Changeset 39222 for trunk/src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php

Timestamp:

11/14/2016 04:35:35 PM (8 years ago)

Author:

joehoyle

Message:

REST API: Validate and Sanitize registered meta based off the schema.

With the addition of Array support in our schema validation functions, it's now possible to use these in the meta validation and sanitization steps. Also, this increases the test coverage of using registered via meta the API significantly.

Fixes #38531.
Props rachelbaker, tharsheblows.

File:

• trunk/src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php (modified) (5 diffs)

trunk/src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php

@@ -85 +85 @@
         }
 
-        return (object) $response;
+        return $response;
     }
 
@@ -134 +134 @@
             if ( is_null( $request[ $name ] ) ) {
                 $result = $this->delete_meta_value( $object_id, $name );
-            } elseif ( $args['single'] ) {
-                $result = $this->update_meta_value( $object_id, $name, $request[ $name ] );
+                if ( is_wp_error( $result ) ) {
+                    return $result;
+                }
+                continue;
+            }
+
+            $is_valid = rest_validate_value_from_schema( $request[ $name ], $args['schema'], 'meta.' . $name );
+            if ( is_wp_error( $is_valid ) ) {
+                $is_valid->add_data( array( 'status' => 400 ) );
+                return $is_valid;
+            }
+
+            $value = rest_sanitize_value_from_schema( $request[ $name ], $args['schema'] );
+
+            if ( $args['single'] ) {
+                $result = $this->update_meta_value( $object_id, $name, $value );
             } else {
-                $result = $this->update_multi_meta_value( $object_id, $name, $request[ $name ] );
+                $result = $this->update_multi_meta_value( $object_id, $name, $value );
             }
 
@@ -320 +334 @@
                 'name'             => $name,
                 'single'           => $args['single'],
+                'type'             => ! empty( $args['type'] ) ? $args['type'] : null,
                 'schema'           => array(),
                 'prepare_callback' => array( $this, 'prepare_value' ),
@@ -325 +340 @@
 
             $default_schema = array(
-                'type'        => null,
+                'type'        => $default_args['type'],
                 'description' => empty( $args['description'] ) ? '' : $args['description'],
                 'default'     => isset( $args['default'] ) ? $args['default'] : null,
@@ -333 +348 @@
             $rest_args['schema'] = array_merge( $default_schema, $rest_args['schema'] );
 
-            if ( empty( $rest_args['schema']['type'] ) ) {
-                // Skip over meta fields that don't have a defined type.
-                if ( empty( $args['type'] ) ) {
-                    continue;
-                }
-
-                if ( $rest_args['single'] ) {
-                    $rest_args['schema']['type'] = $args['type'];
-                } else {
-                    $rest_args['schema']['type'] = 'array';
-                    $rest_args['schema']['items'] = array(
-                        'type' => $args['type'],
-                    );
-                }
+            $type = ! empty( $rest_args['type'] ) ? $rest_args['type'] : null;
+            $type = ! empty( $rest_args['schema']['type'] ) ? $rest_args['schema']['type'] : $type;
+
+            if ( ! in_array( $type, array( 'string', 'boolean', 'integer', 'number' ) ) ) {
+                continue;
+            }
+
+            if ( empty( $rest_args['single'] ) ) {
+                $rest_args['schema']['items'] = array(
+                    'type' => $rest_args['type'],
+                );
+                $rest_args['schema']['type'] = 'array';
             }