Make WordPress Core

Changeset 39038


Ignore:
Timestamp:
10/30/2016 08:20:54 PM (8 years ago)
Author:
westonruter
Message:

Customize: Prevent auto-draft post/page stubs from being saved with empty slugs or published with non-unique slugs.

  • Allow WP_Customize_Nav_Menus::insert_auto_draft_post() to take full post array to pass to wp_insert_post(), except for post_status. Require post_title.
  • Ensure empty post_name gets explicitly set to slugified post_title.
  • Explicitly allow only post_type and post_title params in WP_Customize_Nav_Menus::ajax_insert_auto_draft_post().
  • Use wp_update_post() instead of wp_publish_post() to ensure unique slugs are assigned to published auto-draft posts.
  • Re-use WP_Customize_Nav_Menus::insert_auto_draft_post() when inserting stubs from starter content.


See #38114, #38013, #34923.
Fixes #38539.

Location:
trunk
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/class-wp-customize-manager.php

    r39003 r39038  
    960960        if ( ! empty( $posts ) ) {
    961961            foreach ( array_keys( $posts ) as $post_symbol ) {
    962                 $posts[ $post_symbol ]['ID'] = wp_insert_post( wp_slash( array_merge(
    963                     $posts[ $post_symbol ],
    964                     array( 'post_status' => 'auto-draft' )
    965                 ) ) );
     962                $r = $this->nav_menus->insert_auto_draft_post( $posts[ $post_symbol ] );
     963                if ( $r instanceof WP_Post ) {
     964                    $posts[ $post_symbol ]['ID'] = $r->ID;
     965                }
    966966            }
    967967            $this->set_post_value( 'nav_menus_created_posts', wp_list_pluck( $posts, 'ID' ) ); // This is why nav_menus component is dependency for adding posts.
  • trunk/src/wp-includes/class-wp-customize-nav-menus.php

    r38979 r39038  
    735735     *
    736736     * @param array $postarr {
    737      *     Abbreviated post array.
    738      *
    739      *     @var string $post_title Post title.
    740      *     @var string $post_type  Post type.
     737     *     Post array. Note that post_status is overridden to be `auto-draft`.
     738     *
     739     *     @var string $post_title   Post title. Required.
     740     *     @var string $post_type    Post type. Required.
     741     *     @var string $post_name    Post name.
     742     *     @var string $post_content Post content.
    741743     * }
    742744     * @return WP_Post|WP_Error Inserted auto-draft post object or error.
     
    746748            return new WP_Error( 'unknown_post_type', __( 'Unknown post type' ) );
    747749        }
    748         if ( ! isset( $postarr['post_title'] ) ) {
    749             $postarr['post_title'] = '';
     750        if ( empty( $postarr['post_title'] ) ) {
     751            return new WP_Error( 'empty_title', __( 'Empty title' ) );
     752        }
     753        if ( ! empty( $postarr['post_status'] ) ) {
     754            return new WP_Error( 'status_forbidden', __( 'Status is forbidden' ) );
     755        }
     756
     757        $postarr['post_status'] = 'auto-draft';
     758
     759        // Auto-drafts are allowed to have empty post_names, so it has to be explicitly set.
     760        if ( empty( $postarr['post_name'] ) ) {
     761            $postarr['post_name'] = sanitize_title( $postarr['post_title'] );
    750762        }
    751763
    752764        add_filter( 'wp_insert_post_empty_content', '__return_false', 1000 );
    753         $args = array(
    754             'post_status' => 'auto-draft',
    755             'post_type'   => $postarr['post_type'],
    756             'post_title'  => $postarr['post_title'],
    757             'post_name'   => sanitize_title( $postarr['post_title'] ), // Auto-drafts are allowed to have empty post_names, so we need to explicitly set it.
    758         );
    759         $r = wp_insert_post( wp_slash( $args ), true );
     765        $r = wp_insert_post( wp_slash( $postarr ), true );
    760766        remove_filter( 'wp_insert_post_empty_content', '__return_false', 1000 );
    761767
     
    786792        }
    787793
    788         $params = wp_array_slice_assoc(
    789             array_merge(
    790                 array(
    791                     'post_type' => '',
    792                     'post_title' => '',
    793                 ),
    794                 wp_unslash( $_POST['params'] )
     794        $params = wp_unslash( $_POST['params'] );
     795        $illegal_params = array_diff( array_keys( $params ), array( 'post_type', 'post_title' ) );
     796        if ( ! empty( $illegal_params ) ) {
     797            wp_send_json_error( 'illegal_params', 400 );
     798        }
     799
     800        $params = array_merge(
     801            array(
     802                'post_type' => '',
     803                'post_title' => '',
    795804            ),
    796             array( 'post_type', 'post_title' )
     805            $params
    797806        );
    798807
     
    11401149        if ( ! empty( $post_ids ) ) {
    11411150            foreach ( $post_ids as $post_id ) {
    1142                 wp_publish_post( $post_id );
     1151                // Note that wp_publish_post() cannot be used because unique slugs need to be assigned.
     1152                wp_update_post( array( 'ID' => $post_id, 'post_status' => 'publish' ) );
    11431153            }
    11441154        }
  • trunk/tests/phpunit/tests/ajax/CustomizeMenus.php

    r38436 r39038  
    548548        $this->assertArrayHasKey( 'post_id', $response['data'] );
    549549        $this->assertArrayHasKey( 'url', $response['data'] );
     550        $post = get_post( $response['data']['post_id'] );
     551        $this->assertEquals( 'Hello World', $post->post_title );
     552        $this->assertEquals( 'post', $post->post_type );
     553        $this->assertEquals( 'hello-world', $post->post_name );
    550554    }
    551555
     
    636640        $this->assertFalse( $response['success'] );
    637641        $this->assertEquals( 'missing_post_title', $response['data'] );
     642
     643        // illegal_params.
     644        $_POST = wp_slash( array(
     645            'customize-menus-nonce' => wp_create_nonce( 'customize-menus' ),
     646            'params' => array(
     647                'post_type' => 'post',
     648                'post_title' => 'OK',
     649                'post_name' => 'bad',
     650                'post_content' => 'bad',
     651            ),
     652        ) );
     653        $this->_last_response = '';
     654        $this->make_ajax_call( 'customize-nav-menus-insert-auto-draft' );
     655        $response = json_decode( $this->_last_response, true );
     656        $this->assertFalse( $response['success'] );
     657        $this->assertEquals( 'illegal_params', $response['data'] );
    638658    }
    639659}
  • trunk/tests/phpunit/tests/customize/nav-menus.php

    r38858 r39038  
    543543        $this->assertEquals( 'unknown_post_type', $r->get_error_code() );
    544544
     545        $r = $menus->insert_auto_draft_post( array( 'post_status' => 'publish', 'post_title' => 'Bad', 'post_type' => 'post' ) );
     546        $this->assertInstanceOf( 'WP_Error', $r );
     547        $this->assertEquals( 'status_forbidden', $r->get_error_code() );
     548
    545549        $r = $menus->insert_auto_draft_post( array( 'post_title' => 'Hello World', 'post_type' => 'post' ) );
    546550        $this->assertInstanceOf( 'WP_Post', $r );
    547551        $this->assertEquals( 'Hello World', $r->post_title );
     552        $this->assertEquals( 'hello-world', $r->post_name );
    548553        $this->assertEquals( 'post', $r->post_type );
    549         $this->assertEquals( sanitize_title( $r->post_title ), $r->post_name );
     554
     555        $r = $menus->insert_auto_draft_post( array( 'post_title' => 'Hello World', 'post_type' => 'post', 'post_name' => 'greetings-world', 'post_content' => 'Hi World' ) );
     556        $this->assertInstanceOf( 'WP_Post', $r );
     557        $this->assertEquals( 'Hello World', $r->post_title );
     558        $this->assertEquals( 'post', $r->post_type );
     559        $this->assertEquals( 'greetings-world', $r->post_name );
     560        $this->assertEquals( 'Hi World', $r->post_content );
    550561    }
    551562
     
    732743            'post_status' => 'auto-draft',
    733744            'post_type' => 'post',
     745            'post_name' => 'auto-draft',
    734746        ) );
    735747        $pre_published_post_id = $this->factory()->post->create( array( 'post_status' => 'publish' ) );
     
    751763            $this->assertEquals( 'publish', get_post_status( $post_id ) );
    752764        }
     765
     766        // Ensure that unique slugs were assigned.
     767        $posts = array_map( 'get_post', $post_ids );
     768        $post_names = wp_list_pluck( $posts, 'post_name' );
     769        $this->assertEqualSets( $post_names, array_unique( $post_names ) );
    753770    }
    754771
Note: See TracChangeset for help on using the changeset viewer.