Historically, the REST API would generate the entire response object, including running expensive filters, then it would apply the `_fields` parameter, discarding the fields that weren't specificed.
This change causes `_fields` to be applied earlier, so that only requested fields are processed.
Props danielbachhuber.
See #43874.
Built from https://develop.svn.wordpress.org/trunk@43087
git-svn-id: http://core.svn.wordpress.org/trunk@42916 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Any WordPress user who can `edit_posts` of a post type with `show_in_rest=true` can query for authors. This maps to current WordPress behavior where a WordPress user who can view the Manage Posts view for a post type can see any WordPress user assigned to a post (whether published or draft).
This implementation, over restricting `who=authors` to users with `list_users`, gives us future flexibility in displaying lists of posts. It still respects more restrictive permissions for `context=edit`.
Props danielbachhuber.
Fixes#42202.
Built from https://develop.svn.wordpress.org/trunk@43001
git-svn-id: http://core.svn.wordpress.org/trunk@42830 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This tag has been used in the past, but should no longer be used. Just using the `static` keyword in code is enough for PhpDocumentor on PHP5+ to recognize static variables and methods, and PhpDocumentor will mark them as static.
Props birgire.
See #42803.
Built from https://develop.svn.wordpress.org/trunk@42746
git-svn-id: http://core.svn.wordpress.org/trunk@42576 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The permissions error message when a request tries to fetch post statuses unauthenticated is incorrect. It was a copy/paste from elsewhere, as indicated by the use of "in this post type" where this is no post type referenced.
Props schlessera.
Fixes#42303.
Built from https://develop.svn.wordpress.org/trunk@42356
git-svn-id: http://core.svn.wordpress.org/trunk@42185 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The 409 error code is intended for situations where it is expected that the user will resolve the conflict and resubmit the same request. We use 400 error codes for other routes when a duplicate request is made. The 400 status code tells the user they need to modify their request for it to be successful.
Props shooper.
Fixes#42781. See #41370.
Built from https://develop.svn.wordpress.org/trunk@42354
git-svn-id: http://core.svn.wordpress.org/trunk@42183 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In r41727 the ability to sanitise and validate objects from JSON schema was added, with a whitelist approach. It was decided we should pass through all non-registered properties to reflect the behaviour of the root object in register_rest_route. To prevent arbitrary extra data via setting objects, we force additionalProperties to false in the settings endpoint.
See #38583.
Built from https://develop.svn.wordpress.org/trunk@42000
git-svn-id: http://core.svn.wordpress.org/trunk@41834 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Also remove `enum` for validating allowed templates to allow plugins to dynamically supply their own templates for specific posts, even when they are not in the theme.
Props TimothyBlynJacobs, jnylen0, swissspidy.
Fixes#39996.
Built from https://develop.svn.wordpress.org/trunk@41979
git-svn-id: http://core.svn.wordpress.org/trunk@41813 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adds an "include_slug" orderby value for REST API collections to permit returning a collection filtered by slugs in the same order in which those slugs are specified.
Previously, the order of slugs provided with the ?slug query parameter had no effect on the order of the returned records.
Props wonderboymusic, ocean90, boonebgorges.
Fixes#40826.
Built from https://develop.svn.wordpress.org/trunk@41760
git-svn-id: http://core.svn.wordpress.org/trunk@41594 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Enables register_setting to accept an object as its schema value, allowing settings to accept non-scalar values through the REST API.
This whitelists the added type in the settings controller, and passes properties from argument registration into the validation functions.
Props joehoyle.
See #38583.
Built from https://develop.svn.wordpress.org/trunk@41758
git-svn-id: http://core.svn.wordpress.org/trunk@41592 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fixes an issue where submitting a well-formed request to create a term inappropriately returns a 500 error status if that term already exists.
HTTP 5xx error codes should be reserved for unexpected server errors, so "409 Conflict" is a more appropriate response.
Props alibasheer, guzzilar, shooper.
Fixes#41370.
Built from https://develop.svn.wordpress.org/trunk@41737
git-svn-id: http://core.svn.wordpress.org/trunk@41571 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When registering routes developers can now define their complex objects in the schema and benefit from the automatic validation and sanitization in the REST API. This also paves the way for support for complex object registration via register_meta and register_setting.
See #38583.
Props TimothyBlynJacobs5.
Built from https://develop.svn.wordpress.org/trunk@41727
git-svn-id: http://core.svn.wordpress.org/trunk@41561 1a063a9b-81f0-0310-95a4-ce76da25c4cd
While site administrators cannot generally edit users in multisite, they have always been able to change the roles of users on their site. In the REST API however, this has not been possible so far. This changeset brings parity with how it is handled in the administration panel: A REST request to edit only a user's roles succeeds correctly, while a REST request to edit any further details of a user fails.
Props jnylen0.
Fixes#40263.
Built from https://develop.svn.wordpress.org/trunk@41226
git-svn-id: http://core.svn.wordpress.org/trunk@41066 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Under certain circumstances, it can be necessary that a user should not be added to a site, beyond the restrictions that WordPress core applies. With the new `can_add_user_to_blog` filter, plugin developers can run custom checks and return an error in case of a failure, that will prevent the user from being added.
The user-facing parts and the REST API route that interact with `add_user_to_blog()` have been adjusted accordingly to provide appropriate error feedback when a user could not be added to a site. Furthermore, two existing error feedback messages in the site admin's "New User" screen have been adjusted to properly show inside an error notice instead of a success notice.
Props jmdodd.
Fixes#41101.
Built from https://develop.svn.wordpress.org/trunk@41225
git-svn-id: http://core.svn.wordpress.org/trunk@41065 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Prior to about 2013, many class methods lacked even access modifiers which made the `@access` notations that much more useful. Now that we've gotten to a point where the codebase is more mature from a maintenance perspective and we can finally remove these notations. Notable exceptions to this change include standalone functions notated as private as well as some classes still considered to represent "private" APIs.
See #41452.
Built from https://develop.svn.wordpress.org/trunk@41162
git-svn-id: http://core.svn.wordpress.org/trunk@41002 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Prior to this commit, `WP_Rest_Request::get_param()` traversed through the parameter order but `WP_Rest_Request::set_param()` did not. For JSON requests (and likely other situations as well), this meant that changing a parameter with `set_param()` would have no effect on `get_param()`.
Props TimothyBlynJacobs.
Fixes#40344.
Built from https://develop.svn.wordpress.org/trunk@40815
git-svn-id: http://core.svn.wordpress.org/trunk@40673 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit adds a new `WP_REST_Server#remove_header` method and uses it to clear the `Last-Modified` header when the "no caching" headers are sent (by default for all authenticated REST API requests). This matches the behavior of the `nocache_headers` function used in other parts of WordPress.
Previously, the REST API would send an empty `Last-Modified` header in this situation. Under some server and browser configurations, this causes browsers to cache authenticated REST API requests, which is undesirable.
Props iv3rson76, zinigor, rmccue, jnylen0.
Fixes#40444.
Built from https://develop.svn.wordpress.org/trunk@40805
git-svn-id: http://core.svn.wordpress.org/trunk@40663 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When headers are stored in WP_REST_Request internally they are canonicalized. This step already happens on setting / getting headers in any way, but was missed when implementing remove_header().
Props TimothyBlynJacobs.
Fixes#40347.
Built from https://develop.svn.wordpress.org/trunk@40577
git-svn-id: http://core.svn.wordpress.org/trunk@40447 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Avoid a PHP Error when attempting to embed the parent post of an attachment, when the parent post ID is invalid. Instead check if the parent post object exists before checking the read permission for the parent post.
Props GhostToast.
Fixes#39881.
Built from https://develop.svn.wordpress.org/trunk@40306
git-svn-id: http://core.svn.wordpress.org/trunk@40213 1a063a9b-81f0-0310-95a4-ce76da25c4cd