Timestamp:
11/19/2016 10:38:40 PM (8 years ago)
Author:
westonruter
Message:

Customize: Ensure that WP_Customize_Manager::save_changeset_post() returns setting_validities even for supplied values that are unchanged from values in changeset.

Check setting existence and authorization via WP_Customize_Manager::validate_setting_values() even for null values to account for custom params being added to settings, preventing failures from being silently ignored.

See #38705, #30937.
Fixes #38865.

File:
1 edited

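--- a/trunk/src/wp-includes/class-wp-customize-manager.php
+++ b/trunk/src/wp-includes/class-wp-customize-manager.php
@@ -1729,10 +1729,10 @@
                 continue;
             }
-            if ( is_null( $unsanitized_value ) ) {
-                continue;
-            }
             if ( $options['validate_capability'] && ! current_user_can( $setting->capability ) ) {
                 $validity = new WP_Error( 'unauthorized', __( 'Unauthorized to modify setting due to capability.' ) );
             } else {
+                if ( is_null( $unsanitized_value ) ) {
+                    continue;
+                }
                 $validity = $setting->validate( $unsanitized_value );
             }
@@ -2031,5 +2031,4 @@
             }
         }
-        $post_values = wp_array_slice_assoc( $post_values, $changed_setting_ids );
 
         /**
@@ -2047,5 +2046,9 @@
 
         // Validate settings.
-        $setting_validities = $this->validate_setting_values( $post_values, array(
+        $validated_values = array_merge(
+            array_fill_keys( array_keys( $args['data'] ), null ), // Make sure existence/capability checks are done on value-less setting updates.
+            $post_values
+        );
+        $setting_validities = $this->validate_setting_values( $validated_values, array(
             'validate_capability' => true,
             'validate_existence' => true,
@@ -2065,8 +2068,4 @@
         }
 
-        $response = array(
-            'setting_validities' => $setting_validities,
-        );
-
         // Obtain/merge data for changeset.
         $original_changeset_data = $this->get_changeset_post_data( $changeset_post_id );
@@ -2106,12 +2105,19 @@
                 unset( $data[ $changeset_setting_id ] );
             } else {
-                // Merge any additional setting params that have been supplied with the existing params.
+
                 if ( ! isset( $data[ $changeset_setting_id ] ) ) {
                     $data[ $changeset_setting_id ] = array();
                 }
 
+                // Merge any additional setting params that have been supplied with the existing params.
+                $merged_setting_params = array_merge( $data[ $changeset_setting_id ], $setting_params );
+
+                // Skip updating setting params if unchanged (ensuring the user_id is not overwritten).
+                if ( $data[ $changeset_setting_id ] === $merged_setting_params ) {
+                    continue;
+                }
+
                 $data[ $changeset_setting_id ] = array_merge(
-                    $data[ $changeset_setting_id ],
-                    $setting_params,
+                    $merged_setting_params,
                     array(
                         'type' => $setting->type,
@@ -2220,4 +2226,8 @@
 
         remove_filter( 'wp_save_post_revision_post_has_changed', array( $this, '_filter_revision_post_has_changed' ) );
+
+        $response = array(
+            'setting_validities' => $setting_validities,
+        );
 
         if ( is_wp_error( $r ) ) {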
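Review bot: At new lines 2048–2051, `array_merge()` renumbers integer-like keys, so a setting ID that is a numeric string would have its null placeholder and its posted value stored under fresh keys 0, 1, … instead of the original ID. The existence and capability checks this commit extends to value-less updates would then run against a different key than the one presumably written to the changeset further down. Whether such IDs can be registered is not visible here, so this is a robustness gap rather than a confirmed bypass. A key-preserving merge avoids the question: `$validated_values = array_replace( array_fill_keys( array_keys( $args['data'] ), null ), $post_values );`. The enclosing method starts and ends outside the hunk.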