Commit Graph

289 Commits

Author SHA1 Message Date
davidbaumwald 7587053972 Grouped backports to the 5.0 branch.
- Comments: Prevent users who cannot see a post from seeing comments on it.
- Shortcodes: Restrict media shortcode ajax to certain type.
- REST API: Ensure no-cache headers are sent when methods are overridden.
- REST API: Limit `search_columns` for users without `list_users`.
- Prevent unintended behavior when certain objects are unserialized.

Merges [56833], [56834], [56835], [56836], and [56838] to the 5.0 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.
Built from https://develop.svn.wordpress.org/branches/5.0@56871


git-svn-id: http://core.svn.wordpress.org/branches/5.0@56382 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-10-12 18:19:31 +00:00
Sergey Biryukov 892fb39abc Grouped backports to the 5.0 branch.
- Posts, Post types: Apply KSES to post-by-email content,
- General: Validate host on "Are you sure?" screen,
- Posts, Post types: Remove emails from post-by-email logs,
- Media: Refactor search by filename within the admin,
- Pings/trackbacks: Apply KSES to all trackbacks,
- Comments: Apply kses when editing comments,
- Customize: Escape blogname option in underscores templates,
- REST API: Lockdown post parameter of the terms endpoint,
- Mail: Reset PHPMailer properties between use,
- Query: Validate relation in `WP_Date_Query`,
- Widgets: Escape RSS error messages for display.

Merges [54521], [54522], [54523], [54524], [54525], [54526], [54527], [54528], [54529], [54530], [54541] to the 5.0 branch.
Props voldemortensen, johnbillion, paulkevan, peterwilsoncc, xknown, dd32, audrasjb, martinkrcho, vortfu, davidbaumwald, tykoted, timothyblynjacobs, johnjamesjacoby, ehtis, matveb, talldanwp.

Built from https://develop.svn.wordpress.org/branches/5.0@54571


git-svn-id: http://core.svn.wordpress.org/branches/5.0@54125 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-10-17 18:16:15 +00:00
desrosj 9f95a91e28 Grouped merges for 5.0.12.
* REST API: Allow authors to read their own password protected posts.
* About page update.

Merges [50717] to the 5.0 branch.

Built from https://develop.svn.wordpress.org/branches/5.0@50731


git-svn-id: http://core.svn.wordpress.org/branches/5.0@50340 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-04-15 01:13:27 +00:00
whyisjake ee92e93f79 Ensure that a user can publish_posts before making a post sticky.
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update wp_kses_bad_protocol() to recognize : on uri attributes,
wp_kses_bad_protocol() makes sure to validate that uri attributes don't contain invalid or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon HTML5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.
Prevent escaped unicode characters from becoming unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.


Built from https://develop.svn.wordpress.org/branches/5.0@46915


git-svn-id: http://core.svn.wordpress.org/branches/5.0@46715 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:52:47 +00:00
Gary Pendergast 71044010f8 REST API: Remove a duplicate `require_once()`.
In `WP_REST_Attachments_Controller::create_item()`, `wp-admin/includes/image.php` was being `require_once()`-ed... twice. The superfluous `require_once()` has been quietly removed.

Props david.binda.
See #45420.


Built from https://develop.svn.wordpress.org/branches/5.0@44206


git-svn-id: http://core.svn.wordpress.org/branches/5.0@44036 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-15 11:17:31 +00:00
danielbachhuber 6b781c6823 REST API: Preserve unknown, respect `null` in server-side block rendering.
* Skips validation where there is no attribute definition, but keeps the attribute value. Previously, the attribute would be omitted from the attributes passed to `render_callback`. Notably, this resolves an issue where `render_callback` cannot receive a block's `align` and `customClassName` attribute values, since these are defined as a client-side filter.
* Validates `null` as a proper value in its own right. Previously, a client implementation of a block could track `{"attribute":null}` as an explicitly empty value, and the server would wrongly initiate defaulting behavior. The new behavior will now only populate a default value if the attribute is not defined at all, including when unset in its being invalid per the attribute schema.

Props aduth, noisysocks, youknowriad.
See #45145 for the patch, #45098 for the original ticket.

Built from https://develop.svn.wordpress.org/branches/5.0@43918


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43750 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-11-21 14:44:48 +00:00
danielbachhuber ded3bf63b7 REST API: Always include `title.raw`/`content.raw` for Blocks in `context=view`.
Demarcations for reusable blocks are always expected to be accessible by clients.

Props noisysocks, youknowriad.
See #45145 for the patch, #45098 for the original ticket.

Built from https://develop.svn.wordpress.org/branches/5.0@43917


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43749 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-11-21 14:35:48 +00:00
danielbachhuber bcfb6d34f2 REST API: Include fields with null schema in `get_fields_for_response()`.
In [43736], we prevented rendering fields when not present in `?_fields=`. However, because `get_fields_for_response()` is dependent on `get_item_schema()`, any custom fields registered with a null schema would be incorrectly excluded from the response. Because the REST API permits a null schema for `register_rest_field()`, those fields should be included in the available fields for a response.

Fixes #45220.

Built from https://develop.svn.wordpress.org/branches/5.0@43908


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43740 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-11-19 14:10:50 +00:00
danielbachhuber 5cf84bd3f7 REST API: Avoid using 'parent' as path argument name for autosaves.
When 'parent' is set as the path argument name, it gets passed down through to the `create_item()` method and can erroneously reset the 'parent' value on the post itself. Instead, we rename the argument to 'id' and replicate the revision controller's `get_items_permissions_check()` to instead reference 'id'.

Also ensures revision query params (of which there are many) aren't exposed as the query params for autosaves (of which there are two).

Props TimothyBlynJacobs.
See #43316.

Built from https://develop.svn.wordpress.org/branches/5.0@43897


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43729 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-11-15 12:57:51 +00:00
danielbachhuber 56842f36aa REST API: Prevent duplicate firing of `rest(_after)?_insert_attachment` actions.
Props danielbachhuber, peterwilsoncc.
Fixes #45269.
See #42864.

Built from https://develop.svn.wordpress.org/branches/5.0@43862


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43691 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-11-03 14:14:49 +00:00
danielbachhuber d5e3670372 REST API: Restore access to audio/video metadata functions.
Ensures `wp_read_video_metadata()`/`wp_read_audio_metadata()` functions are available when uploading video and audio. Fixes error introduced in [43589].

Props ocean90.
See #43757.

Built from https://develop.svn.wordpress.org/branches/5.0@43850


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43679 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-31 18:17:35 +00:00
danielbachhuber 7136636db3 REST API: Improve performance by avoiding `call_user_func()`.
The `get_compact_response_links()` method was introduced in WP 4.5, and this conditional is no longer necessary.

Props schlessera, timothyblynjacobs.
Fixes #45189.

Built from https://develop.svn.wordpress.org/branches/5.0@43834


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43663 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-29 00:49:40 +00:00
danielbachhuber 4521b34dca Blocks: Fix coding standards introduced in [43804].
Props Presskopp, swissspidy.
See #45098.

Built from https://develop.svn.wordpress.org/branches/5.0@43806


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43635 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-23 10:59:40 +00:00
Gary Pendergast b1f64a77d8 REST API: Add endpoints for blocks.
`WP_REST_Block_Renderer_Controller` allows rendering of server-side rendered blocks, whilst `WP_REST_Blocks_Controller` allows retrieving of reusable blocks.

Props desrosj, danielbachhuber, pento.
See #45065.


Built from https://develop.svn.wordpress.org/branches/5.0@43805


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43634 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-23 07:04:39 +00:00
Dominik Schilling 4caf9b7aaf Themes: Remove a stray slash and `gutenberg` text domain.
See #45125.
Built from https://develop.svn.wordpress.org/branches/5.0@43791


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43620 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-23 06:08:19 +00:00
danielbachhuber 8caf4f9260 Themes: Introduce responsive embeds support.
Responsive embeds is a way for a theme to opt in to WordPress dynamically scaling the width/height of an embed. When a theme supports responsive embeds, a `wp-embed-responsive` class is added to the `<body>` tag. This information is also presented through the REST API for clients to respect.

Props desrosj.
Fixes #45125.

Built from https://develop.svn.wordpress.org/branches/5.0@43790


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43619 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-23 06:07:39 +00:00
danielbachhuber 0a3bb63b8f REST API: Limit the scope of wp-admin files required in WP_REST_Attachments_Controller methods.
Narrow the scope of the included wp-admin files loaded for `wp_generate_attachment_metadata()`, `wp_handle_upload()`, `wp_tempnam()`, and `wp_handle_sideload()`. Requires only `wp-admin/includes/file.php` and `wp-admin/includes/image.php` instead of `wp-admin/includes/admin.php`.

Props ocean90, lonelyvegan, soulseekah, pratikthink.
Merges [43589], [43604] to the 5.0 branch.
Fixes #43757.

Built from https://develop.svn.wordpress.org/branches/5.0@43773


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43602 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-19 18:53:41 +00:00
danielbachhuber 58ea8c82e4 REST API: Include `block_version` on Post `content` object.
The `block_version` denotes which version of Blocks the `post_content` contains. Introduces new `block_version()` function for versioning Blocks.

Props danielbachhuber, birgire.
Fixes #43887.

Built from https://develop.svn.wordpress.org/branches/5.0@43770


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43599 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-19 17:58:39 +00:00
danielbachhuber 50b0bf94c4 REST API: Introduce Autosaves controller and endpoint.
* Adds `WP_REST_Autosaves_Controller` which extends `WP_REST_Revisions_Controller`.
* Autosaves endpoint is registered for all post types except `attachment` because even post types without revisions enabled are expected to autosave.
* Because setting the `DOING_AUTOSAVE` constant pollutes the test suite, autosaves tests are run last. We may want to improve upon this later.

Props adamsilverstein, aduth, azaozz, danielbachhuber, rmccue.
Fixes #43316.

Built from https://develop.svn.wordpress.org/branches/5.0@43768


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43597 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-19 13:49:41 +00:00
danielbachhuber 699bf044ef REST API: Correct HTTP status code in error for requests to create a duplicate term.
The 409 error code is intended for situations where it is expected that the user will resolve the conflict and resubmit the same request. We use 400 error codes for other routes when a duplicate request is made. The 400 status code tells the user they need to modify their request for it to be successful.

Props shooper.
Merges [42354] to the 5.0 branch.
Fixes #42781. See #41370.

Built from https://develop.svn.wordpress.org/branches/5.0@43756


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43585 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-18 20:32:27 +00:00
danielbachhuber 8023795f7d REST API: Fix permissions error message in post statuses controller.
The permissions error message when a request tries to fetch post statuses unauthenticated is incorrect. It was a copy/paste from elsewhere, as indicated by the use of "in this post type" where there is no post type referenced.

Props schlessera.
Merges [42356] to the 5.0 branch.
Fixes #42303.

Built from https://develop.svn.wordpress.org/branches/5.0@43755


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43584 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-18 20:26:25 +00:00
danielbachhuber e4b0ddbf4d REST API: Fix version number in `_doing_it_wrong()` call.
`_doing_it_wrong()`, indeed.

Props joehoyle.
See #39965.

Built from https://develop.svn.wordpress.org/branches/5.0@43741


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43570 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-17 22:20:25 +00:00
K. Adam White a943d902c1 REST API: Slash existing meta values when comparing with incoming meta updates.
When comparing the old and new values for a meta key being set, ensure both values are sanitized using the same logic so that equal values match.

props boonebgorges, dcavins, MattGeri, pilou69, TimothyBlynJacobs.
Fixes #42069.

Built from https://develop.svn.wordpress.org/branches/5.0@43740


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43569 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-17 20:10:25 +00:00
danielbachhuber a2d601024f REST API: Introduce controller for searching across post types.
Introduces a `WP_REST_Search_Controller` class which registers a `/wp/v2/search` endpoint. Search types are handled by extending `WP_REST_Search_Handler`. The default search type is `WP_REST_Post_Search_Handler` but can be filtered by plugins or a theme.

Props danielbachhuber, flixos90, pento, rmccue.
Fixes #39965.

Built from https://develop.svn.wordpress.org/branches/5.0@43739


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43568 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-17 17:03:26 +00:00
danielbachhuber fbd004bbbd REST API: Fire actions after items are completely updated/inserted.
The existing `rest_insert_*` actions are fired before meta and additional fields are updated. These new `rest_after_*` actions fire after all write operations have completed.

Props timothyblynjacobs.
Fixes #42864.

Built from https://develop.svn.wordpress.org/branches/5.0@43737


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43566 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-17 11:20:26 +00:00
danielbachhuber 12b674fb3a REST API: Don't add fields to object when not included in `?_fields=`.
In [43087], we improved REST API performance by only rendering the fields specified in the request. Similarly, any fields registered with `register_rest_field()` should only be rendered when included in `?_fields=`.

Props dlh.
Fixes #45099.

Built from https://develop.svn.wordpress.org/branches/5.0@43736


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43565 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-17 02:41:27 +00:00
K. Adam White 9cafddd841 REST API: Add new class file and tests missed in [43734].
See #45016.

Built from https://develop.svn.wordpress.org/branches/5.0@43735


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43564 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-16 22:50:26 +00:00
danielbachhuber bab0d57578 REST API: Include `permalink_template`/`generated_slug` for Posts
In order for clients to present permalink previews, the REST API must share the computed results of `get_sample_permalink()`. These two values are now exposed as `permalink_template` and `generated_slug` for public, viewable post types, but only for `context=edit`.

Props danielbachhuber, rahulsprajapati.
Fixes #45017.

Built from https://develop.svn.wordpress.org/branches/5.0@43720


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43549 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-13 03:49:57 +00:00
Sergey Biryukov a6a20b29d8 REST API: Support pagination, order, search and other common query parameters for revisions.
The original REST API revisions controller relied on `wp_get_post_revisions()`, getting all revisions of a post without any possibility to restrict the result. This changeset replaces that function call with a proper `WP_Query` setup, replicating how `wp_get_post_revisions()` works while offering parameters to alter the default behavior.

Props adamsilverstein, birgire, flixos90.
Merges [43584-43586], [43647] to the 5.0 branch.
Fixes #40510.
Built from https://develop.svn.wordpress.org/branches/5.0@43716


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43545 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-11 07:16:46 +00:00
Sergey Biryukov c288d39db2 REST API: Pass correct ID to `meta->update_value` to permit setting term meta during term creation.
Props joehoyle.
Merges [43636] to the 5.0 branch.
Fixes #44834.
Built from https://develop.svn.wordpress.org/branches/5.0@43714


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43543 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-11 06:35:23 +00:00
danielbachhuber 4bf87727a4 REST API: Enable users with `read_private_posts` to query for them.
An authorized request with the `read_private_posts` capability for a post type should be able to `GET /wp/v2/posts` for posts of `status=private`. This query is further sanity-checked by `WP_REST_Posts_Controller->check_read_permission()`, which is unchanged.

Props rachelbaker, soulseekah, twoelevenjay.
Fixes #43701.

Built from https://develop.svn.wordpress.org/branches/5.0@43694


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43523 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-10 20:49:23 +00:00
danielbachhuber 8a5e5b0cf9 REST API: Load missing required file for multisite users
Requires wp-admin/includes/ms.php to make `upload_is_user_over_quota()` function available to multisite users uploading files.

Props JakePT, rachelbaker.
Merges [43603] to the 5.0 branch.
Fixes #44864.

Built from https://develop.svn.wordpress.org/branches/5.0@43691


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43520 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-10 12:37:24 +00:00
danielbachhuber bc07c9dd9f REST API: Declare `unfiltered_html` capability in links.
Because user capabilities can be modified at runtime, the REST API needs to expose them in some evaluated but declarative manner for clients to interpret. JSON Hyper Schema `targetSchema` provides an appropriate paradigm for doing so.

Props timothyblynjacobs.
Fixes #45014.

Built from https://develop.svn.wordpress.org/branches/5.0@43682


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43511 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-08 22:45:25 +00:00
danielbachhuber c1ddf45869 REST API: Persist attributes for attachment links
In [43437], the link definition implementation caused attachment links to be unexpectedly nested under an `attributes` key. This changeset restores the prior behavior.

Props TimothyBlynJacobs.
Fixes #44750.

Built from https://develop.svn.wordpress.org/branches/5.0@43681


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43510 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-08 18:19:28 +00:00
danielbachhuber 62a35c8545 REST API: Define taxonomy visibility settings in schema
For Gutenberg and other admin-type interfaces, it's useful to be able to see the visibility settings for taxonomies.

The original changeset was partially included in [43445].

Merges [42729], [42730], [42973] to the 5.0 branch.
Props joehoyle, TimothyBlynJacobs, pento.
Fixes #42707.

Built from https://develop.svn.wordpress.org/branches/5.0@43680


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43509 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-08 13:50:27 +00:00
Sergey Biryukov 4c11410c58 REST API: Ensure attachments created with `WP_REST_Attachments_Controller::create_item()` on Windows have a relative path.
Props ocean90, SergeyBiryukov, redcastor.
Merges [43529] to the 4.9 branch.
Fixes #40861.
Built from https://develop.svn.wordpress.org/branches/4.9@43530


git-svn-id: http://core.svn.wordpress.org/branches/4.9@43359 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-24 16:54:26 +00:00
K. Adam White 2afa2b446f REST API: Support meta registration for specific object subtypes.
Introduce an object_subtype argument to the args array for register_meta() which can be used to limit meta registration to a single subtype (e.g. a custom post type or taxonomy, vs all posts or taxonomies).

Introduce register_post_meta() and register_term_meta() wrapper methods for register_meta to provide a convenient interface for the common case of registering meta for a specific taxonomy or post type. These methods work the way plugin developers have often expected register_meta to function, and should be used in place of direct register_meta where possible.

Props flixos90, tharsheblows, spacedmonkey.

Merges [43378] to the 4.9 branch.
Fixes #38323.

Built from https://develop.svn.wordpress.org/branches/4.9@43510


git-svn-id: http://core.svn.wordpress.org/branches/4.9@43339 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-19 18:49:25 +00:00
Sergey Biryukov 63779784f3 REST API: Fix some incorrect `@since` tags.
[43437] included some new methods, which were incorrectly tagged as being `@since 4.9.7`. This updates them to `4.9.8`.

Props danielbachhuber.
Merges [43463] to the 4.9 branch.
Fixes #44287.
Built from https://develop.svn.wordpress.org/branches/4.9@43490


git-svn-id: http://core.svn.wordpress.org/branches/4.9@43317 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-17 16:16:26 +00:00
Sergey Biryukov d413bb103d REST API: Attachments controller should respect upload limits.
When the REST API is in use on WordPress multisite, the `WP_REST_Attachments_Controller` should respect the "Max upload file size" and "Site upload space" site options.

Props flixos90, danielbachhuber.
Merges [43462] to the 4.9 branch.
Fixes #43751.
Built from https://develop.svn.wordpress.org/branches/4.9@43489


git-svn-id: http://core.svn.wordpress.org/branches/4.9@43316 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-17 16:12:27 +00:00
Gary Pendergast 595cd450eb REST API: Filter responses based on the `_fields` parameter, before data is processed.
Historically, the REST API would generate the entire response object, including running expensive filters, then it would apply the `_fields` parameter, discarding the fields that weren't specified.

This change causes `_fields` to be applied earlier, so that only requested fields are processed.

Merges [43087] to the 4.9 branch.

Props danielbachhuber.
See #43874.


Built from https://develop.svn.wordpress.org/branches/4.9@43445


git-svn-id: http://core.svn.wordpress.org/branches/4.9@43272 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-13 06:51:27 +00:00
Gary Pendergast 547a500699 REST API: Tweak permission checks for taxonomy and term endpoints
To match behaviour in the Classic Editor, we need to slightly loosen permissions on taxonomy and term endpoints. This allows users to create terms to assign to a post that they're editing.

Merges [43440] to the 4.9 branch.

Props danielbachhuber.
Fixes #44096.


Built from https://develop.svn.wordpress.org/branches/4.9@43443


git-svn-id: http://core.svn.wordpress.org/branches/4.9@43270 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-13 06:29:25 +00:00
Gary Pendergast d802d709c7 REST API: Expose revision count and last revision ID on Post response
So that REST API clients can show appropriate UI for a post's revisions, it needs to know how many revisions the post has, and what the latest revision ID is.

Merge of [43439] and [43441] to the 4.9 branch.

Props kadamwhite, danielbachhuber, birgire, TimothyBlynJacobs, pento.
Fixes #44321.


Built from https://develop.svn.wordpress.org/branches/4.9@43442


git-svn-id: http://core.svn.wordpress.org/branches/4.9@43269 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-13 06:14:25 +00:00
Gary Pendergast 26f6aeaeea REST API: Declare user capabilities using JSON Hyper Schema's "targetSchema".
There are a variety of operations a WordPress user can only perform if they have the correct capabilities. A REST API client should only display UI for one of these operations if the WordPress user can perform the operation.

Rather than requiring REST API clients to calculate whether to display UI based on potentially complicated combinations of user capabilities, `targetSchema` allows us to expose a single flag to show whether the corresponding UI should be displayed.

This change also includes flags on post objects for the following actions:

- `action-publish`: The current user can publish this post.
- `action-sticky`: The current user can make this post sticky, and the post type supports sticking.
- `action-assign-author`: The current user can change the author on this post.
- `action-assign-{$taxonomy}`: The current user can assign terms from the "$taxonomy" taxonomy to this post.
- `action-create-{$taxonomy}`: The current user can create terms in the "$taxonomy" taxonomy.

Merges [43437] to the 4.9 branch.

Props TimothyBlynJacobs, danielbachhuber.
Fixes #44287.


Built from https://develop.svn.wordpress.org/branches/4.9@43438


git-svn-id: http://core.svn.wordpress.org/branches/4.9@43265 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-11 09:21:29 +00:00
Sergey Biryukov 17c256df0b REST API: When handling `who=authors` query parameter for `GET wp/v2/users`, only check `edit_posts` for post types that support `author`.
Props danielbachhuber.
Merges [43137] to the 4.9 branch.
Fixes #42202.
Built from https://develop.svn.wordpress.org/branches/4.9@43138


git-svn-id: http://core.svn.wordpress.org/branches/4.9@42967 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-05-03 06:54:25 +00:00
Sergey Biryukov 59a7fbddde REST API: Add `who=authors` as a query parameter for `GET wp/v2/users`.
Any WordPress user who can `edit_posts` of a post type with `show_in_rest=true` can query for authors. This maps to current WordPress behavior where a WordPress user who can view the Manage Posts view for a post type can see any WordPress user assigned to a post (whether published or draft).

This implementation, over restricting `who=authors` to users with `list_users`, gives us future flexibility in displaying lists of posts. It still respects more restrictive permissions for `context=edit`.

Props danielbachhuber.
Merges [43001] to the 4.9 branch.
Fixes #42202.
Built from https://develop.svn.wordpress.org/branches/4.9@43067


git-svn-id: http://core.svn.wordpress.org/branches/4.9@42896 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-05-01 22:18:26 +00:00
Sergey Biryukov f04d84149f REST API: Include `viewable` attribute on Post Type resource for `edit` context.
For the block editor to be able to expose the Preview button correctly, it needs to know the `is_post_type_viewable()` setting; this change adds it to the Post Type response.

Props danielbachhuber.
Merges [43007] to the 4.9 branch.
Fixes #43739.
Built from https://develop.svn.wordpress.org/branches/4.9@43038


git-svn-id: http://core.svn.wordpress.org/branches/4.9@42867 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-30 04:31:25 +00:00
Aaron Jorbin 4aee92bb1c REST API: Add existing term_id to the error data object when attempting to create a duplicate term.
Merges [42350] into 4.9

Props shooper, coleh, rachelbaker.
Fixes #42597. See #41370.

Built from https://develop.svn.wordpress.org/branches/4.9@42578


git-svn-id: http://core.svn.wordpress.org/branches/4.9@42407 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-23 20:22:39 +00:00
Sergey Biryukov 9026b41b3b Media: Bring consistency to `getimagesize()` error suppression.
Props chasewg, joemcgill, jeremyfelt.
Merges [42449] to the 4.9 branch.
Fixes #42480.
Built from https://develop.svn.wordpress.org/branches/4.9@42450


git-svn-id: http://core.svn.wordpress.org/branches/4.9@42280 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-15 20:02:39 +00:00
Rachel Baker 25bfff959f REST API: Return the proper status code for failed permission callbacks in WP_REST_Server->dispatch().
Use the rest_authorization_required_code() function to return a 401 status code when a permission callback fails due to a user not being logged in.

Merges [42421] to the 4.9 branch.

Props jaswrks.
Fixes #42828.

Built from https://develop.svn.wordpress.org/branches/4.9@42422


git-svn-id: http://core.svn.wordpress.org/branches/4.9@42253 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-12-30 20:49:40 +00:00
Joe Hoyle bebb0b0d82 REST API: Don’t remove unregistered properties from objects in schema.
In r41727 the ability to sanitise and validate objects from JSON schema was added, with a whitelist approach. It was decided we should pass through all non-registered properties to reflect the behaviour of the root object in register_rest_route. To prevent arbitrary extra data via setting objects, we force additionalProperties to false in the settings endpoint.

See #38583.
Built from https://develop.svn.wordpress.org/trunk@42000


git-svn-id: http://core.svn.wordpress.org/trunk@41834 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-24 21:05:49 +00:00