Similar to the existing `role`/`role__in`/`role__not_in` query arguments, this adds support for three new query arguments in `WP_User_Query`:
* `capability`
* `capability__in`
* `capability__not_in`
These can be used to fetch users with (or without) a specific set of capabilities, for example to get all users
with the capability to edit a certain post type.
Under the hood, this will check all existing roles on the site and perform a `LIKE` query against the `capabilities` user meta field to find:
* all users with a role that has this capability
* all users with the capability being assigned directly
Note: In WordPress, not all capabilities are stored in the database. Capabilities can also be modified using filters like `map_meta_cap`. These new query arguments do NOT work for such capabilities.
The prime use case for capability queries is to get all "authors", i.e. users with the capability to edit a certain post type.
Until now, `'who' => 'authors'` was used for this, which relies on user levels. However, user levels were deprecated a long time ago and thus never added to custom roles. This led to constant frustration due to users with custom roles missing from places like author dropdowns.
This updates any usage of `'who' => 'authors'` in core to use capability queries instead.
Subsequently, `'who' => 'authors'` queries are being **deprecated** in favor of these new query arguments.
Also adds a new `capabilities` parameter (mapping to `capability__in` in `WP_User_Query`) to the REST API users controller.
Also updates `twentyfourteen_list_authors()` in Twenty Fourteen to make use of this new functionality, adding a new `twentyfourteen_list_authors_query_args` filter to make it easier to override this behavior.
Props scribu, lgladdly, boonebgorges, spacedmonkey, peterwilsoncc, SergeyBiryukov, swissspidy.
Fixes#16841.
Built from https://develop.svn.wordpress.org/trunk@51943
git-svn-id: http://core.svn.wordpress.org/trunk@51532 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In each child and grandchild class, renames the first parameter to match the parent's method signature.
Why? PHP 8 introduces the ability to pass named arguments to function/method calls. This means the child and parent method signatures (i.e. parameter names) need to match.
Changes for readability:
- `@since` clearly specifies the original parameter name and its new name as well as why the change happened.
- In methods longer than a single line, the generic parameter is reassigned to the original parameter restoring it for context for use within the method. An inline comment is added to explain why this reassignment is made.
Follow-up to [38832], [39011], [39015], [39021], [39024], [39025], [39031], [39036], [43519], [43735], [43739], [43768], [46821], [48173], [48242], [49088], [50995], [51003], [51021].
Props jrf, hellofromTonya, sergeybiryukov, azaozz, desrosj, johnbillion.
See #51553.
Built from https://develop.svn.wordpress.org/trunk@51786
git-svn-id: http://core.svn.wordpress.org/trunk@51393 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The REST API treats routes without a permission_callback as public. Because this happens without any warning to the user, if the permission callback is unintentionally omitted or misspelled, the endpoint can end up being available to the public. Such a scenario has happened multiple times in the wild, and the results can be catostrophic when it occurs.
For REST API routes that are intended to be public, it is recommended to set the permission callback to the `__return_true` built in function.
Fixes#50075.
Props rmccue, sorenbronsted, whyisjake, SergeyBiryukov, TimothyBlynJacobs.
Built from https://develop.svn.wordpress.org/trunk@48526
git-svn-id: http://core.svn.wordpress.org/trunk@48288 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Only query post types with `'show_in_rest' => true` instead of looping over all post types and checking the `show_in_rest` property separately.
* Return from the `foreach()` loop as soon as the permission check succeeded.
Props pbiron, TimothyBlynJacobs, SergeyBiryukov.
Fixes#49118.
Built from https://develop.svn.wordpress.org/trunk@47034
git-svn-id: http://core.svn.wordpress.org/trunk@46834 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Caches the output of get_item_schema() to avoid redundant recomputation of translatable strings and other computed values. This method is called many times per item in each REST request, and the results of the method should not vary between calls.
Additional schema fields are not cached.
Props kadamwhite, joehoyle, TimothyBlynJacobs.
Fixes#47871.
Built from https://develop.svn.wordpress.org/trunk@45811
git-svn-id: http://core.svn.wordpress.org/trunk@45622 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Use of `date()` in core depends on PHP timezone set to UTC and not changed by third party code (which cannot be guaranteed).
`gmdate()` is functionally equivalent, but is not affected by PHP timezone setting: it's always UTC, which is the exact behavior the core needs.
Props nielsdeblaauw, Rarst.
Fixes#46438. See #44491.
Built from https://develop.svn.wordpress.org/trunk@45424
git-svn-id: http://core.svn.wordpress.org/trunk@45235 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When a `PUT` request is performed to update a user, a `rest_user_invalid_email` error is incorrectly being returned when the email exists with different letter casing, even if it belongs to the user being updated. `email_exists()` performs a case insensitive lookup, but the conditional statement following that lookup was performing a strict comparison between the new email and the user’s current email.
This changes that comparison to instead compare the user ID returned by `email_exists()` with the user ID being updated. This more closely matches the logic used in `edit_user()` and allows a user to change the letter casing of their email.
Props fuchsws, rachelbaker, desrosj.
Fixes#44672.
Built from https://develop.svn.wordpress.org/trunk@44641
git-svn-id: http://core.svn.wordpress.org/trunk@44472 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The existing `rest_insert_*` actions are fired before meta and additional fields are updated. These new `rest_after_*` actions fire after all write operations have completed.
Props timothyblynjacobs, danielbachhuber.
Merges [43737] to trunk.
Fixes#42864.
Built from https://develop.svn.wordpress.org/trunk@43987
git-svn-id: http://core.svn.wordpress.org/trunk@43819 1a063a9b-81f0-0310-95a4-ce76da25c4cd
WPCS 1.0.0 includes a bunch of new auto-fixers, which drops the number of coding standards issues across WordPress significantly. Prior to running the auto-fixers, there were 15,312 issues detected. With this commit, we now drop to 4,769 issues.
This change includes three notable additions:
- Multiline function calls must now put each parameter on a new line.
- Auto-formatting files is now part of the `grunt precommit` script.
- Auto-fixable coding standards issues will now cause Travis failures.
Fixes#44600.
Built from https://develop.svn.wordpress.org/trunk@43571
git-svn-id: http://core.svn.wordpress.org/trunk@43400 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Historically, the REST API would generate the entire response object, including running expensive filters, then it would apply the `_fields` parameter, discarding the fields that weren't specificed.
This change causes `_fields` to be applied earlier, so that only requested fields are processed.
Props danielbachhuber.
See #43874.
Built from https://develop.svn.wordpress.org/trunk@43087
git-svn-id: http://core.svn.wordpress.org/trunk@42916 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Any WordPress user who can `edit_posts` of a post type with `show_in_rest=true` can query for authors. This maps to current WordPress behavior where a WordPress user who can view the Manage Posts view for a post type can see any WordPress user assigned to a post (whether published or draft).
This implementation, over restricting `who=authors` to users with `list_users`, gives us future flexibility in displaying lists of posts. It still respects more restrictive permissions for `context=edit`.
Props danielbachhuber.
Fixes#42202.
Built from https://develop.svn.wordpress.org/trunk@43001
git-svn-id: http://core.svn.wordpress.org/trunk@42830 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adds an "include_slug" orderby value for REST API collections to permit returning a collection filtered by slugs in the same order in which those slugs are specified.
Previously, the order of slugs provided with the ?slug query parameter had no effect on the order of the returned records.
Props wonderboymusic, ocean90, boonebgorges.
Fixes#40826.
Built from https://develop.svn.wordpress.org/trunk@41760
git-svn-id: http://core.svn.wordpress.org/trunk@41594 1a063a9b-81f0-0310-95a4-ce76da25c4cd
While site administrators cannot generally edit users in multisite, they have always been able to change the roles of users on their site. In the REST API however, this has not been possible so far. This changeset brings parity with how it is handled in the administration panel: A REST request to edit only a user's roles succeeds correctly, while a REST request to edit any further details of a user fails.
Props jnylen0.
Fixes#40263.
Built from https://develop.svn.wordpress.org/trunk@41226
git-svn-id: http://core.svn.wordpress.org/trunk@41066 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Under certain circumstances, it can be necessary that a user should not be added to a site, beyond the restrictions that WordPress core applies. With the new `can_add_user_to_blog` filter, plugin developers can run custom checks and return an error in case of a failure, that will prevent the user from being added.
The user-facing parts and the REST API route that interact with `add_user_to_blog()` have been adjusted accordingly to provide appropriate error feedback when a user could not be added to a site. Furthermore, two existing error feedback messages in the site admin's "New User" screen have been adjusted to properly show inside an error notice instead of a success notice.
Props jmdodd.
Fixes#41101.
Built from https://develop.svn.wordpress.org/trunk@41225
git-svn-id: http://core.svn.wordpress.org/trunk@41065 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Prior to about 2013, many class methods lacked even access modifiers which made the `@access` notations that much more useful. Now that we've gotten to a point where the codebase is more mature from a maintenance perspective and we can finally remove these notations. Notable exceptions to this change include standalone functions notated as private as well as some classes still considered to represent "private" APIs.
See #41452.
Built from https://develop.svn.wordpress.org/trunk@41162
git-svn-id: http://core.svn.wordpress.org/trunk@41002 1a063a9b-81f0-0310-95a4-ce76da25c4cd
It has been unintendedly possible to both view and edit users from a different site than the current site in multisite environments. Moreover, when passing roles to a user in an update request, that user would implicitly be added to the current site.
This changeset removes the incorrect behavior for now in order to be able to provide a proper REST API workflow for managing multisite users in the near future. Related unit tests have been adjusted as well.
Props jnylen0, jeremyfelt, johnjamesjacoby.
Fixes#39701.
Built from https://develop.svn.wordpress.org/trunk@40106
git-svn-id: http://core.svn.wordpress.org/trunk@40043 1a063a9b-81f0-0310-95a4-ce76da25c4cd