- Comments: Prevent users who can not see a post from seeing comments on it.
- Shortcodes: Restrict media shortcode ajax to certain type.
- REST API: Ensure no-cache headers are sent when methods are overridden.
- REST API: Limit `search_columns` for users without `list_users`.
- Prevent unintended behavior when certain objects are unserialized.
Merges [56833], [56834], [56835], [56836], and [56838] to the 5.0 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.
Built from https://develop.svn.wordpress.org/branches/5.0@56871
git-svn-id: http://core.svn.wordpress.org/branches/5.0@56382 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update wp_kses_bad_protocol() to recognize : on uri attributes,
wp_kses_bad_protocol() makes sure to validate that uri attributes don't contain invalid/or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.
Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.
Built from https://develop.svn.wordpress.org/branches/5.0@46915
git-svn-id: http://core.svn.wordpress.org/branches/5.0@46715 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Skips validation where there is no attribute definition, but keeps the attribute value. Previously, the attribute would be omitted from the attributes passed to `render_callback`. Notably, this resolves an issue where `render_callback` cannot receive a block's `align` and `customClassName` attribute values, since these are defined as a client-side filter.
* Validates `null` as a proper value in its own right. Previously, a client implementation of a block could track `{"attribute":null}` as an explicitly empty value, and the server would wrongly initiate defaulting behavior. The new behavior will now only populate a default value if the attribute is not defined at all, including when unset in its being invalid per the attribute schema.
Props aduth, noisysocks, youknowriad.
See #45145 for the patch, #45098 for the original ticket.
Built from https://develop.svn.wordpress.org/branches/5.0@43918
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43750 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [43736], we prevented rendering fields when not present in `?_fields=`. However, because `get_fields_for_response()` is dependent on `get_item_schema()`, any custom fields registered with a null schema would be incorrectly excluded from the response. Because the REST API permits a null schema for `register_rest_field()`, those fields should be included in the available fields for a response.
Fixes#45220.
Built from https://develop.svn.wordpress.org/branches/5.0@43908
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43740 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When 'parent' is set as the path argument name, it gets passed down through to the `create_item()` method and can erroneously reset the 'parent' value on the post itself. Instead, we rename the argument to 'id' and replicate the revision controller's `get_items_permissions_check()` to instead reference 'id'.
Also ensures revision query params (of which there are many) aren't exposed as the query params for autosaves (of which there are two).
Props TimothyBlynJacobs.
See #43316.
Built from https://develop.svn.wordpress.org/branches/5.0@43897
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43729 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Responsive embeds is a way for a theme to opt in to WordPress dynamically scaling the width/height of an embed. When a theme supports responsive embeds, a `wp-embed-responsive` class is added to the `<body>` tag. This information is also presented through the REST API for clients to respect.
Props desrosj.
Fixes#45125.
Built from https://develop.svn.wordpress.org/branches/5.0@43790
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43619 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Narrow the scope of the included wp-admin files loaded for `wp_generate_attachment_metadata()`, `wp_handle_upload()`, `wp_tempnam()`, and `wp_handle_sideload()`. Requires only `wp-admin/includes/file.php` and `wp-admin/includes/image.php` instead of `wp-admin/includes/admin.php`.
Props ocean90, lonelyvegan, soulseekah, pratikthink.
Merges [43589], [43604] to the 5.0 branch.
Fixes#43757.
Built from https://develop.svn.wordpress.org/branches/5.0@43773
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43602 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Adds `WP_REST_Autosaves_Controller` which extends `WP_REST_Revisions_Controller`.
* Autosaves endpoint is registered for all post types except `attachment` because even post types without revisions enabled are expected to autosave.
* Because setting the `DOING_AUTOSAVE` constant pollutes the test suite, autosaves tests are run last. We may want to improve upon this later.
Props adamsilverstein, aduth, azaozz, danielbachhuber, rmccue.
Fixes#43316.
Built from https://develop.svn.wordpress.org/branches/5.0@43768
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43597 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The 409 error code is intended for situations where it is expected that the user will resolve the conflict and resubmit the same request. We use 400 error codes for other routes when a duplicate request is made. The 400 status code tells the user they need to modify their request for it to be successful.
Props shooper.
Merges [42354] to the 5.0 branch.
Fixes#42781. See #41370.
Built from https://develop.svn.wordpress.org/branches/5.0@43756
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43585 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The permissions error message when a request tries to fetch post statuses unauthenticated is incorrect. It was a copy/paste from elsewhere, as indicated by the use of "in this post type" where this is no post type referenced.
Props schlessera.
Merges [42356] to the 5.0 branch.
Fixes#42303.
Built from https://develop.svn.wordpress.org/branches/5.0@43755
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43584 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduces a `WP_REST_Search_Controller` class which registers a `/wp/v2/search` endpoint. Search types are handled by extending `WP_REST_Search_Handler`. The default search type is `WP_REST_Post_Search_Handler` but can be filtered by plugins or a theme.
Props danielbachhuber, flixos90, pento, rmccue.
Fixes#39965.
Built from https://develop.svn.wordpress.org/branches/5.0@43739
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43568 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In order for clients to present permalink previews, the REST API must share the computed results of `get_sample_permalink()`. These two values are now exposed as `permalink_template` and `generated_slug` for public, viewable post types, but only for `context=edit`.
Props danielbachhuber, rahulsprajapati.
Fixes#45017.
Built from https://develop.svn.wordpress.org/branches/5.0@43720
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43549 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The original REST API revisions controller relied on `wp_get_post_revisions()`, getting all revisions of a post without any possibility to restrict the result. This changeset replaces that function call with a proper `WP_Query` setup, replicating how `wp_get_post_revisions()` works while offering parameters to alter the default behavior.
Props adamsilverstein, birgire, flixos90.
Merges [43584-43586], [43647] to the 5.0 branch.
Fixes#40510.
Built from https://develop.svn.wordpress.org/branches/5.0@43716
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43545 1a063a9b-81f0-0310-95a4-ce76da25c4cd
An authorized request with the `read_private_posts` capability for a post type should be able to `GET /wp/v2/posts` for posts of `status=private`. This query is further sanity-checked by `WP_REST_Posts_Controller->check_read_permission()`, which is unchanged.
Props rachelbaker, soulseekah, twoelevenjay.
Fixes#43701.
Built from https://develop.svn.wordpress.org/branches/5.0@43694
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43523 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Because user capabilities can be modified at runtime, the REST API needs to expose them in some evaluated but declarative manner for clients to interpret. JSON Hyper Schema `targetSchema` provides an appropriate paradigm for doing so.
Props timothyblynjacobs.
Fixes#45014.
Built from https://develop.svn.wordpress.org/branches/5.0@43682
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43511 1a063a9b-81f0-0310-95a4-ce76da25c4cd
For Gutenberg and other admin-type interfaces, it's
useful to be able to see the visibility settings for
taxonomies.
The original changeset was partially included in [43445].
Merges [42729], [42730], [42973] to the 5.0 branch.
Props joehoyle, TimothyBlynJacobs, pento.
Fixes#42707
Built from https://develop.svn.wordpress.org/branches/5.0@43680
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43509 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduce an object_subtype argument to the args array for register_meta() which can be used to limit meta registration to a single subtype (e.g. a custom post type or taxonomy, vs all posts or taxonomies).
Introduce register_post_meta() and register_term_meta() wrapper methods for register_meta to provide a convenient interface for the common case of registering meta for a specific taxonomy or post type. These methods work the way plugin developers have often expected register_meta to function, and should be used in place of direct register_meta where possible.
Props flixos90, tharsheblows, spacedmonkey.
Merges [43378] to the 4.9 branch.
Fixes#38323.
Built from https://develop.svn.wordpress.org/branches/4.9@43510
git-svn-id: http://core.svn.wordpress.org/branches/4.9@43339 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Historically, the REST API would generate the entire response object, including running expensive filters, then it would apply the `_fields` parameter, discarding the fields that weren't specificed.
This change causes `_fields` to be applied earlier, so that only requested fields are processed.
Merges [43087] to the 4.9 branch.
Props danielbachhuber.
See #43874.
Built from https://develop.svn.wordpress.org/branches/4.9@43445
git-svn-id: http://core.svn.wordpress.org/branches/4.9@43272 1a063a9b-81f0-0310-95a4-ce76da25c4cd
So that REST API clients can show appropriate UI for a post's revisions, it needs to know how many revisions the post has, and what the latest revision ID is.
Merge of [43439] and [43441] to the 4.9 branch.
Props kadamwhite, danielbachhuber, birgire, TimothyBlynJacobs, pento.
Fixes#44321.
Built from https://develop.svn.wordpress.org/branches/4.9@43442
git-svn-id: http://core.svn.wordpress.org/branches/4.9@43269 1a063a9b-81f0-0310-95a4-ce76da25c4cd
There are a variety of operations a WordPress user can only perform if they have the correct capabilities. A REST API client should only display UI for one of these operations if the WordPress user can perform the operation.
Rather than requiring REST API clients to calculate whether to display UI based on potentially complicated combinations of user capabilities, `targetSchema` allows us to expose a single flag to show whether the corresponding UI should be displayed.
This change also includes flags on post objects for the following actions:
- `action-publish`: The current user can publish this post.
- `action-sticky`: The current user can make this post sticky, and the post type supports sticking.
- `action-assign-author': The current user can change the author on this post.
- `action-assign-{$taxonomy}`: The current user can assign terms from the "$taxonomy" taxonomy to this post.
- `action-create-{$taxonomy}`: The current user can create terms int the "$taxonomy" taxonomy.
Merges [43437] to the 4.9 branch.
Props TimothyBlynJacobs, danielbachhuber.
Fixes#44287.
Built from https://develop.svn.wordpress.org/branches/4.9@43438
git-svn-id: http://core.svn.wordpress.org/branches/4.9@43265 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Any WordPress user who can `edit_posts` of a post type with `show_in_rest=true` can query for authors. This maps to current WordPress behavior where a WordPress user who can view the Manage Posts view for a post type can see any WordPress user assigned to a post (whether published or draft).
This implementation, over restricting `who=authors` to users with `list_users`, gives us future flexibility in displaying lists of posts. It still respects more restrictive permissions for `context=edit`.
Props danielbachhuber.
Merges [43001] to the 4.9 branch.
Fixes#42202.
Built from https://develop.svn.wordpress.org/branches/4.9@43067
git-svn-id: http://core.svn.wordpress.org/branches/4.9@42896 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In r41727 the ability to sanitise and validate objects from JSON schema was added, with a whitelist approach. It was decided we should pass through all non-registered properties to reflect the behaviour of the root object in register_rest_route. To prevent arbitrary extra data via setting objects, we force additionalProperties to false in the settings endpoint.
See #38583.
Built from https://develop.svn.wordpress.org/trunk@42000
git-svn-id: http://core.svn.wordpress.org/trunk@41834 1a063a9b-81f0-0310-95a4-ce76da25c4cd