In [49752] a check was added to prevent creating new Application Passwords if Basic Auth credentials were detected to prevent conflicts. This check takes place in WP-Admin, though a conflict would only arise if Basic Auth was used on the website's front-end.
This commit extracts the Basic Auth check into a reusable function, `wp_is_site_protected_by_basic_auth()`, which can be adjusted using a filter of the same name. This way, a site that uses Basic Auth to protect WP-Admin can still use the Application Passwords feature.
In the future, instead of requiring the use of a filter, WordPress could make a loopback request and check for a `WWW-Authenticate` header to make this detection more robust out of the box.
Props SeBsZ, archon810, aaroncampbell, ocean90, SergeyBiryukov, TimothyBlynJacobs.
Fixes#52066.
Built from https://develop.svn.wordpress.org/trunk@50006
git-svn-id: http://core.svn.wordpress.org/trunk@49707 1a063a9b-81f0-0310-95a4-ce76da25c4cd
To be able to disable jQuery Migrate as step 3 of updating the jQuery version shipped with WordPress, all `JQMIGRATE` warnings in the browser console will have to be addressed.
This includes many minor adjustments to a wide array of core files.
Follow-up to:
* Step 1: Disabling jQuery Migrate 1.4.1 in WordPress 5.5: [48323], [48324]
* Step 2: Updating jQuery to 3.5.1 and adding jQuery Migrate 3.3.x in WordPress 5.6: [49101], [49338], [49615], [49649]
Props Clorith, azaozz.
See #51812.
Built from https://develop.svn.wordpress.org/trunk@50001
git-svn-id: http://core.svn.wordpress.org/trunk@49702 1a063a9b-81f0-0310-95a4-ce76da25c4cd
TinyMCE was not implemented on the accessibility mode for widgets, disabling text editing fields. Change ensures that TinyMCE is initialized when accessibility mode is set up. Prior implementation hid the text widget fields if they were empty, which they always were for new widgets.
Props MadtownLems, alexstine, hareesh-pillai, dariak
Built from https://develop.svn.wordpress.org/trunk@49973
git-svn-id: http://core.svn.wordpress.org/trunk@49674 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This allows for the string to be distinguished from a post status of the same name, which is useful for better translations in languages were "public" can be masculine or feminine depending on context.
Props audrasjb.
Fixes#52309.
Built from https://develop.svn.wordpress.org/trunk@49962
git-svn-id: http://core.svn.wordpress.org/trunk@49663 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds a border along the side of admin menu links when hovering or focusing on them, as color should not be the only indicator of link state.
Props accessiblejoe florianziegler afercia rianrietveld michael-arestad ryan hedgefield audrasjb ibdz.
Fixes#28599.
Built from https://develop.svn.wordpress.org/trunk@49961
git-svn-id: http://core.svn.wordpress.org/trunk@49660 1a063a9b-81f0-0310-95a4-ce76da25c4cd
If every single label is emphasized with a `<strong>` tag, none of them is really emphasized anymore.
This removes the tags in favor of CSS styling, for consistency with the other labels on the screen.
Props chemiker, audrasjb, mukesh27, paaljoachim, estelaris, ibdz, SergeyBiryukov.
Fixes#52232.
Built from https://develop.svn.wordpress.org/trunk@49958
git-svn-id: http://core.svn.wordpress.org/trunk@49657 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This joyous marriage means that users will no longer find a selected top bulk action on a list table unexpectedly being applied instead of their selected bottom bulk action. The top and bottom controls for changing user roles are equally wedded forever too.
Props clayray, subrataemfluence, garrett-eclipse, pbiron, hareesh-pillai
Fixes#46872
Built from https://develop.svn.wordpress.org/trunk@49944
git-svn-id: http://core.svn.wordpress.org/trunk@49643 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates the following packages to the latest versions.
Updated packages:
- `copy-webpack-plugin` from `5.1.1` to `5.1.2`.
- `grunt` from `1.1.0` to `1.3.0`.
- `grunt-contrib-jshint` from `2.1.0` to `3.0.0`.
- `grunt-contrib-qunit` from `3.1.0` to `4.0.0`.
- `grunt-rtlcss` from `2.0.1` to `2.0.2`.
- `qunit` from `2.9.0` to `2.13.0`.
- `sinon` from `9.0.0` to `9.2.2`.
- `source-map-loader` from `0.2.4` to `1.1.3`.
- `uuid` from `8.2.0` to `8.3.2`.
- `webpack-dev-server` from `3.11.0` to `3.11.1`.
See #51801.
Built from https://develop.svn.wordpress.org/trunk@49939
git-svn-id: http://core.svn.wordpress.org/trunk@49638 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When App Passwords was introduced, the `wp_authorize_application_password_form` and `wp_application_passwords_approve_app_request_success` hook were mistakenly duplicated and incorrectly documented. This commit corrects the hook names and ensures the correct parameters are passed.
Props johnbillion, engahmeds3ed.
Fixes#52013.
Built from https://develop.svn.wordpress.org/trunk@49920
git-svn-id: http://core.svn.wordpress.org/trunk@49619 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [49154] the async Site Health tests were changed to use the REST API instead of admin-ajax. An unintended side effect of this change was that the loopback tests which tried to ping the site's `admin_url()` were no longer authenticated because admin-cookies aren't provided to the REST API.
This commit adjusts the loopback test to use the front-end `site_url` which checks that cron will function properly. A follow-up ticket will focus on tests that will cover the file editor checks.
Props Clorith.
Fixes#52097.
See #48105.
Built from https://develop.svn.wordpress.org/trunk@49917
git-svn-id: http://core.svn.wordpress.org/trunk@49616 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This allows for more flexibility when determining which version of a post is the latest one, and makes it possible to implement import logic involving updating and adding revisions to existing posts or pages.
Props jmdodd.
Fixes#52180.
Built from https://develop.svn.wordpress.org/trunk@49910
git-svn-id: http://core.svn.wordpress.org/trunk@49609 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This brings the accessibility improvements previously made for other areas of the admin in WordPress 5.3 to the installation screens too.
Follow-up to [46241-46244], [46247], [46248], [46293], [46425].
Props Maigret, audrasjb.
Fixes#51854.
Built from https://develop.svn.wordpress.org/trunk@49907
git-svn-id: http://core.svn.wordpress.org/trunk@49606 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset modifies the Site Health panel for HTTPS to provide more accurate recommendations based on whether the environment is already set up for HTTPS.
* Introduces `wp_is_using_https()` to check whether the site is configured to use HTTPS (via its Site Address and WordPress Address).
* Introduces `wp_is_https_supported()` to check whether the environment supports HTTPS. This relies on a cron job which periodically checks support using a loopback request.
Props Clorith, flixos90, miinasikk, westonruter.
Fixes#47577.
Built from https://develop.svn.wordpress.org/trunk@49904
git-svn-id: http://core.svn.wordpress.org/trunk@49603 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Whether App Passwords are being used is a global featurel, not a per-network feature. This fixes issues on Multi Network installs if App Passwords are used on a different network from where they were created.
Props spacedmonkey.
Fixes#51939.
See [49752].
Built from https://develop.svn.wordpress.org/trunk@49764
git-svn-id: http://core.svn.wordpress.org/trunk@49487 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Application Passwords uses Basic Authentication to transfer authentication details. If the site is already using Basic Auth, for instance to implement a private staging environment, then the REST API will treat this as an authentication attempt and would end up generating an error for any REST API request.
Now, Application Password authentication will only be attempted if Application Passwords is in use by a site. This is flagged by setting an option whenever an Application Password is created. An upgrade routine is added to set this option if any App Passwords already exist.
Lastly, creating an Application Password will be prevented if the site appears to already be using Basic Authentication.
Props chexwarrior, georgestephanis, adamsilverstein, helen, Clorith, marybaum, TimothyBlynJacobs.
Fixes#51939.
Built from https://develop.svn.wordpress.org/trunk@49752
git-svn-id: http://core.svn.wordpress.org/trunk@49475 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `date_i18n` function is now used when formatting the dates in PHP instead of `gmdate` which doesn't handle localization properly.
Additionally, we now use a translation to get the date format to use instead of pulling from the `date_format` option which is only supposed to affect the front-end.
Lastly, when passing the date format to the Backbone JS template, we now use `wp_json_encode()` to format the value for JavaScript. This ensures that backslashes are properly preserved which are used by some locales to escape date formatting control characters.
Props pedromendonca, TimothyBlynJacobs, ocean90, hellofromtonya, SergeyBiryukov, antpb.
Fixes#51918.
See [35811].
Built from https://develop.svn.wordpress.org/trunk@49746
git-svn-id: http://core.svn.wordpress.org/trunk@49469 1a063a9b-81f0-0310-95a4-ce76da25c4cd
r49212 greatly improved the performance of `get_dirsize()`, but also changed the structure of the data stored in the `dirsize_cache` transient. It stored relative paths instead of absolute ones, and also removed the unnecessary `size` array.
That difference in data structures led to a fatal error in the following environment:
* PHP 8
* Multisite
* A custom `WP_CONTENT_DIR` which is not a child of WP's `ABSPATH` folder (e.g., [https://roots.io/bedrock/ Bedrock])
* The `upload_space_check_disabled` option set to `0`
After upgrading to WP 5.6, the `dirsize_cache` transient still had data in the old format. When `wp-admin.php/index.php` was visited, `get_space_used()` received an `array` instead of an `int`, and tried to divide it by another `int`. PHP 7 would silently cast the arguments to match data types, but [https://wiki.php.net/rfc/arithmetic_operator_type_checks PHP 8 throws a fatal error]:
`Uncaught TypeError: Unsupported operand types: array / int`
`recurse_dirsize()` was using `ABSPATH` to convert the absolute paths to relative ones, but some upload locations are not located under `ABSPATH`. In those cases, `$directory` and `$cache_path` were identical, and that triggered the early return of the old `array`, instead of the expected `int`.
In order to avoid that, this commit restores the absolute paths, but without the `size` array. It also adds a type check when returning cached values. Using absolute paths without `size` has the result of overwriting the old data, so that it matches the new format. The type check and upgrade routine are additional safety measures.
Props peterwilsoncc, janthiel, helen, hellofromtonya, francina, pbiron.
Fixes#51913. See #19879.
Built from https://develop.svn.wordpress.org/trunk@49744
git-svn-id: http://core.svn.wordpress.org/trunk@49467 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This brings some consistency with the same check in `core_upgrade_preamble()` and avoids a PHP warning if `$cur->version` is not set.
Additionally, remove the check for `$cur->url` property, unused since [8595].
Follow-up to [49708], [49709].
Props pbiron, afragen, audrasjb.
Fixes#51892.
Built from https://develop.svn.wordpress.org/trunk@49736
git-svn-id: http://core.svn.wordpress.org/trunk@49459 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This enables, for example, the previous post status to be used by this hook without the need to first capture it on an earlier hook.
This also fixes the value of the `$fire_after_hooks` parameter in `get_default_post_to_edit()` so the `wp_after_insert_post` action correctly fires just once on the new post screen.
Props Collizo4sky, peterwilsoncc, hellofromTonya, TimothyBlynJacobs, SergeyBiryukov
Fixes#45114
Built from https://develop.svn.wordpress.org/trunk@49731
git-svn-id: http://core.svn.wordpress.org/trunk@49454 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The REST API requests in Site Health and App Passwords now include `_locale=user` in the request URL to ensure the user's locale is used instead of the site locale. Additionally, the `apiRequest` library now sends a JSON `Accept` header which is required by `determine_locale()` to respect the `_locale` query parameter.
The Site Health REST API controllers now manually load the default admin textdomain if not `is_admin()`. This allows for the Site Health tests to be translated even though the translations are part of the administration project and the REST API is not.
Props oglekler, kebbet, Clorith, TimothyBlynJacobs, ocean90, SergeyBiryukov, adamsilverstein.
Fixes#51871.
Built from https://develop.svn.wordpress.org/trunk@49716
git-svn-id: http://core.svn.wordpress.org/trunk@49439 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This ensures that the message is displayed when the `WP_AUTO_UPDATE_CORE` constant is set to `beta` or `rc` and the user is on a development version.
Follow-up to [49245], [49254], [49292], [49638], [49708].
Props afragen, audrasjb, azaozz, SergeyBiryukov.
Fixes#51822.
Built from https://develop.svn.wordpress.org/trunk@49709
git-svn-id: http://core.svn.wordpress.org/trunk@49432 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Replace the placeholder links now that the posts have been published. This also updates the jQuery plugin links to to local-site links, if the user can install plugins.
Follow-up to [49640].
Props mukesh27, ocean90.
See #51415.
Built from https://develop.svn.wordpress.org/trunk@49702
git-svn-id: http://core.svn.wordpress.org/trunk@49425 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Captions are uploaded in the block editor, and not created in the editor.
* Avoid making an invalid claim of WCAG 2.1 conformance or trivialize the efforts still required to build an accessible and compliant site.
Follow-up to [49640].
Props joedolson.
See #51415.
Built from https://develop.svn.wordpress.org/trunk@49674
git-svn-id: http://core.svn.wordpress.org/trunk@49397 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Clarifies that if you are on maintenance/security auto-updates that you are only on those and therefore there are more options available.
* Adds a message if a version control system has been detected, as automatic updates are disabled in that case.
* Ensures only one heading between `update available`, `you are on a dev version`, and `you are on latest` appears at any given time, falling back to `you are on latest` if something strange happens with the returned update data.
* Removes some older strings related to auto-updates, which greatly simplifies the above.
* Strips the `core-major-auto-updates-saved` query arg from the URL, as it is related to a dismissible notice.
Props audrasjb, pbiron, helen.
Fixes#51742.
Built from https://develop.svn.wordpress.org/trunk@49638
git-svn-id: http://core.svn.wordpress.org/trunk@49376 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Application Passwords introduced a new Rewrite Rule to handle the Authorization header on certain systems.
This bumps the database version and updates the file so the change is applied to sites upon upgrading to 5.6.
Follow-up to [49534].
Props pbiron, TimothyBlynJacobs, SergeyBiryukov.
Fixes#51723.
Built from https://develop.svn.wordpress.org/trunk@49632
git-svn-id: http://core.svn.wordpress.org/trunk@49370 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fixes the "There is a more recent autosave of your changes" notice from not
being removed when the dismiss button is clicked.
The problem is caused by the notice being initialized twice: once by the
`common` script and then again by the `customize-controls` script.
This temporary fix prevents `customize-controls` from initializing a notice if
it has already been initialized.
A better fix would be to not initialize notices twice. This can be done by
removing `common` as a dependency of `updates` when `deprecateL10nObject` is
removed.
When this happens (est: 5.7), this temporary fix should be reverted.
Fixes#51425.
See #51317.
Props karthikbhatb, dlh, SergeyBiryukov.
Built from https://develop.svn.wordpress.org/trunk@49625
git-svn-id: http://core.svn.wordpress.org/trunk@49363 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously App Passwords used a mix of "enabled" and "available". We've now standardized on using "available".
Additionally, we now use a 501 status code when indicating that App Passwords is not available.
Props SergeyBiryukov, ocean90, TimothyBlynJacobs.
Fixes#51513.
Built from https://develop.svn.wordpress.org/trunk@49617
git-svn-id: http://core.svn.wordpress.org/trunk@49355 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds clearer messages about what your current settings mean for updates, uses a more compact link-based action instead of a checkbox to change the setting, and respects constants and filters.
Props audrasjb, karmatosed, helen, azaozz, hedgefield, marybaum.
Fixes#51742.
Built from https://develop.svn.wordpress.org/trunk@49587
git-svn-id: http://core.svn.wordpress.org/trunk@49325 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Its presence may conflict with `WP_Post::__get()`, which should generally fill the non-existent `post_category` property, but is not triggered if the column exists in the database.
Follow-up to [10895].
Props leogermani, davidbaumwald, hellofromTonya.
Fixes#51288.
Built from https://develop.svn.wordpress.org/trunk@49572
git-svn-id: http://core.svn.wordpress.org/trunk@49310 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Deleting all visible items on the last page of the media library previously left a blank page with no media items available. Using `wp_count_attachements` instead of `found_posts` solves the problem.
Props donsony, karmatosed, desrosj, mista-flo, justinahinon.
Fixes#39968.
Built from https://develop.svn.wordpress.org/trunk@49567
git-svn-id: http://core.svn.wordpress.org/trunk@49305 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Sets a defined size for text alongside the media browser uploader button fixing alignment on popular browsers.
Props krupajnanda, mikeschroder, aaroncampbell, lucagrandicelli, andraganescu, samful, sabernhardt, andystitt829, kburgoine.
Fixes#41648
Built from https://develop.svn.wordpress.org/trunk@49553
git-svn-id: http://core.svn.wordpress.org/trunk@49291 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Add a label to the readonly password input.
- Handle focus loss after revoking app passwords.
- Handle focus loss after dismissing notices.
- Mark app name as `aria-required`.
- Use `aria-label` for detailed revoke button text instead of `title`.
- Use `-1` for `tabindex` instead of `0`.
Props alexstine, afercia, sabernhardt, audrasjb, joedolson, TimothyBlynJacobs.
Fixes#51580.
Built from https://develop.svn.wordpress.org/trunk@49549
git-svn-id: http://core.svn.wordpress.org/trunk@49287 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This will discard any invalid responses instead of causing fatal errors.
It also makes badges optional, on the same basis as actions are optional. They are expected, but there may be situations where they are not present.
Props Clorith, dogwithblog, kraftbj, whyisjake, SergeyBiryukov.
Fixes#50145.
Built from https://develop.svn.wordpress.org/trunk@49537
git-svn-id: http://core.svn.wordpress.org/trunk@49275 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This switches to using `wp_parse_args()` instead of a combination of `array_merge()` and `array_intersect_key()` when ensuring that all expected default keys are present in the update information for a plugin.
This prevents non-default data returned by 3rd-party plugins from being unintentionally stripped out.
Props peterwilsoncc, chriscct7.
Fixes#51609.
Built from https://develop.svn.wordpress.org/trunk@49477
git-svn-id: http://core.svn.wordpress.org/trunk@49236 1a063a9b-81f0-0310-95a4-ce76da25c4cd
App Passwords rely on the Authorization header to transport the Basic Auth credentials. For Apache web servers, WordPress automatically includes a RewriteRule to populate the value for servers running in CGI or FastCGI that wouldn't ordinarily populate the value.
This tests if the header is being filled with the expected values. For Apache users, we direct the user to visit the Permalinks settings to flush their permalinks. For all other users, we direct them to a help document on developer.wordpress.org.
Props Clorith, marybaum, TimothyBlynJacobs.
Fixes#51638.
Built from https://develop.svn.wordpress.org/trunk@49334
git-svn-id: http://core.svn.wordpress.org/trunk@49095 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This stems from longer translations on the User table, but this will apply to any posts column in a list table. Hyphenation should typically just apply to the column header, as the cell contents are just a count.
This does appear to have some browser inconsistencies, so may need further adjustment in the future.
Props audrasjb, justinahinon.
Fixes#50838.
Built from https://develop.svn.wordpress.org/trunk@49317
git-svn-id: http://core.svn.wordpress.org/trunk@49079 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Make form inputs stacked instead of inline.
- Provide a visible label for the app name.
- Add screen reader text to dismiss button.
- Make "Revoke" button label more descriptive.
- Use aria-disabled instead of disabled to avoid focus loss.
- Display password in a readonly input to assist copy and paste.
- Remove large sections of italic text.
- Use `.form-wrap` and `.form-field` to give consistent form styling.
- Improve labeling and placeholder text.
Props alexstine, georgestephanis, afercia, TimothyBlynJacobs.
Fixes#51580.
Built from https://develop.svn.wordpress.org/trunk@49294
git-svn-id: http://core.svn.wordpress.org/trunk@49056 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates `core_auto_updates_settings()` to account for the new `beta` and `rc` values for the `WP_AUTO_UPDATE_CORE` constant.
Additionally, recognize these new values as acceptable in Site Health tests.
Follow-up to [48804], [49245], [49254].
Fixes#51319. See #50907.
Built from https://develop.svn.wordpress.org/trunk@49292
git-svn-id: http://core.svn.wordpress.org/trunk@49054 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, any `input` or `select` inside of a `.form-invalid` wrapper would get the red border highlighting, including submit buttons which was not visually correct. This now only applies to form elements with a class of `.form-required` inside of the `.form-invalid` wrapper. It also continues to apply the border to elements with both classes (`.form-invalid.form-required`) as that is how some of the admin markup is structured.
Plugin authors may need to do the same sort of class application seen in this commit, i.e. add `.form-required` to certain form elements.
Props sabernhardt, dilipbheda, helen.
Fixes#50686.
Built from https://develop.svn.wordpress.org/trunk@49283
git-svn-id: http://core.svn.wordpress.org/trunk@49045 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Apps may now optionally include an `app_id` parameter when directing the user to the Authorize Application screen. This allows for instances of an application to be identified and potentially revoked or blocked.
Props TimothyBlynJacobs, georgestephanis.
Fixes#51583.
Built from https://develop.svn.wordpress.org/trunk@49276
git-svn-id: http://core.svn.wordpress.org/trunk@49038 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Sergey Biryukov
TimothyBlynJacobs
desrosj
joedolson
Dominik Schilling
ryelle
John Blackbourn
Felix Arntz
Andrew Ozz
Helen Hou-Sandí
iandunn
noisysocks
antpb
Adam Silverstein
Aaron Campbell