Commit Graph

64 Commits

Author SHA1 Message Date
davidbaumwald ab61d84ae4 Grouped backports to the 5.2 branch.
- Comments: Prevent users who can not see a post from seeing comments on it.
- Shortcodes: Restrict media shortcode ajax to certain type.
- REST API: Ensure no-cache headers are sent when methods are overridden.
- REST API: Limit `search_columns` for users without `list_users`.
- Prevent unintended behavior when certain objects are unserialized.

Merges [56833], [56834], [56835], [56836], and [56838] to the 5.2 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.
Built from https://develop.svn.wordpress.org/branches/5.2@56876


git-svn-id: http://core.svn.wordpress.org/branches/5.2@56387 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-10-12 18:23:19 +00:00
whyisjake 42a430a0a9 REST API: Allow for multiple Vary: Origin headers in GET responses.
Simple fix, we pass false as the second parameter to the header function.

This is something that we added downstream of the 5.2.4 release, but we missed in 5.2/trunk.

Fixes #48309, see also [46544].
Props xknown, whyisjake.

Built from https://develop.svn.wordpress.org/branches/5.2@46545


git-svn-id: http://core.svn.wordpress.org/branches/5.2@46342 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-15 15:54:53 +00:00
whyisjake e9ecfd078e REST API: Send a Vary: Origin header on GET requests.
Add this header on all GET requests to prevent cached requests.

Fixes some code dulication from [46484] and backports the changes from [46484] to the 5.2 branch.
Props darthhexx, davidbinda, nickdaugherty, whyisjake.

Built from https://develop.svn.wordpress.org/branches/5.2@46487


git-svn-id: http://core.svn.wordpress.org/branches/5.2@46285 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 17:44:54 +00:00
whyisjake cbc773dcbb Filesystem API: Prevent directory travelersals when creating new folders.
Reject file paths that contain sub-directory paths.

Props iandunn, xknown, sstoqnov, whyisjake.

Built from https://develop.svn.wordpress.org/branches/5.2@46484


git-svn-id: http://core.svn.wordpress.org/branches/5.2@46282 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 16:34:53 +00:00
K. Adam White 391d481fe1 REST API: Ensure "Allow" header is returned for OPTIONS requests.
This changeset ensures `$request->set_url_params()` is called while fulfilling OPTIONS requests, where previously it was skipped because OPTIONS requests short-circuit the logic in `dispatch` which handles this setup for other request methods. Omitting the URL parameters prevented the Allow header from being set.

Props killua99, noisysocks.
Fixes #45753.

Built from https://develop.svn.wordpress.org/trunk@44933


git-svn-id: http://core.svn.wordpress.org/trunk@44764 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-19 03:22:51 +00:00
Dominik Schilling fe73f310d4 REST API: Prevent translating the hook name in a `_doing_it_wrong()` message by using a placeholder.
See #45265.
Built from https://develop.svn.wordpress.org/trunk@44698


git-svn-id: http://core.svn.wordpress.org/trunk@44529 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-01-26 12:29:54 +00:00
desrosj 2785313bf2 REST API: Encourage proper usage of `register_rest_route()`.
Calling `register_rest_route()` too early in the loading process has the potential to cause some unintentional problems and pitfalls. Because `register_rest_route()` calls `rest_get_server()` (which creates the `WP_REST_Server` instance), calling the function directly and/or before `rest_api_init` should be discouraged.

For example, if `register_rest_route ()` is called on `init`, the REST API server instance is set up (and all functions added to `rest_api_init` and other related hooks are invoked), even though the current request may not be a REST request. Also, if `register_rest_route()` is called even earlier (say, in an `mu-plugin` file), required endpoints may be missing since normal plugins have not yet been loaded and have not had a chance to register their own action hooks.

This adds a `_doing_it_wrong()` notice the first time `register_rest_route()` is called before `rest_api_init` in a request to encourage best practices for registering REST API routes.

Props kraftbj, desrosj, timothyblynjacobs.
Fixes #45265.
Built from https://develop.svn.wordpress.org/trunk@44568


git-svn-id: http://core.svn.wordpress.org/trunk@44399 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-01-11 18:19:49 +00:00
Felix Arntz a71d208785 General: Fix problematic string to array parsing.
WordPress has historically often used code like `preg_split( '/[\s,]+/', $var )` to parse a string of comma-separated values into an array. However, this approach was causing an empty string to not be parsed into an empty array as expected, but rather into an array with the empty string as its sole element.

This was among other areas causing problems in the REST API where passing an empty request parameter could cause that request to fail because, instead of it being ignored, that parameter would be compared against the valid values for it, which typically do not include an empty string.

Props david.binda, sstoqnov.
Fixes #43977.

Built from https://develop.svn.wordpress.org/trunk@44546


git-svn-id: http://core.svn.wordpress.org/trunk@44377 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-01-10 21:06:49 +00:00
Gary Pendergast d2782aabc5 REST API: Improve performance by avoiding `call_user_func()`.
The `get_compact_response_links()` method was introduced in WP 4.5, and this conditional is no longer necessary.

Merges [43834] from the 5.0 branch to trunk.

Props schlessera, timothyblynjacobs.
Fixes #45189.

Built from https://develop.svn.wordpress.org/trunk@44173


git-svn-id: http://core.svn.wordpress.org/trunk@44003 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-14 06:04:55 +00:00
Gary Pendergast d8863244cb Block Editor: Preload `wp/v2/media` with OPTIONS for caps check.
Also introduces a `block_editor_preload_paths` filter for plugins and themes to preload additional data.

Merges [43833] from the 5.0 branch to trunk.

Props imath, mattheu, danielbachhuber.
Fixes #45194.


Built from https://develop.svn.wordpress.org/trunk@44172


git-svn-id: http://core.svn.wordpress.org/trunk@44002 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-14 06:02:52 +00:00
Jeremy Felt c3e927d2c8 REST API: Add endpoints for blocks.
`WP_REST_Block_Renderer_Controller` allows rendering of server-side rendered blocks, whilst `WP_REST_Blocks_Controller` allows retrieving of reusable blocks.

Merges [43805] and [43806] from the 5.0 branch to trunk.

Props desrosj, danielbachhuber, pento, Presskopp, swissspidy.
See #45065, #45098.

Built from https://develop.svn.wordpress.org/trunk@44150


git-svn-id: http://core.svn.wordpress.org/trunk@43980 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-14 02:35:38 +00:00
desrosj d4d16ec083 REST API: Introduce Autosaves controller and endpoint.
- Adds `WP_REST_Autosaves_Controller` which extends `WP_REST_Revisions_Controller`.
- Autosaves endpoint is registered for all post types except attachment because even post types without revisions enabled are expected to autosave.
- Because setting the `DOING_AUTOSAVE` constant pollutes the test suite, autosaves tests are run last. We may want to improve upon this later. 

Also, use a truly impossibly high number in User Controller tests. The number `100`, (or `7777` in `trunk`), could be valid in certain test run configurations. The `REST_TESTS_IMPOSSIBLY_HIGH_NUMBER` constant is impossibly high for this very reason.

Finally, Skip Autosaves controller test for multisite. There's a PHP 5.2 edge case where paths calculated differently, possibly caused by differing version of PHPUnit.

Props adamsilverstein, aduth, azaozz, danielbachhuber, rmccue, danielbachhuber.

Merges [43767], [43768], [43769] to trunk.

See #45132, #45131.
Fixes #45128, #43316.
Built from https://develop.svn.wordpress.org/trunk@44126


git-svn-id: http://core.svn.wordpress.org/trunk@43956 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 22:42:38 +00:00
desrosj d16e6740d5 REST API: Introduce the `rest_preload_api_request()` function.
This function helps perform multiple REST API requests, for the purpose of preloading data into a page.

Props pento.

Merges [43763] to trunk.

See #45110.
Built from https://develop.svn.wordpress.org/trunk@44123


git-svn-id: http://core.svn.wordpress.org/trunk@43953 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 22:25:49 +00:00
Gary Pendergast 6cbb6f9bd2 REST API: Introduce controller for searching across post types.
Introduces a `WP_REST_Search_Controller` class which registers a `/wp/v2/search` endpoint. Search types are handled by extending `WP_REST_Search_Handler`. The default search type is `WP_REST_Post_Search_Handler` but can be filtered by plugins or a theme.

Merges [43739,43741] from the 5.0 branch to trunk.

Props danielbachhuber, flixos90, pento, rmccue, joehoyle.
Fixes #39965.


Built from https://develop.svn.wordpress.org/trunk@44107


git-svn-id: http://core.svn.wordpress.org/trunk@43937 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 09:38:25 +00:00
Jeremy Felt c108cbfa52 REST API: Introduce themes endpoint to expose theme-supports values for the active theme.
In order to correctly render parts of its UI, the new editor needs to be aware of the active theme's post-formats and post-thumbnails support. This data is exposed by querying for the active theme on a new /wp/v2/themes endpoint for sufficiently privileged users.

Merges [43734], [43735] to trunk.

props desrosj.
Fixes #45016.

Built from https://develop.svn.wordpress.org/trunk@43985


git-svn-id: http://core.svn.wordpress.org/trunk@43817 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 03:33:24 +00:00
desrosj a36830c4cb REST API: Enable users with read_private_posts to query for them.
An authorized request with the read_private_posts capability for a post type should be able to GET /wp/v2/posts for posts of status=private. This query is further sanity-checked by WP_REST_Posts_Controller->check_read_permission(), which is unchanged.

Props rachelbaker, soulseekah, twoelevenjay.

Moves [43694] from the 5.0 branch to trunk.

Fixes #43701.
Built from https://develop.svn.wordpress.org/trunk@43979


git-svn-id: http://core.svn.wordpress.org/trunk@43811 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-11 22:30:24 +00:00
Gary Pendergast aaf99e6913 Code is Poetry.
WordPress' code just... wasn't.
This is now dealt with.

Props jrf, pento, netweb, GaryJ, jdgrimes, westonruter, Greg Sherwood from PHPCS, and everyone who's ever contributed to WPCS and PHPCS.
Fixes #41057.


Built from https://develop.svn.wordpress.org/trunk@42343


git-svn-id: http://core.svn.wordpress.org/trunk@42172 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-30 23:11:00 +00:00
Ryan McCue 9b68e59534 REST API: Ensure rest_url() consistently has leading slash.
`rest_url()` inconsistent addes slashes to the passed path depending on whether the site has pretty permalinks enabled. Apart from being inconsistent, this also caused the unit tests to fail when pretty permalinks are enabled.

Props frank-klein.
Fixes #42452. See #41451.

Built from https://develop.svn.wordpress.org/trunk@42250


git-svn-id: http://core.svn.wordpress.org/trunk@42079 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-28 07:10:46 +00:00
Joe Hoyle bebb0b0d82 REST API: Don’t remove unregistered properties from objects in schema.
In r41727 the ability to sanitise and validate objects from JSON schema was added, with a whitelist approach. It was decided we should pass through all non-registered properties to reflect the behaviour of the root object in register_rest_route. To prevent arbitrary extra data via setting objects, we force additionalProperties to false in the settings endpoint.

See #38583.
Built from https://develop.svn.wordpress.org/trunk@42000


git-svn-id: http://core.svn.wordpress.org/trunk@41834 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-24 21:05:49 +00:00
K. Adam White 37ec288f71 REST API: Add _fields parameter to selectively include fields in response JSON.
Allows REST API consumers to specify the specific fields needed in their application code, whitelisting those fields and omitting all others from the returned JSON response object.
This permits applications that only need for example the ID and title of posts to avoid having to transfer the entire rendered post content over the wire alongside the desired fields.
While this whitelisting has no affect on the queries run when preparing the response, it can yield significant reductions in the bandwidth required to transfer a response payload for simple applications.

Props adamsilverstein, TimothyBlynJacobs, svrooij.
Fixes #38131.


Built from https://develop.svn.wordpress.org/trunk@41744


git-svn-id: http://core.svn.wordpress.org/trunk@41578 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-04 18:46:38 +00:00
Joe Hoyle f276b4901b REST API: Support for objects in schema validation and sanitization.
When registering routes developers can now define their complex objects in the schema and benefit from the automatic validation and sanitization in the REST API. This also paves the way for support for complex object registration via register_meta and register_setting.

See #38583.
Props TimothyBlynJacobs5.
Built from https://develop.svn.wordpress.org/trunk@41727


git-svn-id: http://core.svn.wordpress.org/trunk@41561 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-04 08:27:47 +00:00
James Nylen fce0b2dcd9 REST API: Always call `rest_get_server()` instead of accessing the `$wp_rest_server` global.
This is a consistency improvement and also a bug fix for fairly obscure cases involving modified WP load order.

Fixes #41555.

Built from https://develop.svn.wordpress.org/trunk@41238


git-svn-id: http://core.svn.wordpress.org/trunk@41078 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-08-10 01:38:43 +00:00
Gary Pendergast 7819daefd2 REST API: Always add `index.php` to the REST URL when pretty permalinks are disabled.
When pretty permalinks are disabled, the web server will internally forward requests to `index.php`. Unfortunately, nginx only forwards HTTP/1.0 methods: `PUT`, `PATCH`, and `DELETE` methods will return a 405 error.

To work around this nginx behaviour, including `index.php` in the REST URL skips the internal redirect.

Fixes #40886.


Built from https://develop.svn.wordpress.org/trunk@41139


git-svn-id: http://core.svn.wordpress.org/trunk@40979 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-07-25 00:50:43 +00:00
John Blackbourn f750a800d0 REST API: In the admin area, ensure the REST API endpoint URL is forced to `https` when necessary.
In this situation, a site which uses `http` on the front end but `https` in the admin area is more likely to have a working REST API endpoint URL when used in the admin area.

Props mohanjith, westonruter, jnylen0

Fixes #36451

Built from https://develop.svn.wordpress.org/trunk@40843


git-svn-id: http://core.svn.wordpress.org/trunk@40694 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-25 18:02:41 +00:00
James Nylen 21b1135b1c REST API: Do not set `X-WP-Deprecated*` headers as often.
Only set these headers if (1) `WP_DEBUG` is enabled and (2) headers have not already been sent.

Previously, this code could generate warnings by trying to set a header after response data has already been sent.  This happens when code attached to the `shutdown` filter calls a deprecated function, for example.

Also, these headers are unlikely to be useful in the majority of cases; let's only send them if `WP_DEBUG` is enabled.

Props kraftbj, jnylen0, ocean90, rmccue.
Fixes #40787.

Built from https://develop.svn.wordpress.org/trunk@40782


git-svn-id: http://core.svn.wordpress.org/trunk@40640 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-18 17:49:42 +00:00
Rachel Baker 195b227357 Formatting: Increase minimum characters allowed in `is_email()` to 6.
Brings the minimum characters expected for a valid email address to six, which matches the expectations in `wp_handle_comment_submission()` and REST API email arguments.

Props rmccue, lukecavanagh, rachelbaker, desrosj, sudar.
Fixes #38708.

Built from https://develop.svn.wordpress.org/trunk@40667


git-svn-id: http://core.svn.wordpress.org/trunk@40530 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-14 04:20:43 +00:00
Ryan McCue 027e8d9218 REST API: Allow "Origin: null" from file: URLs.
Browsers send an "Origin: null" header value for file and data URLs, as they can be generated by any document, and their origin is not guaranteed. Since we want to allow any URL to access the API (intentionally disabling the CORS protections), we need to special-case the non-URL "null" value.

Props joehoyle.
Fixes #40011.

Built from https://develop.svn.wordpress.org/trunk@40600


git-svn-id: http://core.svn.wordpress.org/trunk@40470 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-10 04:22:43 +00:00
James Nylen b6ce4e2830 REST API: Fix multiple issues with setting dates of posts and comments.
This commit modifies the `rest_get_date_with_gmt` function to correctly parse local and UTC timestamps with or without timezone information.

It also ensures that the REST API can edit the dates of draft posts by setting the `edit_date` flag to `wp_update_post`.

Overall this commit ensures that post and comment dates can be set and updated as expected.

Fixes #39256.

Built from https://develop.svn.wordpress.org/trunk@40101


git-svn-id: http://core.svn.wordpress.org/trunk@40038 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-02-21 18:18:45 +00:00
Sergey Biryukov 234f2040a8 Docs: Use third-person singular verb for `rest_avatar_sizes` filter description.
See #39130.
Built from https://develop.svn.wordpress.org/trunk@40047


git-svn-id: http://core.svn.wordpress.org/trunk@39984 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-02-06 02:58:40 +00:00
Joe Hoyle e357195ce3 REST API: Unify object access handling for simplicity.
Rather than repeating ourselves, unifying the access into a single method keeps everything tidy. While we're at it, add in additional schema handling for common parameters.

See #38792.
Built from https://develop.svn.wordpress.org/trunk@39954


git-svn-id: http://core.svn.wordpress.org/trunk@39891 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 13:39:41 +00:00
Ryan McCue 1326d9e2c7 REST API: Correctly serve the index with PATH_INFO
When hitting the index, untrailingslashit() would make the REST route empty, which would then use the fallback inside WP_REST_Server. This isn't a problem most of the time, but WP_REST_Server contains a fallback to PATH_INFO. Combined with PATH_INFO permalinks, this would give a 404 on the API index, as it attempts to look up a route for "/wp-json/".

Props ccprog.
Fixes #39432.

Built from https://develop.svn.wordpress.org/trunk@39923


git-svn-id: http://core.svn.wordpress.org/trunk@39860 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-17 05:40:40 +00:00
Sergey Biryukov b3c28838f7 REST API: Improve error messages for number relational validation.
Props jblz.
Fixes #39054.
Built from https://develop.svn.wordpress.org/trunk@39896


git-svn-id: http://core.svn.wordpress.org/trunk@39833 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-13 04:38:40 +00:00
John Blackbourn d327c92e4b Docs: Add and correct `@since` docs for a variety of functions and methods.
Props keesiemeijer, chris_dev
Fixes #39343, #39357, #39344
See #39130

Built from https://develop.svn.wordpress.org/trunk@39638


git-svn-id: http://core.svn.wordpress.org/trunk@39578 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-12-27 09:21:44 +00:00
Rachel Baker 606c9905ef REST API: Fix incorrect uses of `rest_sanitize_value_from_schema()`.
In the `check_username()` and `check_password()` callbacks in the Users controller cast the provided request value to a string. The `rest_sanitize_value_from_schema()` function was being used incorrectly which was causing unintended request parsing. 
In `rest_sanitize_request_arg()` do not pass nonexistent third parameter for the `rest_sanitize_value_from_schema()` function.

Props jnylen0, joehoyle, rachelbaker, ocean90.
Fixes #38984.
Built from https://develop.svn.wordpress.org/trunk@39400


git-svn-id: http://core.svn.wordpress.org/trunk@39340 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-12-01 02:12:41 +00:00
Ryan McCue 863505cf81 REST API: Trim trailing slashes from routes.
WordPress' rewrites do this usually, but the behaviour was inconsistent when using non-pretty permalinks.

Props joehoyle.
Fixes #38873.

Built from https://develop.svn.wordpress.org/trunk@39329


git-svn-id: http://core.svn.wordpress.org/trunk@39269 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-11-21 05:46:30 +00:00
Joe Hoyle a38b863ae4 REST API: Change “ipv4” types to “ip” to support ipv6.
Stop presuming IP address are IPv4, instead make the type “ip” to be agnostic of IP version. This fixes requests with ipv6 addresses for comments in core.

Props dd32, schlessera, danielbachhuber.
Fixes #38818.
Built from https://develop.svn.wordpress.org/trunk@39296


git-svn-id: http://core.svn.wordpress.org/trunk@39236 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-11-18 19:33:31 +00:00
Sergey Biryukov acc30b09d7 Text Changes: Merge some duplicate strings with the same meaning in error messages, adjust some other strings for consistency and accuracy.
Props ramiy, SergeyBiryukov.
Fixes #38808.
Built from https://develop.svn.wordpress.org/trunk@39278


git-svn-id: http://core.svn.wordpress.org/trunk@39218 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-11-17 15:53:33 +00:00
Ryan McCue 0f5a44e093 REST API: Move translator comments to preceding line.
Inline translator comments break POT file generation.

Props dd32.
See #38791.

Built from https://develop.svn.wordpress.org/trunk@39239


git-svn-id: http://core.svn.wordpress.org/trunk@39179 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-11-15 05:39:32 +00:00
Ryan McCue 705f17cea2 REST API: Add translator comments to text with placeholders.
Props dimadin.
Fixes #38791.

Built from https://develop.svn.wordpress.org/trunk@39238


git-svn-id: http://core.svn.wordpress.org/trunk@39178 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-11-15 04:28:31 +00:00
Joe Hoyle 5c90d9ed8e REST API: Validate and Sanitize registered meta based off the schema.
With the addition of Array support in our schema validation functions, it's now possible to use these in the meta validation and sanitization steps. Also, this increases the test coverage of using registered via meta the API significantly.

Fixes #38531.
Props rachelbaker, tharsheblows.

Built from https://develop.svn.wordpress.org/trunk@39222


git-svn-id: http://core.svn.wordpress.org/trunk@39162 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-11-14 16:36:33 +00:00
Ryan McCue d6a5c68516 REST API: Require 6 characters for comment email addresses.
The regular comments API requires 6 characters rather than 3, so we need to match this.

Props mangeshp, dd32.
Fixes #38506.

Built from https://develop.svn.wordpress.org/trunk@39158


git-svn-id: http://core.svn.wordpress.org/trunk@39098 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-11-08 06:42:32 +00:00
Joe Hoyle 6ee8f33660 REST API: Sanitize arrays being sent as CSVs.
In #38586 the ability to parse arrays as csv was introduced, however it didn't add any support for validating csv arrays. This adds such sanitization, and also a good amount of unit tests for all sanitization baed off schema.

See #38586.

Built from https://develop.svn.wordpress.org/trunk@39061


git-svn-id: http://core.svn.wordpress.org/trunk@39003 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-10-31 17:08:31 +00:00
Gary Pendergast 54b378e411 REST API: Allow parameters defined as `array` to be sent as CSVs.
This allows parameters that are often handled as CSVs to be properly parsed.

Fixes #38586.


Built from https://develop.svn.wordpress.org/trunk@39048


git-svn-id: http://core.svn.wordpress.org/trunk@38990 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-10-31 05:45:32 +00:00
Gary Pendergast 6c1e98d1fb REST API: Add support for arrays in schema validation and sanitization.
By allowing more fine-grained validation and sanitisation of endpoint args, we can ensure the correct data is being passed to endpoints.

This can easily be extended to support new data types, such as CSV fields or objects.

Props joehoyle, rachelbaker, pento.
Fixes #38531.


Built from https://develop.svn.wordpress.org/trunk@39046


git-svn-id: http://core.svn.wordpress.org/trunk@38988 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-10-31 01:48:41 +00:00
Gary Pendergast 69539eb2a7 REST API: Add `PATCH` to CORS allowed methods.
Editable resources in the REST API accept the `PATCH` method, but the CORS headers don't mention it.

Props jnylen0.
Fixes #38546.


Built from https://develop.svn.wordpress.org/trunk@39042


git-svn-id: http://core.svn.wordpress.org/trunk@38984 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-10-31 00:19:30 +00:00
Drew Jaynes 0181e937c5 Docs: Add a slightly less ambiguous list of return types for `rest_ensure_response()`.
See #38398.

Built from https://develop.svn.wordpress.org/trunk@39037


git-svn-id: http://core.svn.wordpress.org/trunk@38979 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-10-30 18:53:29 +00:00
Rachel Baker e4a7c0a397 REST API: Introduce the Content API endpoints.
REST API endpoints for your WordPress content. These endpoints provide machine-readable external access to your WordPress site with a clear, standards-driven interface, allowing new and innovative apps for interacting with your site. These endpoints support all of the following:
- Posts: Read and write access to all post data, for all types of post-based data, including pages and media.
- Comments: Read and write access to all comment data. This includes pingbacks and trackbacks.
- Terms: Read and write access to all term data.
- Users: Read and write access to all user data. This includes public access to some data for post authors.
- Meta: Read and write access to metadata for posts, comments, terms, and users, on an opt-in basis from plugins.
- Settings: Read and write access to settings, on an opt-in basis from plugins and core. This enables API management of key site content values that are technically stored in options, such as site title and byline.

Love your REST API, WordPress!  The infrastructure says, "Let's do lunch!" but the content API endpoints say, "You're paying!"

Props rmccue, rachelbaker, danielbachhuber, joehoyle, adamsilverstein, afurculita, ahmadawais, airesvsg, alisspers, antisilent, apokalyptik, artoliukkonen, attitude, boonebgorges, bradyvercher, brianhogg, caseypatrickdriscoll, chopinbach, chredd, christianesperar, chrisvanpatten, claudiolabarbera, claudiosmweb, cmmarslender, codebykat, coderkevin, codfish, codonnell822, daggerhart, danielpunkass, davidbhayes, delphinus, desrosj, dimadin, dotancohen, DrewAPicture, Dudo1985, duncanjbrown, eherman24, eivhyl, eliorivero, elyobo, en-alis, ericandrewlewis, ericpedia, evansobkowicz, fjarrett, frozzare, georgestephanis, greatislander, guavaworks, hideokamoto, hkdobrev, hubdotcom, hurtige, iandunn, ircrash, ironpaperweight, iseulde, Japh, jaredcobb, JDGrimes, jdolan, jdoubleu, jeremyfelt, jimt, jjeaton, jmusal, jnylen0, johanmynhardt, johnbillion, jonathanbardo, jorbin, joshkadis, JPry, jshreve, jtsternberg, JustinSainton, kacperszurek, kadamwhite, kalenjohnson, kellbot, kjbenk, kokarn, krogsgard, kuchenundkakao, kuldipem, kwight, lgedeon, lukepettway, mantismamita, markoheijnen, matrixik, mattheu, mauteri, maxcutler, mayukojpn, michael-arestad, miyauchi, mjbanks, modemlooper, mrbobbybryant, NateWr, nathanrice, netweb, NikV, nullvariable, oskosk, oso96_2000, oxymoron, pcfreak30, pento, peterwilsoncc, Pezzab, phh, pippinsplugins, pjgalbraith, pkevan, pollyplummer, pushred, quasel, QWp6t, schlessera, schrapel, Shelob9, shprink, simonlampen, Soean, solal, tapsboy, tfrommen, tharsheblows, thenbrent, tierra, tlovett1, tnegri, tobych, Toddses, toro_unit, traversal, vanillalounge, vishalkakadiya, wanecek, web2style, webbgaraget, websupporter, westonruter, whyisjake, wonderboymusic, wpsmith, xknown, zyphonic.
Fixes #38373.
Built from https://develop.svn.wordpress.org/trunk@38832


git-svn-id: http://core.svn.wordpress.org/trunk@38775 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-10-20 02:55:32 +00:00
Aaron Jorbin 969e4255a9 REST API: Include `Vary: Origin` in cors headers
`vary: origin` is a W3 CORS implementation recommendation( https://www.w3.org/TR/cors/#resource-implementation ). It's used by default in frameworks such as hapi and Laravel-cors. Overall, it helps sites siting behind a cache such as varnish.

Fixes #38060.
Props procodewp, pdufour for research.


Built from https://develop.svn.wordpress.org/trunk@38806


git-svn-id: http://core.svn.wordpress.org/trunk@38749 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-10-17 16:11:30 +00:00
Rachel Baker a6f0fb6d2a REST API: Support sites with index-style permalinks in `get_rest_url()`.
Support the index-style permalinks (http://example.com/index.php/postName) when registering the REST API rewrite rules and within the `get_rest_url()` function. This allows sites that do not have mod_rewrite support to have almost pretty urls and have access to their REST API endpoints.

Props kraftbj.
Fixes #38182.
Built from https://develop.svn.wordpress.org/trunk@38790


git-svn-id: http://core.svn.wordpress.org/trunk@38733 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-10-14 19:30:29 +00:00
Scott Taylor 778d794e4f REST API: remove unnecessary variable assignments in `rest_handle_options_request()`.
See #37771.

Built from https://develop.svn.wordpress.org/trunk@38310


git-svn-id: http://core.svn.wordpress.org/trunk@38251 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-08-22 20:56:28 +00:00