Changeset 39427 for branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

Timestamp:

12/02/2016 06:58:36 AM (8 years ago)

Author:

pento

Message:

REST API: Require the reassign parameter when deleting users.

When deleting a user through the WordPress admin, a specific decision is presented - whether to assign all of the user's posts to another user, or to delete all of the posts.

This change requires reassign as a parameter in the corresponding REST API endpoint, so that content isn't accidentally lost.

Merges [39426] to the 4.7 branch.

Props jeremyfelt.
Fixes #39000.

Location:

branches/4.7

Files:

• . (modified) (1 prop)
• src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php (modified) (4 diffs)

branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

@@ -93 +93 @@
                         'type'        => 'integer',
                         'description' => __( 'Reassign the deleted user\'s posts and links to this user ID.' ),
+                        'required'    => true,
+                        'sanitize_callback' => array( $this, 'check_reassign' ),
                     ),
                 ),
@@ -126 +128 @@
                         'type'        => 'integer',
                         'description' => __( 'Reassign the deleted user\'s posts and links to this user ID.' ),
+                        'required'    => true,
+                        'sanitize_callback' => array( $this, 'check_reassign' ),
                     ),
                 ),
@@ -131 +135 @@
             'schema' => array( $this, 'get_public_item_schema' ),
         ));
+    }
+
+    /**
+     * Checks for a valid value for the reassign parameter when deleting users.
+     *
+     * The value can be an integer, 'false', false, or ''.
+     *
+     * @since 4.7.0
+     *
+     * @param int|bool        $value   The value passed to the reassign parameter.
+     * @param WP_REST_Request $request Full details about the request.
+     * @param string          $param   The parameter that is being sanitized.
+     *
+     * @return int|bool|WP_Error
+     */
+    public function check_reassign( $value, $request, $param ) {
+        if ( is_numeric( $value ) ) {
+            return $value;
+        }
+
+        if ( empty( $value ) || false === $value || 'false' === $value ) {
+            return false;
+        }
+
+        return new WP_Error( 'rest_invalid_param', __( 'Invalid user parameter(s).' ), array( 'status' => 400 ) );
     }
 
@@ -674 +703 @@
     public function delete_item( $request ) {
         $id       = (int) $request['id'];
-        $reassign = isset( $request['reassign'] ) ? absint( $request['reassign'] ) : null;
+        $reassign = false === $request['reassign'] ? null : absint( $request['reassign'] );
         $force    = isset( $request['force'] ) ? (bool) $request['force'] : false;