Extend the check in 'rest_allow_anonymous_comments' to accept any falsy value (previously this was an explicit check for `false`).
One possible failure case is that a plugin developer forgets to include a return value for some code path in their callback for this filter, leading to a value of null which is currently treated like `true`.
Props joehoyle, jnylen0.
Merges [39487] to the 4.7 branch.
Fixes#39010.
Built from https://develop.svn.wordpress.org/branches/4.7@39566
git-svn-id: http://core.svn.wordpress.org/branches/4.7@39506 1a063a9b-81f0-0310-95a4-ce76da25c4cd
If the `require_name_email` option is true, creating a comment with an empty string for the author name or email should not be accepted. Both values can be an empty string on update.
Merges [39444] into the 4.7 branch.
Props flixos90, hnle, dd32, rachelbaker, jnylen0, ChopinBach, joehoyle, pento.
Fixes#38971 for 4.7.
Built from https://develop.svn.wordpress.org/branches/4.7@39446
git-svn-id: http://core.svn.wordpress.org/branches/4.7@39386 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- 'orderby' => 'include' requires an array of post_ids via the include collection param.
- 'orderby' => 'id' and 'orderby' => 'slug' need map the correct WP_Query equivalents.
Merges [39440] to the 4.7 branch.
Props flixos90, hnle, dd32, rachelbaker, joehoyle, pento.
Fixes#38971 for 4.7.
Built from https://develop.svn.wordpress.org/branches/4.7@39441
git-svn-id: http://core.svn.wordpress.org/branches/4.7@39381 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In wp-admin, users are removed from individual sites rather than deleted. A user can only be deleted from the network admin.
Until support for a PUT request that removes a user's site and content associations is available, DELETE requests are disabled to avoid possible issues with lost content.
Merges [34938] onto 4.7 branch.
Props jnylen0, rachelbaker.
Fixes#38962 for 4.7.
Built from https://develop.svn.wordpress.org/branches/4.7@39439
git-svn-id: http://core.svn.wordpress.org/branches/4.7@39379 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When deleting a user through the WordPress admin, a specific decision is presented - whether to assign all of the user's posts to another user, or to delete all of the posts.
This change requires `reassign` as a parameter in the corresponding REST API endpoint, so that content isn't accidentally lost.
Merges [39426] to the 4.7 branch.
Props jeremyfelt.
Fixes#39000.
Built from https://develop.svn.wordpress.org/branches/4.7@39427
git-svn-id: http://core.svn.wordpress.org/branches/4.7@39367 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Change the capability check used in `WP_REST_Terms_Controller` when creating a new term is attempted, from `manage_terms` to `edit_terms`. This matches the behavior within the WordPress admin. See #35614.
Props johnbillion, rmccue, rachelbaker, helen, jorbin, SergeyBiryukov.
Merges [39402] to the 4.7 branch.
Fixes#38958 for 4.7.
Built from https://develop.svn.wordpress.org/branches/4.7@39403
git-svn-id: http://core.svn.wordpress.org/branches/4.7@39343 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In the `check_username()` and `check_password()` callbacks in the Users controller cast the provided request value to a string. The `rest_sanitize_value_from_schema()` function was being used incorrectly which was causing unintended request parsing.
In `rest_sanitize_request_arg()` do not pass nonexistent third parameter for the `rest_sanitize_value_from_schema()` function.
Props jnylen0, joehoyle, rachelbaker, ocean90.
Merges [39400] to the 4.7 branch.
Fixes#38984 for 4.7.
Built from https://develop.svn.wordpress.org/branches/4.7@39401
git-svn-id: http://core.svn.wordpress.org/branches/4.7@39341 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Core requires the post password to view and create comments on password protected posts, so we must support a “password” param on the comments endpoint when fetch comments for a specific post and creating a comment on a password protected post.
Props flixos90, jnylen0.
Fixes#38692.
Built from https://develop.svn.wordpress.org/trunk@39349
git-svn-id: http://core.svn.wordpress.org/trunk@39289 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Brings consistency to the `rest_insert_*` actions. Also includes some shuffling and clean-up as well including:
- Ensure we are passing the most current `$post` and `$user` objects to the `update_additional_fields_for_object()` callbacks.
- Changes the function signature of `handle_status_param()` in the Comments controller to accept just the comment_id as the 2nd parameter, instead of a full WP_Comment object. Only the comment_id is needed in the method, this avoids having to include another `get_comment()` call.
- Renames a variable in the `create_item()` method of the Posts controller from `$post` -> `$prepared_post` to be more explicit.
- Minor fixes/clarifications to the rest_insert_* hook docs
Props rachelbaker, joehoyle
Fixes#38905.
Built from https://develop.svn.wordpress.org/trunk@39348
git-svn-id: http://core.svn.wordpress.org/trunk@39288 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adding a brand new anonymous comment method is a potential conduit for spam. Since it's still useful functionality, we're now hiding it behind a filter to allow plugins and themes to turn it on if they do want it.
Props helen, rachelbaker, joehoyle.
Fixes#38855.
Built from https://develop.svn.wordpress.org/trunk@39327
git-svn-id: http://core.svn.wordpress.org/trunk@39267 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Users without the moderate_comments capability can no longer set the `author_ip` property directly, and instead receive a `WP_Error` if they attempt to do so. Otherwise, the `author_ip property` is populated from `$_SERVER['REMOTE_ADDR']` if present and a valid IP value. Finally, fallback to 127.0.0.1 as a last resort.
Props dd32, rachelbaker, joehoyle.
Fixes#38819.
Built from https://develop.svn.wordpress.org/trunk@39302
git-svn-id: http://core.svn.wordpress.org/trunk@39242 1a063a9b-81f0-0310-95a4-ce76da25c4cd
WordPress has not used the `karma` property internally for the past 8 years. There is no need to expose it in the REST API endpoints. Sites that use `karma` can include it using the `register_rest_field()` function.
Props dd32, danielbachhuber.
Fixes#38821.
Built from https://develop.svn.wordpress.org/trunk@39292
git-svn-id: http://core.svn.wordpress.org/trunk@39232 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Of the default comment_types, only comments are expected to be created via the REST API endpoint. Comments do not have registered types the way that Posts do, so we do not have a method to accurately check permissions for arbitrary comment types.
Props dd32, boonebgorges, rachelbaker.
Fixes#38820.
Built from https://develop.svn.wordpress.org/trunk@39290
git-svn-id: http://core.svn.wordpress.org/trunk@39230 1a063a9b-81f0-0310-95a4-ce76da25c4cd
For developers wanting to add their own registered collection parameters, they can now use the `rest_$type_collection_params` filter. This brings consistency with the already existing `rest_$post_type_collection_params`.
Fixes#38710.
Props jnylen0.
Built from https://develop.svn.wordpress.org/trunk@39223
git-svn-id: http://core.svn.wordpress.org/trunk@39163 1a063a9b-81f0-0310-95a4-ce76da25c4cd