Improve the return description in the DocBlock for `rest_send_allow_header()`.
Props danielbachhuber.
Fixes #34374.

Built from https://develop.svn.wordpress.org/trunk@35324


git-svn-id: http://core.svn.wordpress.org/trunk@35290 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-21 13:48:27 +00:00