
Changeset 39162


Timestamp:
11/08/2016 02:07:10 PM (8 years ago)
Author:
joehoyle
Message:

REST API: Remove get_allowed_query_vars() now filter is gone.

Now that public query vars are no longer supported via ?filter in the REST API, we can remove the get_allowed_query_vars() method and filter. To provide developers with a good alternative to filter, the "rest_{$this->post_type}_collection_params" filter has been added.

Props rmccue, rachelbacker, danielbachhuber.
Fixes #38629.

File:
1 edited

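--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -816,108 +816,28 @@
      */
     protected function prepare_items_query( $prepared_args = array(), $request = null ) {
-
-        $valid_vars = array_flip( $this->get_allowed_query_vars( $request ) );
         $query_args = array();
 
-        foreach ( $valid_vars as $var => $index ) {
-            if ( isset( $prepared_args[ $var ] ) ) {
-                /**
-                 * Filters the query_vars used in get_items() for the constructed query.
-                 *
-                 * The dynamic portion of the hook name, `$var`, refers to the query_var key.
-                 *
-                 * @since 4.7.0
-                 *
-                 * @param string $var The query_var value.
-                 */
-                $query_args[ $var ] = apply_filters( "rest_query_var-{$var}", $prepared_args[ $var ] );
-            }
-        }
-
-        if ( 'post' !== $this->post_type || ! isset( $query_args['ignore_sticky_posts'] ) ) {
-            $query_args['ignore_sticky_posts'] = true;
-        }
-
-        if ( 'include' === $query_args['orderby'] ) {
-            $query_args['orderby'] = 'post__in';
-        }
-
-        return $query_args;
-    }
-
-    /**
-     * Retrieves all of the WP Query vars that are allowed for the REST API request.
-     *
-     * @since 4.7.0
-     * @access protected
-     *
-     * @param WP_REST_Request $request Optional. Full details about the request.
-     * @return array Allowed query variables.
-     */
-    protected function get_allowed_query_vars( $request = null ) {
-        global $wp;
-
-        /** This filter is documented in wp-includes/class-wp.php */
-        $valid_vars = apply_filters( 'query_vars', $wp->public_query_vars );
-
-        $post_type_obj = get_post_type_object( $this->post_type );
-        if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
+        foreach ( $prepared_args as $key => $value ) {
             /**
-             * Filters the allowed 'private' query vars for authorized users.
+             * Filters the query_vars used in get_items() for the constructed query.
              *
-             * If the user has the `edit_posts` capability, we also allow use of
-             * private query parameters, which are only undesirable on the
-             * frontend, but are safe for use in query strings.
-             *
-             * To disable anyway, use
-             * `add_filter( 'rest_private_query_vars', '__return_empty_array' );`
+             * The dynamic portion of the hook name, `$key`, refers to the query_var key.
              *
              * @since 4.7.0
              *
-             * @param array $private_query_vars Array of allowed query vars for authorized users.
+             * @param string $value The query_var value.
              */
-            $private = apply_filters( 'rest_private_query_vars', $wp->private_query_vars );
-
-            $valid_vars = array_merge( $valid_vars, $private );
-        }
-
-        // Define our own in addition to WP's normal vars.
-        $rest_valid = array(
-            'author__in',
-            'author__not_in',
-            'ignore_sticky_posts',
-            'menu_order',
-            'offset',
-            'post__in',
-            'post__not_in',
-            'post_parent',
-            'post_parent__in',
-            'post_parent__not_in',
-            'posts_per_page',
-            'date_query',
-            'post_name__in',
-        );
-
-        $valid_vars = array_merge( $valid_vars, $rest_valid );
-
-        /**
-         * Filters allowed query vars for the REST API.
-         *
-         * This filter allows you to add or remove query vars from the final allowed
-         * list for all requests, including unauthenticated ones. To alter the
-         * vars for editors only, see {@see 'rest_private_query_vars'}.
-         *
-         * @since 4.7.0
-         *
-         * @param array {
-         *    Array of allowed WP_Query query vars.
-         *
-         *    @param string          $allowed_query_var The query var to allow.
-         *    @param WP_REST_Request $request           Request object.
-         * }
-         */
-        $valid_vars = apply_filters( 'rest_query_vars', $valid_vars, $request );
-
-        return $valid_vars;
+            $query_args[ $key ] = apply_filters( "rest_query_var-{$key}", $value );
+        }
+
+        if ( 'post' !== $this->post_type || ! isset( $query_args['ignore_sticky_posts'] ) ) {
+            $query_args['ignore_sticky_posts'] = true;
+        }
+
+        if ( 'include' === $query_args['orderby'] ) {
+            $query_args['orderby'] = 'post__in';
+        }
+
+        return $query_args;
     }
 
@@ -2196,5 +2116,20 @@
         }
 
-        return $params;
+        /**
+         * Filter collection parameters for the posts controller.
+         *
+         * The dynamic part of the filter `$this->post_type` refers to the post
+         * type slug for the controller.
+         *
+         * This filter registers the collection parameter, but does not map the
+         * collection parameter to an internal WP_Query parameter. Use the
+         * `rest_{$this->post_type}_query` filter to set WP_Query parameters.
+         *
+         * @since 4.7.0
+         *
+         * @param $params JSON Schema-formatted collection parameters.
+         * @param WP_Post_Type $post_type_obj Post type object.
+         */
+        return apply_filters( "rest_{$this->post_type}_collection_params", $params, $post_type_obj );
     }
 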
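Review bot: With the allow-list removed, the loop at new lines 820–831 copies every key of `$prepared_args` into `$query_args`, so nothing inside `prepare_items_query()` keeps private query vars (previously admitted only after the `edit_posts` capability check) out of what is presumably handed to WP_Query; that guarantee now rests entirely on the callers, which are outside this section. Because the method is `protected` and subclasses can call it with any array, its docblock (it ends just above the hunk) should state the contract, e.g. `@param array $prepared_args Query args already mapped from registered collection params; every key is forwarded unfiltered, so never pass raw request input.` Separately, new line 837 still reads `$query_args['orderby']` without checking that it exists, which raises an undefined-index notice when the method runs with its default `array()`; `if ( isset( $query_args['orderby'] ) && 'include' === $query_args['orderby'] ) {` avoids that.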