Commit Graph

116 Commits

Author SHA1 Message Date
K. Adam White f028b4e781 REST API: Expose current $request object to cors_header filters in WP_REST_SERVER->serve_request().
Allows headers to be more easily set on a per-response basis when more or less security is needed on a specific route.

Props bor0, rachelbaker, spacedmonkey, chaion07, oglekler, SergeyBiryukov.
Fixes #57752.


Built from https://develop.svn.wordpress.org/trunk@56096


git-svn-id: http://core.svn.wordpress.org/trunk@55608 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-06-28 17:39:29 +00:00
Sergey Biryukov ad16732d27 Code Modernization: Use `str_contains()` in a few more places.
`str_contains()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) contains the given substring (needle).

WordPress core includes a polyfill for `str_contains()` on PHP < 8.0 as of WordPress 5.9.

This commit replaces `false !== strpos( ... )` with `str_contains()` in core files, making the code more readable and consistent, as well as better aligned with modern development practices.

Follow-up to [55988], [56021].

See #58206.
Built from https://develop.svn.wordpress.org/trunk@56031


git-svn-id: http://core.svn.wordpress.org/trunk@55543 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-06-26 10:17:25 +00:00
Sergey Biryukov 2ec23a82ed Code Modernization: Replace usage of `strpos()` with `str_starts_with()`.
`str_starts_with()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins with the given substring (needle).

WordPress core includes a polyfill for `str_starts_with()` on PHP < 8.0 as of WordPress 5.9.

This commit replaces `0 === strpos( ... )` with `str_starts_with()` in core files, making the code more readable and consistent, as well as improving performance.

While `strpos()` is slightly faster than the polyfill on PHP < 8.0, `str_starts_with()` is noticeably faster on PHP 8.0+, as it is optimized to avoid unnecessarily searching along the whole haystack if it does not find the needle.

Follow-up to [52039], [52040], [52326].

Props spacedmonkey, costdev, sabernhardt, mukesh27, desrosj, jorbin, TobiasBg, ayeshrajans, lgadzhev, SergeyBiryukov.
Fixes #58012.
Built from https://develop.svn.wordpress.org/trunk@55703


git-svn-id: http://core.svn.wordpress.org/trunk@55215 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-05-02 15:45:22 +00:00
John Blackbourn cc24b047eb Docs: Correct and improve various documented types for properties, functions, and hooks.
See #57840

Built from https://develop.svn.wordpress.org/trunk@55693


git-svn-id: http://core.svn.wordpress.org/trunk@55205 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-04-27 22:29:18 +00:00
TimothyBlynJacobs 42b25d58ea REST API: Normalize WP_REST_Server::dispatch() to return a response object.
Previously, the `rest_pre_dispatch` filter could be used to return a `WP_Error` instance. This would cause a fatal error for `rest_post_dispath` 
filters that were rightly expecting a `WP_REST_Response` object to be passed instead.

Props DaveFX, felipeelia.
Fixes #56566.

Built from https://develop.svn.wordpress.org/trunk@55361


git-svn-id: http://core.svn.wordpress.org/trunk@54894 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-02-17 15:45:24 +00:00
Sergey Biryukov 0230731505 Code Modernization: Rename parameters that use reserved keywords in `wp-includes/rest-api/class-wp-rest-server.php`.
While using reserved PHP keywords as parameter name labels is allowed, in the context of function calls using named parameters in PHP 8.0+, this will easily lead to confusion. To avoid that, it is recommended not to use reserved keywords as function parameter names.

This commit renames the `$namespace` parameter to `$route_namespace` in:
* `WP_REST_Server::register_route()`
* `WP_REST_Server::get_routes()`

Follow-up to [52946], [52996], [52997], [52998], [53003], [53014], [53029], [53039], [53116], [53117], [53137], [53174], [53184], [53185], [53192], [53193], [53198], [53203], [53207], [53215], [53216], [53220], [53230], [53232], [53236], [53239], [53240], [53242], [53243], [53245], [53246], [53257], [53269], [53270], [53271], [53272], [53273], [53274], [53275], [53276], [53277], [53281], [53283], [53284], [53285], [53287], [53364], [53365], [54927], [54929], [54930], [54931], [54932], [54933], [54938], [54943], [54944], [54945], [54946], [54947], [54948], [54950], [54951], [54952], [54956], [54959], [54960], [54961], [54962], [54964].

Props jrf, aristath, poena, justinahinon, SergeyBiryukov.
See #56788.
Built from https://develop.svn.wordpress.org/trunk@54965


git-svn-id: http://core.svn.wordpress.org/trunk@54517 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-12-13 18:34:12 +00:00
Sergey Biryukov 25ea9680ae Docs: Update various DocBlocks and inline comments per the documentation standards.
Includes minor formatting edits for consistency.

Follow-up to [53/tests], [12179], [12946], [35288], [37884], [38810], [38928], [46596], [48131], [52955], [53548], [53813], [53873], [54118], [54316], [54420], [54421], [54803].

See #56792.
Built from https://develop.svn.wordpress.org/trunk@54855


git-svn-id: http://core.svn.wordpress.org/trunk@54407 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-11-17 18:15:19 +00:00
audrasjb 823517e1de Docs: Align spelling with American English.
This changeset replaces "behaviour" with "behavior" in various docblocks.

Props kebbet, jrf.
See #56811, #56792.

Built from https://develop.svn.wordpress.org/trunk@54663


git-svn-id: http://core.svn.wordpress.org/trunk@54215 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-10-21 21:12:14 +00:00
davidbaumwald 7a15b3353a REST API: Ensure `args` is an array of arrays in `register_rest_route()`.
When calling `register_rest_route()`, the `args` parameter for a route should be an array of arrays.  However, some plugins/themes have passed an array of strings or key-value pairs which produces a PHP warning when `array_intersect_key` is used to filter the array keys based on an allowed list of schema keywords.

This change adds a check of the `args` parameter to ensure it's an array of arrays, presenting a `_doing_it_wrong` if any element of `args` is not an array and restructuring to an array of arrays.  This change also adds a unit test for the incorrect usage described above, expecting that a `_doing_it_wrong` is produced.

Props slaFFik, desrosj, apermo, AndrewNZ, aristath, poena, dovyp, timothyblynjacobs, Hinjiriyo, johnmark8080, nateallen.
Fixes #51986.
Built from https://develop.svn.wordpress.org/trunk@54339


git-svn-id: http://core.svn.wordpress.org/trunk@53898 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-09-27 20:13:13 +00:00
Sergey Biryukov c03305852e Code Modernization: Add `AllowDynamicProperties` attribute to all (parent) classes.
Dynamic (non-explicitly declared) properties are deprecated as of PHP 8.2 and are expected to become a fatal error in PHP 9.0.

There are a number of ways to mitigate this:
* If it is an accidental typo for a declared property: fix the typo.
* For known properties: declare them on the class.
* For unknown properties: add the magic `__get()`, `__set()`, et al. methods to the class or let the class extend `stdClass` which has highly optimized versions of these magic methods built in.
* For unknown ''use'' of dynamic properties, the `#[AllowDynamicProperties]` attribute can be added to the class. The attribute will automatically be inherited by child classes.

Trac ticket #56034 is open to investigate and handle the third and fourth type of situations, however it has become clear this will need more time and will not be ready in time for WP 6.1.

To reduce “noise” in the meantime, both in the error logs of WP users moving onto PHP 8.2, in the test run logs of WP itself, in test runs of plugins and themes, as well as to prevent duplicate tickets from being opened for the same issue, this commit adds the `#[AllowDynamicProperties]` attribute to all “parent” classes in WP.

The logic used for this commit is as follows:
* If a class already has the attribute: no action needed.
* If a class does not `extend`: add the attribute.
* If a class does `extend`:
 - If it extends `stdClass`: no action needed (as `stdClass` supports dynamic properties).
 - If it extends a PHP native class: add the attribute.
 - If it extends a class from one of WP's external dependencies: add the attribute.
* In all other cases: no action — the attribute should not be needed as child classes inherit from the parent.

Whether or not a class contains magic methods has not been taken into account, as a review of the currently existing magic methods has shown that those are generally not sturdy enough and often even set dynamic properties (which they should not). See the [https://www.youtube.com/watch?v=vDZWepDQQVE live stream from August 16, 2022] for more details.

This commit only affects classes in the `src` directory of WordPress core.
* Tests should not get this attribute, but should be fixed to not use dynamic properties instead. Patches for this are already being committed under ticket #56033.
* While a number bundled themes (2014, 2019, 2020, 2021) contain classes, they are not a part of this commit and may be updated separately.

Reference: [https://wiki.php.net/rfc/deprecate_dynamic_properties PHP RFC: Deprecate dynamic properties].

Follow-up to [53922].

Props jrf, hellofromTonya, markjaquith, peterwilsoncc, costdev, knutsp, aristath.
See #56513, #56034.
Built from https://develop.svn.wordpress.org/trunk@54133


git-svn-id: http://core.svn.wordpress.org/trunk@53692 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-09-12 15:47:14 +00:00
K. Adam White bd607c1118 REST API: Introduce _pretty query parameter to opt in to JSON_PRETTY_PRINT.
Add support for a "_pretty" meta-parameter on all REST controllers which instructs WordPress to return pretty-printed JSON, for better readability when inspecting endpoint responses in curl output or certain developer tools.

Introduce the "rest_json_encode_options" filter to permit site owners to control this behavior globally.

Props Viper007Bond, TimothyBlynJacobs, chrisguitarguy, johnbillion, swissspidy, adamsilverstein, danielbachhuber, rmccue.
Fixes #41998.

Built from https://develop.svn.wordpress.org/trunk@54127


git-svn-id: http://core.svn.wordpress.org/trunk@53686 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-09-11 22:02:09 +00:00
Sergey Biryukov 6e26f8f8c7 REST API: Add the missing `site_icon_url` to the index.
The `site_icon_url` index was supposed to ship with WordPress 5.6, but was [https://github.com/WordPress/gutenberg/pull/22952 never backported to core].

This commit backports the original PR from Gutenberg repository:
* [https://github.com/WordPress/gutenberg/pull/42957 #42957: REST API: Add the missing 'site_icon_url' to the index]

Follow-up to [52080].

Props Mamaduka, bernhard-reiter, TimothyBlynJacobs.
See #56467.
Built from https://develop.svn.wordpress.org/trunk@54083


git-svn-id: http://core.svn.wordpress.org/trunk@53642 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-09-06 14:43:09 +00:00
Sergey Biryukov 01d172b581 General: Replace all `esc_url_raw()` calls in core with `sanitize_url()`.
This aims to improve performance by calling `sanitize_url()` directly, instead of the `esc_url_raw()` wrapper. As of WordPress 6.1, `sanitize_url()` is the recommended function for sanitizing a URL for database or redirect usage.

Follow-up to [11383], [13096], [51597], [53452].

Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
Fixes #55852.
Built from https://develop.svn.wordpress.org/trunk@53455


git-svn-id: http://core.svn.wordpress.org/trunk@53044 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-06-01 18:14:10 +00:00
spacedmonkey 06ab86cee6 REST API: Use `rest_parse_embed_param` function in `WP_REST_Server` class.
Ensure that the value get parameter `_embed ` that is passed to the `envelope_response` method, is run through the `rest_parse_embed_param` function. 

Props Spacedmonkey, johnbillion, TimothyBlynJacobs. 
Fixes #54015.


Built from https://develop.svn.wordpress.org/trunk@53110


git-svn-id: http://core.svn.wordpress.org/trunk@52699 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-04-08 17:29:01 +00:00
spacedmonkey 2ae4784ca0 REST API: Pass `WP_REST_Request` object to the rest_index filter.
Props johnregan3, TimothyBlynJacobs, Spacedmonkey, hasanuzzamanshamim.
Fixes #48638. 

Built from https://develop.svn.wordpress.org/trunk@52796


git-svn-id: http://core.svn.wordpress.org/trunk@52385 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-02-24 22:36:01 +00:00
Sergey Biryukov 2eaeae58ff Docs: Update spelling for inline comments in a few files.
Per the [https://make.wordpress.org/core/handbook/best-practices/spelling/ spelling] and [https://make.wordpress.org/docs/style-guide/language-grammar/word-choice/ word choice] documentation guidelines, American (US) spelling should be preferred.

Props mohadeseghasemi, subrataemfluence, rehanali, SergeyBiryukov.
Fixes #46837.
Built from https://develop.svn.wordpress.org/trunk@52640


git-svn-id: http://core.svn.wordpress.org/trunk@52229 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-01-25 13:55:05 +00:00
John Blackbourn c9746ab584 Docs: Various corrections and improvements relating to types used in inline documentation.
See #53399

Built from https://develop.svn.wordpress.org/trunk@52204


git-svn-id: http://core.svn.wordpress.org/trunk@51796 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-18 13:50:05 +00:00
TimothyBlynJacobs d224b7cf10 REST API: Expose the site icon in the REST API index.
Props spacedmonkey, palmiak.
Fixes #52321.

Built from https://develop.svn.wordpress.org/trunk@52080


git-svn-id: http://core.svn.wordpress.org/trunk@51672 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-09 20:37:59 +00:00
TimothyBlynJacobs 84dae82fd3 REST API: Add batch support for posts and terms controllers.
This also exposes the value of `allow_batch` in `OPTIONS` requests to a route.

A future commit will add batch support to more resources.

Props spacedmonkey, chrisvanpatten.
See #53063.

Built from https://develop.svn.wordpress.org/trunk@52068


git-svn-id: http://core.svn.wordpress.org/trunk@51660 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-09 01:59:02 +00:00
TimothyBlynJacobs bac6e41c85 REST API: Support custom namespaces for custom post types.
While a custom post type can define a custom route by using the `rest_base` argument, a namespace of `wp/v2` was assumed. This commit introduces support for a `rest_namespace` argument. 

A new `rest_get_route_for_post_type_items` function has been introduced and the `rest_get_route_for_post` function updated to facilitate getting the correct route for custom post types.

While the WordPress Core Block Editor bootstrap code has been updated to use these API functions, for maximum compatibility sticking with the default `wp/v2` namespace is recommended until the API functions see wider use.

Props spacedmonkey, swissspidy.
Fixes #53656.

Built from https://develop.svn.wordpress.org/trunk@51962


git-svn-id: http://core.svn.wordpress.org/trunk@51551 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-10-31 23:16:58 +00:00
TimothyBlynJacobs af212ad9b3 REST API: Send a 500 status code when JSON encoding fails.
Previously, a 200 status code would be sent despite the 500 status code present in the response body.

Props hermpheus, lalitjalandhar.
Fixes #53056.

Built from https://develop.svn.wordpress.org/trunk@51960


git-svn-id: http://core.svn.wordpress.org/trunk@51549 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-10-31 06:07:56 +00:00
John Blackbourn 00b914db08 REST API: Correct the order of the parameters documented for `WP_REST_Server::respond_to_request()`.
See #53399

Built from https://develop.svn.wordpress.org/trunk@51915


git-svn-id: http://core.svn.wordpress.org/trunk@51508 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-10-18 11:14:57 +00:00
Sergey Biryukov 1b749d971a Docs: Remove an empty line between `@param` and `@return` tags in some newly added REST API methods, per the documentation standards.
Follow-up to [48242], [49925], [51003], [51021].

See #52628, #53461.
Built from https://develop.svn.wordpress.org/trunk@51289


git-svn-id: http://core.svn.wordpress.org/trunk@50898 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-06-30 18:43:58 +00:00
youknowriad be0d5b2534 Block Editor: Update the packages with a number of fixes targeted for Beta 4.
It includes fixes from these two backport PRs: 

 - https://github.com/WordPress/gutenberg/pull/32992
 - https://github.com/WordPress/gutenberg/pull/32956

Props gziolo, ryelle, ntsekouras, desrosj, jorgefilipecosta.
See #53397

Built from https://develop.svn.wordpress.org/trunk@51241


git-svn-id: http://core.svn.wordpress.org/trunk@50850 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-06-25 15:52:22 +00:00
davidbaumwald 9cd6547f13 Docs: Update `help` key documentation link in REST API response.
Props dd32, mukesh27, audrasjb, SergeyBiryukov.
Fixes #53162.
Built from https://develop.svn.wordpress.org/trunk@50840


git-svn-id: http://core.svn.wordpress.org/trunk@50449 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-11 18:05:02 +00:00
Rachel Baker 3d04a220be REST API: Move the `rest_jsonp_enabled` filter before setting the Content-Type header.
Fixes an issue where if JSONP was disabled the `Content-Type` HTTP header was still set to `application/javascript`.  

Props dd32, TimothyBlynJacobs.
Fixes #52691.
Built from https://develop.svn.wordpress.org/trunk@50695


git-svn-id: http://core.svn.wordpress.org/trunk@50304 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-04-09 21:28:08 +00:00
TimothyBlynJacobs 8a51ab57e0 REST API: Return detailed error information from request validation.
Previously, only the first error message for each parameter was made available. Now, all error messages for a parameter are concatenated. Additionally, the detailed error for each parameter is made available in a new `details` section of the validation error. Each error is formatted following the standard REST API error formatting.

The `WP_REST_Server::error_to_response` method has been abstracted out into a standalone function `rest_convert_error_to_response` to allow for reuse by `WP_REST_Request`. The formatted errors now also contain an `additional_data` property which contains the additional error data provided by `WP_Error::get_all_error_data`.

Props dlh, xkon, TimothyBlynJacobs.
Fixes #46191.

Built from https://develop.svn.wordpress.org/trunk@50150


git-svn-id: http://core.svn.wordpress.org/trunk@49829 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-02-02 17:28:02 +00:00
John Blackbourn 35e1b34f8e REST API: Corrections and improvements to docblocks for REST API filters.
See #51800

Built from https://develop.svn.wordpress.org/trunk@49955


git-svn-id: http://core.svn.wordpress.org/trunk@49654 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-10 22:23:09 +00:00
John Blackbourn 6f3a940e64 Plugins: Replace usage of `$this` in action and filter parameter docblocks with more appropriate variable names.
See #51800, #52217

Fixes #52243

Built from https://develop.svn.wordpress.org/trunk@49946


git-svn-id: http://core.svn.wordpress.org/trunk@49645 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-08 14:30:14 +00:00
John Blackbourn dfe1f9b322 Docs: Promote many `bool` types to `true` or `false` where only that value is used.
See #51800

Built from https://develop.svn.wordpress.org/trunk@49927


git-svn-id: http://core.svn.wordpress.org/trunk@49626 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-03 22:04:04 +00:00
TimothyBlynJacobs bf51961e7e REST API: Expose all themes in the themes controller.
Previously, only the active theme was made available. This commit allows for all themes to be queried if the user has the `switch_themes` or `manage_network_themes` capabilities.

This commit also no longer exposes the `page`, `per_page`, `search` and `context` query parameters since they are not supported by this controller.

Props spacedmonkey, lpawlik, TimothyBlynJacobs.
Fixes #50152.

Built from https://develop.svn.wordpress.org/trunk@49925


git-svn-id: http://core.svn.wordpress.org/trunk@49624 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-03 21:47:05 +00:00
TimothyBlynJacobs c56eb69d7d REST API: Properly display JSON encoding errors.
Previously `null` was returned because the server was accessing the incorrect variable.

Props atimmer, technosailor.
Fixes #52106.

Built from https://develop.svn.wordpress.org/trunk@49918


git-svn-id: http://core.svn.wordpress.org/trunk@49617 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-02 20:36:06 +00:00
John Blackbourn 1ead0719b7 Docs: Fix some docblock issues introduced in 5.6.
See #51800

Built from https://develop.svn.wordpress.org/trunk@49787


git-svn-id: http://core.svn.wordpress.org/trunk@49510 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-12-10 23:27:06 +00:00
Sergey Biryukov 4a69dfa63a Docs: Fix typo in some DocBlocks.
See #51800.
Built from https://develop.svn.wordpress.org/trunk@49785


git-svn-id: http://core.svn.wordpress.org/trunk@49508 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-12-10 18:12:03 +00:00
John Blackbourn 753ae723ad Docs: Corrections and improvements to inline docs relating to the REST API.
See #50768

Built from https://develop.svn.wordpress.org/trunk@49610


git-svn-id: http://core.svn.wordpress.org/trunk@49348 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-11-16 11:04:12 +00:00
TimothyBlynJacobs 7fe78e2f18 REST API: Make sure all supported JSON Schema keywords are output in the index.
Previously, only a small subset of keywords were exposed which limited the utility of `OPTIONS` requests.

Props raubvogel, TimothyBlynJacobs.
Fixes #51020.

Built from https://develop.svn.wordpress.org/trunk@49257


git-svn-id: http://core.svn.wordpress.org/trunk@49019 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-20 20:19:09 +00:00
TimothyBlynJacobs 499e4e9053 REST API: Introduce support for batching API requests.
A new route is introduced, `batch/v1`, that accepts a list of API requests to run. Each request runs in sequence, and the responses are returned in the order they've been received.

Optionally, the `require-all-validate` validation mode can be used to first validate each request's parameters and only proceed with processing if each request validates successfully.

By default, the batch size is limited to 25 requests. This can be controlled using the `rest_get_max_batch_size` filter. Clients are strongly encouraged to discover the maximum batch size supported by the server by making an OPTIONS request to the `batch/v1` endpoint and inspecting the described arguments.

Additionally, the two new methods, `match_request_to_handler` and `respond_to_request` introduced in [48947] now have a `protected` visibility as we don't want to expose the inner workings of the `WP_REST_Server::dispatch` API.

Batching is not currently supported for GET requests.

Fixes #50244.
Props andraganescu, zieladam, TimothyBlynJacobs.

Built from https://develop.svn.wordpress.org/trunk@49252


git-svn-id: http://core.svn.wordpress.org/trunk@49014 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-20 19:10:08 +00:00
TimothyBlynJacobs d5ebe12f11 REST API: Introduce Application Passwords for API authentication.
In WordPress 4.4 the REST API was first introduced. A few releases later in WordPress 4.7, the Content API endpoints were added, paving the way for Gutenberg and countless in-site experiences. In the intervening years, numerous plugins have built on top of the REST API. Many developers shared a common frustration, the lack of external authentication to the REST API.

This commit introduces Application Passwords to allow users to connect to external applications to their WordPress website. Users can generate individual passwords for each application, allowing for easy revocation and activity monitoring. An authorization flow is introduced to make the connection flow simple for users and application developers.

Application Passwords uses Basic Authentication, and by default is only available over an SSL connection.

Props georgestephanis, kasparsd, timothyblynjacobs, afercia, akkspro, andraganescu, arippberger, aristath, austyfrosty, ayesh, batmoo, bradyvercher, brianhenryie, helen, ipstenu, jeffmatson, jeffpaul, joostdevalk, joshlevinson, kadamwhite, kjbenk, koke, michael-arestad, Otto42, pekz0r, salzano, spacedmonkey, valendesigns.
Fixes #42790.

Built from https://develop.svn.wordpress.org/trunk@49109


git-svn-id: http://core.svn.wordpress.org/trunk@48871 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-08 22:14:06 +00:00
Sergey Biryukov 09570be924 Docs: Fix typos in some DocBlocks in `js/_enqueues/wp/api.js`.
Additionally, rename a variable for clarity.

Props mukesh27.
Fixes #51420.
Built from https://develop.svn.wordpress.org/trunk@49075


git-svn-id: http://core.svn.wordpress.org/trunk@48837 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-09-30 13:54:06 +00:00
Helen Hou-Sandí 75262781d9 i18n: Ensure block type strings in the REST API end with a full stop.
Props ramiy, justinahinon.
Fixes #50805.


Built from https://develop.svn.wordpress.org/trunk@48982


git-svn-id: http://core.svn.wordpress.org/trunk@48744 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-09-16 19:23:07 +00:00
TimothyBlynJacobs a63708debf REST API: Refactor `WP_REST_Server::dispatch()` to make internal logic reusable.
#50244 aims to introduce batch processing in the REST API. An important feature is the ability to enforce that all requests have valid data before executing the route callbacks in "pre-validate" mode.

This necessitates splitting `WP_REST_Server::dispatch()` into two methods so the batch controller can determine the request handler to perform pre-validation and then respond to the requests.

The two new methods, `match_request_to_handler` and `respond_to_request`, have a public visibility, but are marked as `@access private`. This is to allow for iteration on the batch controller to happen in the Gutenberg repository. Developers should not rely upon these methods, their visibility may change in the future.

See #50244.
Props andraganescu, zieladam, TimothyBlynJacobs.

Built from https://develop.svn.wordpress.org/trunk@48947


git-svn-id: http://core.svn.wordpress.org/trunk@48709 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-09-05 21:52:07 +00:00
John Blackbourn 124972f2c6 Docs: Further corrections and improvements to various inline docblocks.
See #49572
Built from https://develop.svn.wordpress.org/trunk@48576


git-svn-id: http://core.svn.wordpress.org/trunk@48338 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-23 07:39:02 +00:00
TimothyBlynJacobs df2b9b1689 REST API: Add Content-Disposition, Content-MD5 and X-WP-Nonce as allowed cors headers.
The Content-Disposition and Content-MD5 headers allow for easier file uploading across domains by using a File/Blob object directly. The X-WP-Nonce header is allowed for making cross-origin and same-origin authenticated requests consistent.

Additionally a filter is introduced, "rest_allowed_cors_headers", to simplify the process of allowing additional request headers.

Props rmccue, TimothyBlynJacobs.
Fixes #41696.

Built from https://develop.svn.wordpress.org/trunk@48452


git-svn-id: http://core.svn.wordpress.org/trunk@48221 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-12 19:37:12 +00:00
Sergey Biryukov c892c420b7 Docs: Miscellaneous DocBlock corrections.
See #49572.
Built from https://develop.svn.wordpress.org/trunk@48198


git-svn-id: http://core.svn.wordpress.org/trunk@47967 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-28 11:53:04 +00:00
desrosj 4b60af1a6a General: Remove “whitelist” and “blacklist” in favor of more clear and inclusive language.
“The WordPress open source community cares about diversity. We strive to maintain a welcoming environment where everyone can feel included.”

With this commit, all occurrences of “whitelist” and “blacklist” (with the single exception of the `$new_whitelist_options` global variable) are removed. A new ticket has been opened to explore renaming the `$new_whitelist_options` variable (#50434).

Changing to more specific names or rewording sentences containing these terms not only makes the code more inclusive, but also helps provide clarity. These terms are often ambiguous. What is being blocked or allowed is not always immediately clear. This can make it more difficult for non-native English speakers to read through the codebase.

Words matter. If one contributor feels more welcome because these terms are removed, this was worth the effort.

Props strangerstudios, jorbin, desrosj, joemcgill, timothyblynjacobs, ocean90, ayeshrajans, davidbaumwald, earnjam.
See #48900, #50434.
Fixes #50413.
Built from https://develop.svn.wordpress.org/trunk@48121


git-svn-id: http://core.svn.wordpress.org/trunk@47890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-22 17:26:13 +00:00
TimothyBlynJacobs 88f54b22ba REST API: Add "Link" to the list of exposed cors headers.
Currently, only the X-WP-Total and X-WP-TotalPages headers are exposed which means that clients have to manually construct the URL to implement pagination instead of using the "prev" and "next" Links.

Additionally, a filter "rest_exposed_cors_headers" is introduced to make it simpler for plugins to expose additional headers.

Props Toro_Unit, ayeshrajans.
Fixes #50369.

Built from https://develop.svn.wordpress.org/trunk@48112


git-svn-id: http://core.svn.wordpress.org/trunk@47881 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-20 23:56:12 +00:00
desrosj c591d94cc5 General: Remove or add inline comments to `$HTTP_RAW_POST_DATA` occurrences.
The `$HTTP_RAW_POST_DATA` global was deprecated in PHP 5.6 and removed completely in PHP 7.0. In general, `php://input` should be used instead of `$HTTP_RAW_POST_DATA`.

Because WordPress Core still supports PHP 5.6, some plugins or sites may still rely on this variable being present and populated with the expected data. For that reason, occurrences of the variable will remain with updated inline documentation until support for PHP 5.6 is officially dropped in WordPress.

Props skoskie, jrf, desrosj, TimothyBlynJacobs.
See #49922.
Fixes #49810.
Built from https://develop.svn.wordpress.org/trunk@47926


git-svn-id: http://core.svn.wordpress.org/trunk@47700 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-08 19:55:10 +00:00
Dominik Schilling aaeab2f3f5 Rest API: Ensure `rest_ensure_response()` upgrades `WP_HTTP_Response` to `WP_REST_Response`.
An instance of `WP_HTTP_Response` doesn't ensure that the required methods used in `WP_REST_Server::dispatch()` exist, currently causing a fatal error.

Props ali11007, TimothyBlynJacobs, ocean90.
Fixes #49495.
Built from https://develop.svn.wordpress.org/trunk@47849


git-svn-id: http://core.svn.wordpress.org/trunk@47625 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-05-23 14:36:09 +00:00
K. Adam White 480372b07c REST API: Fix namespace shadowing issue in route matching logic.
Following [47260] a namespace such as "test-ns" prevents any namespace such as "test-ns/v1" from being found when matching routes.
While not best practice, this was an unintentional back-compat break; this patch restores the original behavior.

Props david.binda, TimothyBlynJacobs.
Fixes #48530.


Built from https://develop.svn.wordpress.org/trunk@47351


git-svn-id: http://core.svn.wordpress.org/trunk@47138 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-02-24 18:07:08 +00:00
TimothyBlynJacobs 450d49183b REST API: Fix links format in OPTIONS requests for non-variable routes.
Props nsundberg, johnwatkins0, birgire.
Fixes #49149.

Built from https://develop.svn.wordpress.org/trunk@47326


git-svn-id: http://core.svn.wordpress.org/trunk@47120 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-02-20 00:55:05 +00:00