Ticket #48885: 48885.2.patch
File 48885.2.patch, 8.7 KB (added by , 4 years ago) |
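--- a/src/wp-includes/option.php
+++ b/src/wp-includes/option.php
@@ -1907,7 +1907,8 @@
 'blogname',
 array(
 'show_in_rest' => array(
-'name' => 'title',
+'name' => 'title',
+'public' => true,
 ),
 'type' => 'string',
 'description' => __( 'Site title.' ),
@@ -1919,7 +1920,8 @@
 'blogdescription',
 array(
 'show_in_rest' => array(
-'name' => 'description',
+'name' => 'description',
+'public' => true,
 ),
 'type' => 'string',
 'description' => __( 'Site tagline.' ),
@@ -2091,6 +2093,7 @@
 *
 * @since 2.7.0
 * @since 4.7.0 `$args` can be passed to set flags on the setting, similar to `register_meta()`.
+* @since 5.4.0 Added the `$public` parameter to the `$show_in_rest` member of `$args`.
 *
 * @global array $new_whitelist_options
 * @global array $wp_registered_settings
@@ -2101,12 +2104,19 @@
 * @param array $args {
 * Data used to describe the setting when registered.
 *
-* @type string $type The type of data associated with this setting.
-* Valid values are 'string', 'boolean', 'integer', and 'number'.
-* @type string $description A description of the data attached to this setting.
-* @type callable $sanitize_callback A callback function that sanitizes the option's value.
-* @type bool $show_in_rest Whether data associated with this setting should be included in the REST API.
-* @type mixed $default Default value when calling `get_option()`.
+* @type string $type The type of data associated with this setting.
+* Valid values are 'string', 'boolean', 'integer', and 'number'.
+* @type string $description A description of the data attached to this setting.
+* @type callable $sanitize_callback A callback function that sanitizes the option's value.
+* @type bool|array $show_in_rest {
+* Whether data associated with this setting should be included in the REST API. Optionally passing
+* an array will include the setting in the REST API, with additional optional configuration.
+*
+* @type string $name The name to display this setting in the REST API as. Default `$option_name`.
+* @type array $schema Additional schema data to be included for this option.
+* @type bool $public Whether this option can be shown to all users. Default false.
+* }
+* @type mixed $default Default value when calling `get_option()`.
 * }
 */
 function register_setting( $option_group, $option_name, $args = array() ) {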
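Review bot: The new `$public` docblock entry on new line 2117 ("Whether this option can be shown to all users") understates what the flag does: per the test changes in this patch it exposes the option's value to any REST GET, including unauthenticated requests, while writes still require `manage_options`. Reword it to `@type bool $public Whether the option's value may be read over the REST API by any request, including unauthenticated ones. Set only for values that are safe to disclose publicly. Default false.` so plugin authors registering their own settings do not turn it on for sensitive data. It is also worth stating in the same entry that the flag has no effect on updates, which remain capability-gated.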
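--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-settings-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-settings-controller.php
@@ -40,16 +40,17 @@
 '/' . $this->rest_base,
 array(
 array(
-'methods' => WP_REST_Server::READABLE,
-'callback' => array( $this, 'get_item' ),
-'args' => array(),
-'permission_callback' => array( $this, 'get_item_permissions_check' ),
+'methods' => WP_REST_Server::READABLE,
+'callback' => array( $this, 'get_item' ),
+'args' => array(
+'context' => $this->get_context_param( array( 'default' => 'view' ) ),
+),
 ),
 array(
 'methods' => WP_REST_Server::EDITABLE,
 'callback' => array( $this, 'update_item' ),
 'args' => $this->get_endpoint_args_for_item_schema( WP_REST_Server::EDITABLE ),
-'permission_callback' => array( $this, ' get_item_permissions_check' ),
+'permission_callback' => array( $this, 'update_item_permissions_check' ),
 ),
 'schema' => array( $this, 'get_public_item_schema' ),
 )
@@ -58,14 +59,14 @@
 }
 
 /**
-* Checks if a given request has access to read andmanage settings.
+* Checks if a given request has access to manage settings.
 *
-* @since 4.7.0
+* @since 5.4.0
 *
 * @param WP_REST_Request $request Full details about the request.
-* @return bool True if the request has readaccess for the item, otherwise false.
+* @return bool True if the request has write access for the item, otherwise false.
 */
-public function get_item_permissions_check( $request ) {
+public function update_item_permissions_check( $request ) {
 return current_user_can( 'manage_options' );
 }
 
@@ -100,7 +101,8 @@
 
 if ( is_null( $response[ $name ] ) ) {
 // Default to a null value as "null" in the response means "not set".
-$response[ $name ] = get_option( $args['option_name'], $args['schema']['default'] );
+$filter = ( 'edit' === $request['context'] ) ? 'raw' : 'display';
+$response[ $name ] = get_bloginfo( $args['name'], $filter );
 }
 
 /*
@@ -212,9 +214,11 @@
 *
 * @since 4.7.0
 *
+* @param bool $return_non_public Optional. Returns options that are set with `show_in_rest`,
+* but aren't marked public. Default false.
 * @return array Array of registered options.
 */
-protected function get_registered_options( ) {
+protected function get_registered_options( $return_non_public = false ) {
 $rest_options = array();
 
 foreach ( get_registered_settings() as $name => $args ) {
@@ -228,6 +232,11 @@
 $rest_args = $args['show_in_rest'];
 }
 
+// Users without manage_options can only see settings marked public.
+if ( ! $return_non_public && ! current_user_can( 'manage_options' ) && empty( $rest_args['public'] ) ) {
+continue;
+}
+
 $defaults = array(
 'name' => ! empty( $rest_args['name'] ) ? $rest_args['name'] : $name,
 'schema' => array(),
@@ -277,7 +286,7 @@
 return $this->add_additional_fields_schema( $this->schema );
 }
 
-$options = $this->get_registered_options( );
+$options = $this->get_registered_options( true );
 
 $schema = array(
 '$schema' => 'http://json-schema.org/draft-04/schema#',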
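Review bot: The GET fallback on new line 105 reads every registered setting through `get_bloginfo( $args['name'], $filter )`, but `$args['name']` is the REST name (`title`, `timezone`, `posts_per_page`, ...), not a bloginfo key; as far as I recall `get_bloginfo()` falls through to the `blogname` option for any unrecognised `$show`, so for an administrator every setting other than the two public ones would come back as the site title, and the schema default the removed line passed to `get_option()` is lost. Keep `$response[ $name ] = get_option( $args['option_name'], $args['schema']['default'] );` as the general path and apply the display-filtered `get_bloginfo()` only to the two options it is meant for (`get_item`'s body starts outside the hunk). Separately, the READABLE route on new lines 43-47 now has no `permission_callback` at all; since anonymous read is the intent, declare it explicitly with `'permission_callback' => '__return_true',` so the public exposure is a visible decision rather than an omission. Note also that an unauthenticated request can pass `context=edit` and receive the `raw` value, so if the raw/display split is meant to be a privilege boundary, `edit` should be gated on `manage_options`.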
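--- a/tests/phpunit/tests/rest-api/rest-settings-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-settings-controller.php
@@ -54,17 +54,41 @@
 public function test_context_param() {
 }
 
-public function test_get_item_ is_not_public_not_authenticated() {
+public function test_get_item_shows_public_items_not_authenticated() {
 $request = new WP_REST_Request( 'GET', '/wp/v2/settings' );
 $response = rest_get_server()->dispatch( $request );
-$this->assertEquals( 401, $response->get_status() );
+$data = $response->get_data();
+$actual = array_keys( $data );
+
+$expected = array(
+'title',
+'description',
+);
+
+sort( $expected );
+sort( $actual );
+
+$this->assertEquals( 200, $response->get_status() );
+$this->assertEquals( $expected, $actual );
 }
 
-public function test_get_item_ is_not_public_no_permission() {
+public function test_get_item_shows_public_items_no_permission() {
 wp_set_current_user( self::$author );
 $request = new WP_REST_Request( 'GET', '/wp/v2/settings' );
 $response = rest_get_server()->dispatch( $request );
-$this->assertEquals( 403, $response->get_status() );
+$data = $response->get_data();
+$actual = array_keys( $data );
+
+$expected = array(
+'title',
+'description',
+);
+
+sort( $expected );
+sort( $actual );
+
+$this->assertEquals( 200, $response->get_status() );
+$this->assertEquals( $expected, $actual );
 }
 
 public function test_get_items() {
@@ -377,6 +401,21 @@
 $this->assertEquals( get_option( 'blogname' ), $data['title'] );
 }
 
+public function test_update_item_fails_not_authenticated() {
+$request = new WP_REST_Request( 'PUT', '/wp/v2/settings' );
+$request->set_param( 'title', 'The new title!' );
+$response = rest_get_server()->dispatch( $request );
+$this->assertEquals( 401, $response->get_status() );
+}
+
+public function test_update_item_fails_no_permission() {
+wp_set_current_user( self::$author );
+$request = new WP_REST_Request( 'PUT', '/wp/v2/settings' );
+$request->set_param( 'title', 'The new title!' );
+$response = rest_get_server()->dispatch( $request );
+$this->assertEquals( 403, $response->get_status() );
+}
+
 public function update_setting_custom_callback( $result, $name, $value, $args ) {
 if ( 'title' === $name && 'The new title!' === $value ) {
 // Do not allow changing the title in this case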
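Review bot: The two new GET tests (new lines 57-72 and 75-91) assert only the key set, so nothing pins the value an anonymous reader receives: the controller change serves the title through `get_bloginfo( ..., 'display' )`, whose escaping differs from the raw option, and nothing checks what `?context=edit` returns to an unauthenticated request. Add `$this->assertSame( get_bloginfo( 'name', 'display' ), $data['title'] );` to each test, and a third case that calls `$request->set_param( 'context', 'edit' )` with no user and asserts the intended raw-vs-display behaviour so a later change cannot silently widen it. The two tests are otherwise identical apart from `wp_set_current_user( self::$author )`; a small helper that dispatches and returns the sorted keys would remove the duplicated expected-keys block.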