- Timestamp:
- 11/03/2016 01:45:48 AM (8 years ago)
- File:
-
- 1 edited
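--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -2121,9 +2121,11 @@
 $params['status'] = array(
 'default' => 'publish',
-'description' => __( 'Limit result set to posts assigned a specific status; can be comma-delimited list of status types.' ),
-'enum' => array_merge( array_keys( get_post_stati() ), array( 'any' ) ),
-'sanitize_callback' => 'sanitize_key',
-'type' => 'string',
-'validate_callback' => array( $this, 'validate_user_can_query_private_statuses' ),
+'description' => __( 'Limit result set to posts assigned one or more statuses.' ),
+'type' => 'array',
+'items' => array(
+'enum' => array_merge( array_keys( get_post_stati() ), array( 'any' ) ),
+'type' => 'string',
+),
+'sanitize_callback' => array( $this, 'sanitize_post_statuses' ),
 );
 
@@ -2153,26 +2155,40 @@
 
 /**
-* Validates whether the user can query private statuses.
+* Sanitizes and validates the list of post statuses, including whether the
+* user can query private statuses.
 *
 * @since 4.7.0
 * @access public
 *
-* @param mixed $value Post status.
+* @param string|array $statuses One or more post statuses.
 * @param WP_REST_Request $request Full details about the request.
 * @param string $parameter Additional parameter to pass to validation.
-* @return bool|WP_Error Whether the request can query private statuses, otherwise WP_Error object.
-*/
-public function validate_user_can_query_private_statuses( $value, $request, $parameter ) {
-if ( 'publish' === $value ) {
-return rest_validate_request_arg( $value, $request, $parameter );
-}
-
-$post_type_obj = get_post_type_object( $this->post_type );
-
-if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
-return rest_validate_request_arg( $value, $request, $parameter );
-}
-
-return new WP_Error( 'rest_forbidden_status', __( 'Status is forbidden.' ), array( 'status' => rest_authorization_required_code() ) );
+* @return array|WP_Error A list of valid statuses, otherwise WP_Error object.
+*/
+public function sanitize_post_statuses( $statuses, $request, $parameter ) {
+$statuses = wp_parse_slug_list( $statuses );
+
+// The default status is different in WP_REST_Attachments_Controller
+$attributes = $request->get_attributes();
+$default_status = $attributes['args']['status']['default'];
+
+foreach ( $statuses as $status ) {
+if ( $status === $default_status ) {
+continue;
+}
+
+$post_type_obj = get_post_type_object( $this->post_type );
+
+if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
+$result = rest_validate_request_arg( $status, $request, $parameter );
+if ( is_wp_error( $result ) ) {
+return $result;
+}
+} else {
+return new WP_Error( 'rest_forbidden_status', __( 'Status is forbidden.' ), array( 'status' => rest_authorization_required_code() ) );
+}
+}
+
+return $statuses;
 }
 }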
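Review bot: In `sanitize_post_statuses()` the access decision hinges on `$attributes['args']['status']['default']`, which is read without checking that the key exists. If a route registers `status` without a default, `$default_status` becomes null (with a notice) and every requested status then requires `edit_posts`; that fails closed, but it should be explicit, e.g. `$default_status = isset( $attributes['args']['status']['default'] ) ? $attributes['args']['status']['default'] : null;`. The lookup `get_post_type_object( $this->post_type )` and the `current_user_can()` result do not change between iterations and can be computed once before the `foreach`. Because a method named as a sanitizer now carries the authorization check, the docblock should say that `rest_forbidden_status` is returned when any non-default status is requested without `edit_posts`, and a test covering a mixed list such as `publish,draft` for an unprivileged user would pin that behaviour.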