In WordPress 4.4 the REST API was first introduced. A few releases later in WordPress 4.7, the Content API endpoints were added, paving the way for Gutenberg and countless in-site experiences. In the intervening years, numerous plugins have built on top of the REST API. Many developers shared a common frustration, the lack of external authentication to the REST API.
This commit introduces Application Passwords to allow users to connect to external applications to their WordPress website. Users can generate individual passwords for each application, allowing for easy revocation and activity monitoring. An authorization flow is introduced to make the connection flow simple for users and application developers.
Application Passwords uses Basic Authentication, and by default is only available over an SSL connection.
Props georgestephanis, kasparsd, timothyblynjacobs, afercia, akkspro, andraganescu, arippberger, aristath, austyfrosty, ayesh, batmoo, bradyvercher, brianhenryie, helen, ipstenu, jeffmatson, jeffpaul, joostdevalk, joshlevinson, kadamwhite, kjbenk, koke, michael-arestad, Otto42, pekz0r, salzano, spacedmonkey, valendesigns.
Fixes#42790.
Built from https://develop.svn.wordpress.org/trunk@49109
git-svn-id: http://core.svn.wordpress.org/trunk@48871 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, the search controller infrastructure required that the id property was an integer. This prevents data models that use a string id from utilizing the search infrastructure.
This commit lifts the restraint that search handlers return integer ids. This will allow for the Post Formats search handler coming in 5.6 to use slugs instead of creating fake ids.
Props stoyangeorgiev.
Fixes#51131.
Built from https://develop.svn.wordpress.org/trunk@49088
git-svn-id: http://core.svn.wordpress.org/trunk@48850 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This method is useful whenever a JSON Schema needs to be converted to a format suitable for argument validation with `WP_REST_Request`. Moving the logic into a standalone function allows developers to use it outside of the `WP_REST_Controller` context.
Props pentatonicfunk.
Fixes#50876.
Built from https://develop.svn.wordpress.org/trunk@48951
git-svn-id: http://core.svn.wordpress.org/trunk@48713 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This brings `wp_count_terms()` in line with other taxonomy functions such as `get_terms()` which technically no longer require a taxonomy. Similar to the previously modified functions, no deprecation warning is triggered when using the legacy signature.
Fixes#36399.
Built from https://develop.svn.wordpress.org/trunk@48840
git-svn-id: http://core.svn.wordpress.org/trunk@48602 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Support for the `uniqueItems` keyword was added in [48357], but wasn't included in the list of permitted keywords for `WP_REST_Controller::get_endpoint_args_for_item_schema()`. This prevented the keyword from being automatically supported if specified in a controller's item schema.
Fixes#51021.
Built from https://develop.svn.wordpress.org/trunk@48796
git-svn-id: http://core.svn.wordpress.org/trunk@48558 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Gutenberg no longer uses the assets field to fetch the assets for the installed block so this field can be dropped from the endpoint. This allows us to reintroduce it at a later point without needing to worry about backward compatibility.
See #50732.
Built from https://develop.svn.wordpress.org/trunk@48656
git-svn-id: http://core.svn.wordpress.org/trunk@48418 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The REST API treats routes without a permission_callback as public. Because this happens without any warning to the user, if the permission callback is unintentionally omitted or misspelled, the endpoint can end up being available to the public. Such a scenario has happened multiple times in the wild, and the results can be catostrophic when it occurs.
For REST API routes that are intended to be public, it is recommended to set the permission callback to the `__return_true` built in function.
Fixes#50075.
Props rmccue, sorenbronsted, whyisjake, SergeyBiryukov, TimothyBlynJacobs.
Built from https://develop.svn.wordpress.org/trunk@48526
git-svn-id: http://core.svn.wordpress.org/trunk@48288 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- `post_title`,
- `post_content` (image description),
- `post_excerpt` (image caption as saved in the DB),
- `_wp_attachment_image_alt` meta (alt text for the img tag as saved in the DB).
Props spacedmonkey, joedolson, TimothyBlynJacobs, azaozz.
Fixes#50675.
Built from https://develop.svn.wordpress.org/trunk@48510
git-svn-id: http://core.svn.wordpress.org/trunk@48272 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [48069] the Block Renderer was changed to register a single route for all dynamic blocks. Validation was dynamically applied based on the requested block, but sanitization was not. This commit adds the same sanitization back to the block attributes.
Props manooweb.
Fixes#50620. See #48079.
Built from https://develop.svn.wordpress.org/trunk@48437
git-svn-id: http://core.svn.wordpress.org/trunk@48206 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Multi-type schema handling was improved in [48306]. In particular, it now allows for sanitizing a multi-typed value that wouldn't validate. Removing this handling will make 3rd party registered theme features more robust.
Fixes#50562.
Built from https://develop.svn.wordpress.org/trunk@48308
git-svn-id: http://core.svn.wordpress.org/trunk@48077 1a063a9b-81f0-0310-95a4-ce76da25c4cd
To facilitate inline image editing in Gutenberg, a new endpoint at wp/v2/media/<id>/edit has been introduced. This is functionally similar to the existing ajax image editor, however the REST API editor creates a new attachment record instead of updating an existing attachment.
Fixes#44405.
Props ajlende, ellatrix, spacedmonkey, azaozz.
Built from https://develop.svn.wordpress.org/trunk@48291
git-svn-id: http://core.svn.wordpress.org/trunk@48060 1a063a9b-81f0-0310-95a4-ce76da25c4cd
These endpoints facilitate the Block Directory Inserter feature in Gutenberg. Users can now install, activate, deactivate, and delete plugins over the REST API. The block directoryendpoint allows searching for available blocks from the WordPress.org block directory.
Props cklee, talldanwp, noisysocks, joen, soean, youknowriad, dufresnesteven, gziolo, dd32, tellyworth, ryelle, spacedmonkey, TimothyBlynJacobs.
Fixes#50321.
Built from https://develop.svn.wordpress.org/trunk@48242
git-svn-id: http://core.svn.wordpress.org/trunk@48011 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The filter is the callback function added with `add_filter()`, therefore the hook passes a value to the filter, and the filter returns a value to change its behaviour.
The documentation is referring to the latter.
Props johnbillion.
See #49572, #16557.
Built from https://develop.svn.wordpress.org/trunk@48185
git-svn-id: http://core.svn.wordpress.org/trunk@47954 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Currently themes can declare support for a given feature by using add_theme_support(). This commit adds a register_theme_feature() API that allows plugins and WordPress Core to declare a list of available features that themes can support.
The REST API uses this to expose a theme's supported features if the feature has been registered with "show_in_rest" set to true.
Props kadamwhite, spacedmonkey, williampatton, desrosj, TimothyBlynJacobs.
Fixes#49406.
Built from https://develop.svn.wordpress.org/trunk@48171
git-svn-id: http://core.svn.wordpress.org/trunk@47940 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `wp_update_comment_data` filter introduced in 4.7 allows comment data to be filtered before it is updated in the database.
The patch aims to handle `WP_Error` as the filter above return value in a similar manner as is done for `wp_new_comment()`.
Fixes#39732.
Props: enricosorcinelli, swissspidy, gkloveweb, jnylen0, jbpaul17, afercia, SergeyBiryukov, audrasjb, imath, davidbaumwald.
Built from https://develop.svn.wordpress.org/trunk@48154
git-svn-id: http://core.svn.wordpress.org/trunk@47923 1a063a9b-81f0-0310-95a4-ce76da25c4cd
“The WordPress open source community cares about diversity. We strive to maintain a welcoming environment where everyone can feel included.”
With this commit, all occurrences of “whitelist” and “blacklist” (with the single exception of the `$new_whitelist_options` global variable) are removed. A new ticket has been opened to explore renaming the `$new_whitelist_options` variable (#50434).
Changing to more specific names or rewording sentences containing these terms not only makes the code more inclusive, but also helps provide clarity. These terms are often ambiguous. What is being blocked or allowed is not always immediately clear. This can make it more difficult for non-native English speakers to read through the codebase.
Words matter. If one contributor feels more welcome because these terms are removed, this was worth the effort.
Props strangerstudios, jorbin, desrosj, joemcgill, timothyblynjacobs, ocean90, ayeshrajans, davidbaumwald, earnjam.
See #48900, #50434.
Fixes#50413.
Built from https://develop.svn.wordpress.org/trunk@48121
git-svn-id: http://core.svn.wordpress.org/trunk@47890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Every block has a different set of attributes. These attributes are specified as a JSON Schema object. Previously, every block registered its own block renderer route using its attributes for the schema. This allowed for the attributes to be validated using the built in endpoint validation rules. It had the unfortunate side effect, however, of creating a large number of nearly identical REST API routes, one for each dynamic block. Each registered route has a performance impact. As the number of server side blocks goes up, this becomes more and more of an issue.
Now, we register a single block renderer route and dynamically validate the attributes based on the selected block.
Fixes#48079.
Props gziolo, TimothyBlynJacobs.
Built from https://develop.svn.wordpress.org/trunk@48069
git-svn-id: http://core.svn.wordpress.org/trunk@47836 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Add new var $valid_schema_properties to match rest_validate_value_from_schema()
* Unit test to ensure all valid properties exists, and non-valid properties are ignored
Fixes: #50301.
Props: pentatonicfunk, TimothyBlynJacobs.
Built from https://develop.svn.wordpress.org/trunk@47911
git-svn-id: http://core.svn.wordpress.org/trunk@47685 1a063a9b-81f0-0310-95a4-ce76da25c4cd