This aims to improve performance by calling `sanitize_url()` directly, instead of the `esc_url_raw()` wrapper. As of WordPress 6.1, `sanitize_url()` is the recommended function for sanitizing a URL for database or redirect usage.
Follow-up to [11383], [13096], [51597], [53452].
Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
Fixes#55852.
Built from https://develop.svn.wordpress.org/trunk@53455
git-svn-id: http://core.svn.wordpress.org/trunk@53044 1a063a9b-81f0-0310-95a4-ce76da25c4cd
While a custom post type can define a custom route by using the `rest_base` argument, a namespace of `wp/v2` was assumed. This commit introduces support for a `rest_namespace` argument.
A new `rest_get_route_for_post_type_items` function has been introduced and the `rest_get_route_for_post` function updated to facilitate getting the correct route for custom post types.
While the WordPress Core Block Editor bootstrap code has been updated to use these API functions, for maximum compatibility sticking with the default `wp/v2` namespace is recommended until the API functions see wider use.
Props spacedmonkey, swissspidy.
Fixes#53656.
Built from https://develop.svn.wordpress.org/trunk@51962
git-svn-id: http://core.svn.wordpress.org/trunk@51551 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, only the first error message for each parameter was made available. Now, all error messages for a parameter are concatenated. Additionally, the detailed error for each parameter is made available in a new `details` section of the validation error. Each error is formatted following the standard REST API error formatting.
The `WP_REST_Server::error_to_response` method has been abstracted out into a standalone function `rest_convert_error_to_response` to allow for reuse by `WP_REST_Request`. The formatted errors now also contain an `additional_data` property which contains the additional error data provided by `WP_Error::get_all_error_data`.
Props dlh, xkon, TimothyBlynJacobs.
Fixes#46191.
Built from https://develop.svn.wordpress.org/trunk@50150
git-svn-id: http://core.svn.wordpress.org/trunk@49829 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, only the active theme was made available. This commit allows for all themes to be queried if the user has the `switch_themes` or `manage_network_themes` capabilities.
This commit also no longer exposes the `page`, `per_page`, `search` and `context` query parameters since they are not supported by this controller.
Props spacedmonkey, lpawlik, TimothyBlynJacobs.
Fixes#50152.
Built from https://develop.svn.wordpress.org/trunk@49925
git-svn-id: http://core.svn.wordpress.org/trunk@49624 1a063a9b-81f0-0310-95a4-ce76da25c4cd
A new route is introduced, `batch/v1`, that accepts a list of API requests to run. Each request runs in sequence, and the responses are returned in the order they've been received.
Optionally, the `require-all-validate` validation mode can be used to first validate each request's parameters and only proceed with processing if each request validates successfully.
By default, the batch size is limited to 25 requests. This can be controlled using the `rest_get_max_batch_size` filter. Clients are strongly encouraged to discover the maximum batch size supported by the server by making an OPTIONS request to the `batch/v1` endpoint and inspecting the described arguments.
Additionally, the two new methods, `match_request_to_handler` and `respond_to_request` introduced in [48947] now have a `protected` visibility as we don't want to expose the inner workings of the `WP_REST_Server::dispatch` API.
Batching is not currently supported for GET requests.
Fixes#50244.
Props andraganescu, zieladam, TimothyBlynJacobs.
Built from https://develop.svn.wordpress.org/trunk@49252
git-svn-id: http://core.svn.wordpress.org/trunk@49014 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In WordPress 4.4 the REST API was first introduced. A few releases later in WordPress 4.7, the Content API endpoints were added, paving the way for Gutenberg and countless in-site experiences. In the intervening years, numerous plugins have built on top of the REST API. Many developers shared a common frustration, the lack of external authentication to the REST API.
This commit introduces Application Passwords to allow users to connect to external applications to their WordPress website. Users can generate individual passwords for each application, allowing for easy revocation and activity monitoring. An authorization flow is introduced to make the connection flow simple for users and application developers.
Application Passwords uses Basic Authentication, and by default is only available over an SSL connection.
Props georgestephanis, kasparsd, timothyblynjacobs, afercia, akkspro, andraganescu, arippberger, aristath, austyfrosty, ayesh, batmoo, bradyvercher, brianhenryie, helen, ipstenu, jeffmatson, jeffpaul, joostdevalk, joshlevinson, kadamwhite, kjbenk, koke, michael-arestad, Otto42, pekz0r, salzano, spacedmonkey, valendesigns.
Fixes#42790.
Built from https://develop.svn.wordpress.org/trunk@49109
git-svn-id: http://core.svn.wordpress.org/trunk@48871 1a063a9b-81f0-0310-95a4-ce76da25c4cd
#50244 aims to introduce batch processing in the REST API. An important feature is the ability to enforce that all requests have valid data before executing the route callbacks in "pre-validate" mode.
This necessitates splitting `WP_REST_Server::dispatch()` into two methods so the batch controller can determine the request handler to perform pre-validation and then respond to the requests.
The two new methods, `match_request_to_handler` and `respond_to_request`, have a public visibility, but are marked as `@access private`. This is to allow for iteration on the batch controller to happen in the Gutenberg repository. Developers should not rely upon these methods, their visibility may change in the future.
See #50244.
Props andraganescu, zieladam, TimothyBlynJacobs.
Built from https://develop.svn.wordpress.org/trunk@48947
git-svn-id: http://core.svn.wordpress.org/trunk@48709 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The Content-Disposition and Content-MD5 headers allow for easier file uploading across domains by using a File/Blob object directly. The X-WP-Nonce header is allowed for making cross-origin and same-origin authenticated requests consistent.
Additionally a filter is introduced, "rest_allowed_cors_headers", to simplify the process of allowing additional request headers.
Props rmccue, TimothyBlynJacobs.
Fixes#41696.
Built from https://develop.svn.wordpress.org/trunk@48452
git-svn-id: http://core.svn.wordpress.org/trunk@48221 1a063a9b-81f0-0310-95a4-ce76da25c4cd
“The WordPress open source community cares about diversity. We strive to maintain a welcoming environment where everyone can feel included.”
With this commit, all occurrences of “whitelist” and “blacklist” (with the single exception of the `$new_whitelist_options` global variable) are removed. A new ticket has been opened to explore renaming the `$new_whitelist_options` variable (#50434).
Changing to more specific names or rewording sentences containing these terms not only makes the code more inclusive, but also helps provide clarity. These terms are often ambiguous. What is being blocked or allowed is not always immediately clear. This can make it more difficult for non-native English speakers to read through the codebase.
Words matter. If one contributor feels more welcome because these terms are removed, this was worth the effort.
Props strangerstudios, jorbin, desrosj, joemcgill, timothyblynjacobs, ocean90, ayeshrajans, davidbaumwald, earnjam.
See #48900, #50434.
Fixes#50413.
Built from https://develop.svn.wordpress.org/trunk@48121
git-svn-id: http://core.svn.wordpress.org/trunk@47890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Currently, only the X-WP-Total and X-WP-TotalPages headers are exposed which means that clients have to manually construct the URL to implement pagination instead of using the "prev" and "next" Links.
Additionally, a filter "rest_exposed_cors_headers" is introduced to make it simpler for plugins to expose additional headers.
Props Toro_Unit, ayeshrajans.
Fixes#50369.
Built from https://develop.svn.wordpress.org/trunk@48112
git-svn-id: http://core.svn.wordpress.org/trunk@47881 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `$HTTP_RAW_POST_DATA` global was deprecated in PHP 5.6 and removed completely in PHP 7.0. In general, `php://input` should be used instead of `$HTTP_RAW_POST_DATA`.
Because WordPress Core still supports PHP 5.6, some plugins or sites may still rely on this variable being present and populated with the expected data. For that reason, occurrences of the variable will remain with updated inline documentation until support for PHP 5.6 is officially dropped in WordPress.
Props skoskie, jrf, desrosj, TimothyBlynJacobs.
See #49922.
Fixes#49810.
Built from https://develop.svn.wordpress.org/trunk@47926
git-svn-id: http://core.svn.wordpress.org/trunk@47700 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Following [47260] a namespace such as "test-ns" prevents any namespace such as "test-ns/v1" from being found when matching routes.
While not best practice, this was an unintentional back-compat break; this patch restores the original behavior.
Props david.binda, TimothyBlynJacobs.
Fixes#48530.
Built from https://develop.svn.wordpress.org/trunk@47351
git-svn-id: http://core.svn.wordpress.org/trunk@47138 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously the REST API did not account for server configurations where the Authorization header must be added using ModRewrite. This caused major DUX issues when trying to use custom authentication mechanisms.
Fixes#47077.
Props dshanske, cklosows.
Built from https://develop.svn.wordpress.org/trunk@47239
git-svn-id: http://core.svn.wordpress.org/trunk@47039 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously the _embed flag would embed all embeddable links in a response even if only a subset of the links were necessary. Now, a list of link relations can be passed in the _embed parameter to restrict the list of embedded objects.
Props rheinardkorf, adamsilverstein, jnylen0, cklosows, chrisvanpatten, TimothyBlynJacobs.
Fixes#39696.
Built from https://develop.svn.wordpress.org/trunk@47224
git-svn-id: http://core.svn.wordpress.org/trunk@47024 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Store each generated embedded object in a temporary cache when querying for linked resources so that repeated links to the same resource do not trigger repeated queries or processing.
Props TimothyBlynJacobs.
Fixes#48838.
Built from https://develop.svn.wordpress.org/trunk@47138
git-svn-id: http://core.svn.wordpress.org/trunk@46938 1a063a9b-81f0-0310-95a4-ce76da25c4cd