
Changeset 43974


Timestamp:
12/11/2018 04:12:56 AM (5 years ago)
Author:
jorbin
Message:

REST API: Declare unfiltered_html capability in links.

Because user capabilities can be modified at runtime, the REST API needs to expose them in some evaluated but declarative manner for clients to interpret. JSON Hyper Schema targetSchema provides an appropriate paradigm for doing so.

Merges [43682] to trunk.

Props timothyblynjacobs.

Fixes #45014.

Location:
trunk
Files:
3 edited


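--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -1780,4 +1780,8 @@
         if ( 'attachment' !== $this->post_type && current_user_can( $post_type->cap->publish_posts ) ) {
             $rels[] = 'https://api.w.org/action-publish';
+        }
+
+        if ( current_user_can( 'unfiltered_html' ) ) {
+            $rels[] = 'https://api.w.org/action-unfiltered-html';
         }
 
@@ -2191,4 +2195,20 @@
         }
 
+        $links[] = array(
+            'rel'          => 'https://api.w.org/action-unfiltered-html',
+            'title'        => __( 'The current user can post unfiltered HTML markup and JavaScript.' ),
+            'href'         => $href,
+            'targetSchema' => array(
+                'type'       => 'object',
+                'properties' => array(
+                    'content' => array(
+                        'raw' => array(
+                            'type' => 'string',
+                        ),
+                    ),
+                ),
+            ),
+        );
+
         if ( 'post' === $this->post_type ) {
             $links[] = array(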
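Review bot: The targetSchema in the second hunk (new lines 2197–2211) places `raw` directly under `content` instead of under a `properties` keyword, so in JSON Schema terms `content` carries no constraint at all and `raw` is an unrecognised keyword; if the intent is to describe `content.raw`, the entry should read `'content' => array( 'type' => 'object', 'properties' => array( 'raw' => array( 'type' => 'string' ) ) )`. The rel added in the first hunk is a capability hint for clients only — nothing in these hunks changes what the server does with `content.raw` on write, which presumably still goes through the existing content filters — and a comment above the `current_user_can( 'unfiltered_html' )` check such as `// Advisory only: clients use this rel to decide whether to send raw markup; server-side content filtering still applies on save.` would make that explicit for the next maintainer. Both hunks sit inside methods (presumably `get_available_actions()` and `get_schema_links()`) whose bodies begin and end outside the hunks.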
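--- a/trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php
@@ -3993,4 +3993,40 @@
     }
 
+    public function test_assign_unfiltered_html_action_superadmin() {
+        $post_id = self::factory()->post->create();
+        wp_set_current_user( self::$superadmin_id );
+        $request = new WP_REST_Request( 'GET', '/wp/v2/posts/' . $post_id );
+        $request->set_param( 'context', 'edit' );
+        $response = rest_do_request( $request );
+        $links    = $response->get_links();
+        $this->assertArrayHasKey( 'https://api.w.org/action-unfiltered-html', $links );
+    }
+
+    public function test_assign_unfiltered_html_action_editor() {
+        $post_id = self::factory()->post->create();
+        wp_set_current_user( self::$editor_id );
+        $request = new WP_REST_Request( 'GET', '/wp/v2/posts/' . $post_id );
+        $request->set_param( 'context', 'edit' );
+        $response = rest_do_request( $request );
+        $links    = $response->get_links();
+        // Editors can only unfiltered html on single site.
+        if ( is_multisite() ) {
+            $this->assertArrayNotHasKey( 'https://api.w.org/action-unfiltered-html', $links );
+        } else {
+            $this->assertArrayHasKey( 'https://api.w.org/action-unfiltered-html', $links );
+        }
+    }
+
+    public function test_assign_unfiltered_html_action_author() {
+        $post_id = self::factory()->post->create();
+        wp_set_current_user( self::$author_id );
+        $request = new WP_REST_Request( 'GET', '/wp/v2/posts/' . $post_id );
+        $request->set_param( 'context', 'edit' );
+        $response = rest_do_request( $request );
+        $links    = $response->get_links();
+        // Authors can't ever unfiltered html
+        $this->assertArrayNotHasKey( 'https://api.w.org/action-unfiltered-html', $links );
+    }
+
     public function tearDown() {
         _unregister_post_type( 'youseeeme' );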
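Review bot: None of the three added tests exercises the schema-link half of the change: each one GETs a single post with `context=edit` and inspects `get_links()`, but nothing requests the collection's OPTIONS response (or calls `get_schema_links()`) to assert that the `https://api.w.org/action-unfiltered-html` entry and its `targetSchema` are emitted there. The editor test hides the single-site expectation behind an `is_multisite()` branch; the WordPress test suite supports `@group ms-required` / `@group ms-excluded` docblocks, so splitting it into two tests would let each expectation run unconditionally in its own environment. The comments at new lines 4012 and 4027 are ungrammatical and should read `// Editors can only post unfiltered HTML on single site.` and `// Authors can never post unfiltered HTML.`. The enclosing test class, and the static user ids these tests read, are defined outside the hunk.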