Changes in branches/4.7 [39871:39997]
- Location:
- branches/4.7
- Files:
-
- 25 edited
branches/4.7/package.json
r39871 r39997 1 1 { 2 2 "name": "WordPress", 3 "version": "4.7. 1",3 "version": "4.7.2", 4 4 "description": "WordPress is web software you can use to create a beautiful website or blog.", 5 5 "repository": { -
branches/4.7/src/wp-admin/about.php
r39871 r39997 45 45 46 46 <div class="changelog point-releases"> 47 <h3><?php _e( 'Maintenance and Security Release' ); ?></h3> 47 <h3><?php _e( 'Maintenance and Security Releases' ); ?></h3> 48 <p><?php printf( __( '<strong>Version %s</strong> addressed some security issues.' ), '4.7.2' ); ?> 49 <?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.7.2' ); ?> 50 </p> 48 51 <p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.', 49 52 '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 62 ), '4.7.1', number_format_i18n( 62 ) ); ?> -
branches/4.7/src/wp-admin/includes/class-wp-posts-list-table.php
r39871 r39997 956 956 957 957 if ( ! is_post_type_hierarchical( $this->screen->post_type ) && 'excerpt' === $mode && current_user_can( 'read_post', $post->ID ) ) { 958 the_excerpt();958 echo esc_html( get_the_excerpt() ); 959 959 } 960 960 -
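Review bot: `echo esc_html( get_the_excerpt() )` at line 958 escapes the whole excerpt, so anything the `get_the_excerpt` filter chain appends as markup (a read-more link, for instance) would now show up as literal text instead of HTML; if that is the intended trade-off for the list table, say so at the call site, e.g. `// Escape the excerpt for the list table; markup added by excerpt filters is deliberately not rendered here.` The previous `the_excerpt()` output went through the `the_excerpt` filters, which this path no longer applies, so themes relying on those filters should be considered. The enclosing method starts and ends outside the hunk.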
branches/4.7/src/wp-admin/includes/class-wp-press-this.php
r39871 r39997 120 120 'post_status' => 'draft', 121 121 'post_format' => ( ! empty( $_POST['post_format'] ) ) ? sanitize_text_field( $_POST['post_format'] ) : '', 122 'tax_input' => ( ! empty( $_POST['tax_input'] ) ) ? $_POST['tax_input'] : array(),123 'post_category' => ( ! empty( $_POST['post_category'] ) ) ? $_POST['post_category'] : array(),124 122 ); 125 123 124 // Only accept categories if the user actually can assign 125 $category_tax = get_taxonomy( 'category' ); 126 if ( current_user_can( $category_tax->cap->assign_terms ) ) { 127 $post_data['post_category'] = ( ! empty( $_POST['post_category'] ) ) ? $_POST['post_category'] : array(); 128 } 129 130 // Only accept taxonomies if the user can actually assign 131 if ( ! empty( $_POST['tax_input'] ) ) { 132 $tax_input = $_POST['tax_input']; 133 foreach ( $tax_input as $tax => $_ti ) { 134 $tax_object = get_taxonomy( $tax ); 135 if ( ! $tax_object || ! current_user_can( $tax_object->cap->assign_terms ) ) { 136 unset( $tax_input[ $tax ] ); 137 } 138 } 139 140 $post_data['tax_input'] = $tax_input; 141 } 142 143 // Toggle status to pending if user cannot actually publish 126 144 if ( ! empty( $_POST['post_status'] ) && 'publish' === $_POST['post_status'] ) { 127 145 if ( current_user_can( 'publish_posts' ) ) { … … 454 472 * 455 473 * @param string $src Embed source URL. 456 * @return string If not from a supported provider, an empty string. Otherwise, a reformatt d embed URL.474 * @return string If not from a supported provider, an empty string. Otherwise, a reformatted embed URL. 457 475 */ 458 476 private function _limit_embed( $src ) { … … 854 872 $taxonomy = get_taxonomy( 'category' ); 855 873 874 // Bail if user cannot assign terms 875 if ( ! 
current_user_can( $taxonomy->cap->assign_terms ) ) { 876 return; 877 } 878 879 // Only show "add" if user can edit terms 856 880 if ( current_user_can( $taxonomy->cap->edit_terms ) ) { 857 881 ?> … … 1273 1297 wp_enqueue_script( 'editor' ); 1274 1298 1299 $categories_tax = get_taxonomy( 'category' ); 1300 $show_categories = current_user_can( $categories_tax->cap->assign_terms ) || current_user_can( $categories_tax->cap->edit_terms ); 1301 1302 $tag_tax = get_taxonomy( 'post_tag' ); 1303 $show_tags = current_user_can( $tag_tax->cap->assign_terms ); 1304 1275 1305 $supports_formats = false; 1276 1306 $post_format = 0; … … 1424 1454 <?php endif; ?> 1425 1455 1426 <button type="button" class="button-link post-option"> 1427 <span class="dashicons dashicons-category"></span> 1428 <span class="post-option-title"><?php _e( 'Categories' ); ?></span> 1429 <span class="dashicons post-option-forward"></span> 1430 </button> 1431 1432 <button type="button" class="button-link post-option"> 1433 <span class="dashicons dashicons-tag"></span> 1434 <span class="post-option-title"><?php _e( 'Tags' ); ?></span> 1435 <span class="dashicons post-option-forward"></span> 1436 </button> 1456 <?php if ( $show_categories ) : ?> 1457 <button type="button" class="button-link post-option"> 1458 <span class="dashicons dashicons-category"></span> 1459 <span class="post-option-title"><?php _e( 'Categories' ); ?></span> 1460 <span class="dashicons post-option-forward"></span> 1461 </button> 1462 <?php endif; ?> 1463 1464 <?php if ( $show_tags ) : ?> 1465 <button type="button" class="button-link post-option"> 1466 <span class="dashicons dashicons-tag"></span> 1467 <span class="post-option-title"><?php _e( 'Tags' ); ?></span> 1468 <span class="dashicons post-option-forward"></span> 1469 </button> 1470 <?php endif; ?> 1437 1471 </div> 1438 1472 … … 1448 1482 <?php endif; ?> 1449 1483 1450 <div class="setting-modal is-off-screen is-hidden"> 1451 <button type="button" class="button-link modal-close"> 
1452 <span class="dashicons post-option-back"></span> 1453 <span class="setting-title" aria-hidden="true"><?php _e( 'Categories' ); ?></span> 1454 <span class="screen-reader-text"><?php _e( 'Back to post options' ) ?></span> 1455 </button> 1456 <?php $this->categories_html( $post ); ?> 1457 </div> 1458 1459 <div class="setting-modal tags is-off-screen is-hidden"> 1460 <button type="button" class="button-link modal-close"> 1461 <span class="dashicons post-option-back"></span> 1462 <span class="setting-title" aria-hidden="true"><?php _e( 'Tags' ); ?></span> 1463 <span class="screen-reader-text"><?php _e( 'Back to post options' ) ?></span> 1464 </button> 1465 <?php $this->tags_html( $post ); ?> 1466 </div> 1484 <?php if ( $show_categories ) : ?> 1485 <div class="setting-modal is-off-screen is-hidden"> 1486 <button type="button" class="button-link modal-close"> 1487 <span class="dashicons post-option-back"></span> 1488 <span class="setting-title" aria-hidden="true"><?php _e( 'Categories' ); ?></span> 1489 <span class="screen-reader-text"><?php _e( 'Back to post options' ) ?></span> 1490 </button> 1491 <?php $this->categories_html( $post ); ?> 1492 </div> 1493 <?php endif; ?> 1494 1495 <?php if ( $show_tags ) : ?> 1496 <div class="setting-modal tags is-off-screen is-hidden"> 1497 <button type="button" class="button-link modal-close"> 1498 <span class="dashicons post-option-back"></span> 1499 <span class="setting-title" aria-hidden="true"><?php _e( 'Tags' ); ?></span> 1500 <span class="screen-reader-text"><?php _e( 'Back to post options' ) ?></span> 1501 </button> 1502 <?php $this->tags_html( $post ); ?> 1503 </div> 1504 <?php endif; ?> 1467 1505 </div><!-- .options-panel --> 1468 1506 </div><!-- .wrapper --> -
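Review bot: The new `tax_input` loop at lines 131-141 trusts that `$_POST['tax_input']` is an array: `! empty()` also passes a scalar, in which case `foreach` emits a warning and the unfiltered value is still stored in `$post_data['tax_input']`. Guard on shape as well as presence, `if ( ! empty( $_POST['tax_input'] ) && is_array( $_POST['tax_input'] ) ) {`, and the same applies to `post_category` at line 127, where an `is_array()` check keeps the capability gate meaningful. The term values themselves are passed through unsanitized, as before the change; presumably the insert path handles that, but it is worth confirming. The enclosing method starts before the hunk and its remainder is outside it.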
branches/4.7/src/wp-includes/class-wp-comment.php
r39871 r39997 192 192 global $wpdb; 193 193 194 if ( ! is_numeric( $id ) || $id != floor( $id ) || ! $id ) { 194 $comment_id = (int) $id; 195 if ( ! $comment_id ) { 195 196 return false; 196 197 } 197 198 $comment_id = (int) $id;199 198 200 199 $_comment = wp_cache_get( $comment_id, 'comment' ); -
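Review bot: Replacing the `is_numeric`/`floor` test with a bare `(int)` cast at line 194 changes which inputs are accepted: `'1.9'`, `'12abc'` and `1.5` were rejected before and now silently resolve to comment 1 or 12. If lookups are meant to tolerate that, document it where the cast happens, e.g. `// Non-integer input is truncated by the cast; reject such IDs before calling get_instance().`; if not, keep an integer check alongside the cast. The same pattern appears in class-wp-post.php and class-wp-term.php in this changeset. The enclosing method starts before the hunk and continues past it.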
branches/4.7/src/wp-includes/class-wp-post.php
r39871 r39997 211 211 global $wpdb; 212 212 213 if ( ! is_numeric( $post_id ) || $post_id != floor( $post_id ) || ! $post_id ) { 213 $post_id = (int) $post_id; 214 if ( ! $post_id ) { 214 215 return false; 215 216 } 216 217 $post_id = (int) $post_id;218 217 219 218 $_post = wp_cache_get( $post_id, 'posts' ); -
branches/4.7/src/wp-includes/class-wp-query.php
r39871 r39997 2256 2256 $where .= ' AND 1=0 '; 2257 2257 } else { 2258 $where .= " AND {$wpdb->posts}.post_type IN ('" . join( "', '", $in_search_post_types) . "')";2258 $where .= " AND {$wpdb->posts}.post_type IN ('" . join( "', '", array_map( 'esc_sql', $in_search_post_types ) ) . "')"; 2259 2259 } 2260 2260 } elseif ( !empty( $post_type ) && is_array( $post_type ) ) { 2261 $where .= " AND {$wpdb->posts}.post_type IN ('" . join("', '", $post_type) . "')";2261 $where .= " AND {$wpdb->posts}.post_type IN ('" . join("', '", esc_sql( $post_type ) ) . "')"; 2262 2262 } elseif ( ! empty( $post_type ) ) { 2263 $where .= " AND {$wpdb->posts}.post_type = '$post_type'";2263 $where .= $wpdb->prepare( " AND {$wpdb->posts}.post_type = %s", $post_type ); 2264 2264 $post_type_object = get_post_type_object ( $post_type ); 2265 2265 } elseif ( $this->is_attachment ) { -
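Review bot: The two array branches escape the post type list differently: line 2258 uses `array_map( 'esc_sql', $in_search_post_types )` while line 2261 passes the array straight to `esc_sql( $post_type )`. Both escape every element, but one form should be used in both places so a reader does not wonder whether the difference is intentional; `esc_sql( $in_search_post_types )` would match line 2261. Values are still only escaped, not validated against registered post types, so an unregistered name yields an empty result rather than an error; that is presumably acceptable here. The enclosing method starts and ends outside the hunk.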
branches/4.7/src/wp-includes/class-wp-term.php
r39871 r39997 126 126 global $wpdb; 127 127 128 if ( ! is_numeric( $term_id ) || $term_id != floor( $term_id ) || ! $term_id ) { 128 $term_id = (int) $term_id; 129 if ( ! $term_id ) { 129 130 return false; 130 131 } 131 132 $term_id = (int) $term_id;133 132 134 133 $_term = wp_cache_get( $term_id, 'terms' ); -
branches/4.7/src/wp-includes/rest-api.php
r39871 r39997 47 47 } 48 48 49 if ( isset( $args['args'] ) ) { 50 $common_args = $args['args']; 51 unset( $args['args'] ); 52 } else { 53 $common_args = array(); 54 } 55 49 56 if ( isset( $args['callback'] ) ) { 50 57 // Upgrade a single set to multiple. … … 58 65 ); 59 66 foreach ( $args as $key => &$arg_group ) { 60 if ( ! is_numeric( $ arg_group) ) {67 if ( ! is_numeric( $key ) ) { 61 68 // Route option, skip here. 62 69 continue; … … 64 71 65 72 $arg_group = array_merge( $defaults, $arg_group ); 73 $arg_group['args'] = array_merge( $common_args, $arg_group['args'] ); 66 74 } 67 75 -
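Review bot: `array_merge( $common_args, $arg_group['args'] )` at line 73 assumes every argument group carries an array under `args` after the defaults merge at line 72; a caller that passes `'args' => null` or a scalar (the defaults at lines 58-65 are cut off here, so whether they supply an array is not visible) would get a warning in PHP 7 and a TypeError in PHP 8. A cast keeps the merge total: `$arg_group['args'] = array_merge( $common_args, (array) $arg_group['args'] );`. The loop also iterates by reference (`&$arg_group`); the `unset()` that should follow it is outside the hunk, so confirm it exists. The enclosing function starts before the hunk and continues past it.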
branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
r39871 r39997 64 64 65 65 register_rest_route( $this->namespace, '/' . $this->rest_base . '/(?P<id>[\d]+)', array( 66 'args' => array( 67 'id' => array( 68 'description' => __( 'Unique identifier for the object.' ), 69 'type' => 'integer', 70 ), 71 ), 66 72 array( 67 73 'methods' => WP_REST_Server::READABLE, … … 301 307 302 308 /** 309 * Get the comment, if the ID is valid. 310 * 311 * @since 4.7.2 312 * 313 * @param int $id Supplied ID. 314 * @return WP_Comment|WP_Error Comment object if ID is valid, WP_Error otherwise. 315 */ 316 protected function get_comment( $id ) { 317 $error = new WP_Error( 'rest_comment_invalid_id', __( 'Invalid comment ID.' ), array( 'status' => 404 ) ); 318 if ( (int) $id <= 0 ) { 319 return $error; 320 } 321 322 $id = (int) $id; 323 $comment = get_comment( $id ); 324 if ( empty( $comment ) ) { 325 return $error; 326 } 327 328 if ( ! empty( $comment->comment_post_ID ) ) { 329 $post = get_post( (int) $comment->comment_post_ID ); 330 if ( empty( $post ) ) { 331 return new WP_Error( 'rest_post_invalid_id', __( 'Invalid post ID.' ), array( 'status' => 404 ) ); 332 } 333 } 334 335 return $comment; 336 } 337 338 /** 303 339 * Checks if a given request has access to read the comment. 304 340 * … … 310 346 */ 311 347 public function get_item_permissions_check( $request ) { 312 $id = (int) $request['id']; 313 314 $comment = get_comment( $id ); 315 316 if ( ! $comment ) { 317 return true; 348 $comment = $this->get_comment( $request['id'] ); 349 if ( is_wp_error( $comment ) ) { 350 return $comment; 318 351 } 319 352 … … 345 378 */ 346 379 public function get_item( $request ) { 347 $id = (int) $request['id']; 348 349 $comment = get_comment( $id ); 350 if ( empty( $comment ) ) { 351 return new WP_Error( 'rest_comment_invalid_id', __( 'Invalid comment ID.' ), array( 'status' => 404 ) ); 352 } 353 354 if ( ! 
empty( $comment->comment_post_ID ) ) { 355 $post = get_post( $comment->comment_post_ID ); 356 if ( empty( $post ) ) { 357 return new WP_Error( 'rest_post_invalid_id', __( 'Invalid post ID.' ), array( 'status' => 404 ) ); 358 } 380 $comment = $this->get_comment( $request['id'] ); 381 if ( is_wp_error( $comment ) ) { 382 return $comment; 359 383 } 360 384 … … 625 649 */ 626 650 public function update_item_permissions_check( $request ) { 627 628 $id = (int) $request['id'];629 630 $comment = get_comment( $id );631 632 if ( $comment &&! $this->check_edit_permission( $comment ) ) {651 $comment = $this->get_comment( $request['id'] ); 652 if ( is_wp_error( $comment ) ) { 653 return $comment; 654 } 655 656 if ( ! $this->check_edit_permission( $comment ) ) { 633 657 return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this comment.' ), array( 'status' => rest_authorization_required_code() ) ); 634 658 } … … 647 671 */ 648 672 public function update_item( $request ) { 649 $id = (int) $request['id']; 650 651 $comment = get_comment( $id ); 652 653 if ( empty( $comment ) ) { 654 return new WP_Error( 'rest_comment_invalid_id', __( 'Invalid comment ID.' ), array( 'status' => 404 ) ); 655 } 673 $comment = $this->get_comment( $request['id'] ); 674 if ( is_wp_error( $comment ) ) { 675 return $comment; 676 } 677 678 $id = $comment->comment_ID; 656 679 657 680 if ( isset( $request['type'] ) && get_comment_type( $id ) !== $request['type'] ) { … … 745 768 */ 746 769 public function delete_item_permissions_check( $request ) { 747 $id = (int) $request['id']; 748 $comment = get_comment( $id ); 749 750 if ( ! $comment ) { 751 return new WP_Error( 'rest_comment_invalid_id', __( 'Invalid comment ID.' 
), array( 'status' => 404 ) ); 770 $comment = $this->get_comment( $request['id'] ); 771 if ( is_wp_error( $comment ) ) { 772 return $comment; 752 773 } 753 774 … … 768 789 */ 769 790 public function delete_item( $request ) { 770 $id = (int) $request['id']; 791 $comment = $this->get_comment( $request['id'] ); 792 if ( is_wp_error( $comment ) ) { 793 return $comment; 794 } 795 771 796 $force = isset( $request['force'] ) ? (bool) $request['force'] : false; 772 773 $comment = get_comment( $id );774 775 if ( empty( $comment ) ) {776 return new WP_Error( 'rest_comment_invalid_id', __( 'Invalid comment ID.' ), array( 'status' => 404 ) );777 }778 797 779 798 /** -
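Review bot: The new `get_comment()` helper at lines 316-336 documents its parameter as `@param int $id` but receives the raw `$request['id']` value, which is why it casts twice (lines 318 and 322); cast once up front, `$id = (int) $id; if ( $id <= 0 ) { return $error; }`, and describe the input as `@param int|string $id Supplied ID (raw request value).` The `WP_Error` at line 317 is also built, with its translated message, on every call including the success path; constructing it only in the failure branches avoids that. The same shape is repeated in the posts, revisions, terms and users controllers' helpers in this changeset.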
branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-post-statuses-controller.php
r39871 r39997 49 49 50 50 register_rest_route( $this->namespace, '/' . $this->rest_base . '/(?P<status>[\w-]+)', array( 51 'args' => array( 52 'status' => array( 53 'description' => __( 'An alphanumeric identifier for the status.' ), 54 'type' => 'string', 55 ), 56 ), 51 57 array( 52 58 'methods' => WP_REST_Server::READABLE, -
branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-post-types-controller.php
r39871 r39997 49 49 50 50 register_rest_route( $this->namespace, '/' . $this->rest_base . '/(?P<type>[\w-]+)', array( 51 'args' => array( 52 'type' => array( 53 'description' => __( 'An alphanumeric identifier for the post type.' ), 54 'type' => 'string', 55 ), 56 ), 51 57 array( 52 58 'methods' => WP_REST_Server::READABLE, -
branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
r39871 r39997 89 89 } 90 90 register_rest_route( $this->namespace, '/' . $this->rest_base . '/(?P<id>[\d]+)', array( 91 'args' => array( 92 'id' => array( 93 'description' => __( 'Unique identifier for the object.' ), 94 'type' => 'integer', 95 ), 96 ), 91 97 array( 92 98 'methods' => WP_REST_Server::READABLE, … … 351 357 352 358 /** 359 * Get the post, if the ID is valid. 360 * 361 * @since 4.7.2 362 * 363 * @param int $id Supplied ID. 364 * @return WP_Post|WP_Error Post object if ID is valid, WP_Error otherwise. 365 */ 366 protected function get_post( $id ) { 367 $error = new WP_Error( 'rest_post_invalid_id', __( 'Invalid post ID.' ), array( 'status' => 404 ) ); 368 if ( (int) $id <= 0 ) { 369 return $error; 370 } 371 372 $post = get_post( (int) $id ); 373 if ( empty( $post ) || empty( $post->ID ) || $this->post_type !== $post->post_type ) { 374 return $error; 375 } 376 377 return $post; 378 } 379 380 /** 353 381 * Checks if a given request has access to read a post. 354 382 * … … 360 388 */ 361 389 public function get_item_permissions_check( $request ) { 362 363 $post = get_post( (int) $request['id'] ); 390 $post = $this->get_post( $request['id'] ); 391 if ( is_wp_error( $post ) ) { 392 return $post; 393 } 364 394 365 395 if ( 'edit' === $request['context'] && $post && ! $this->check_update_permission( $post ) ) { … … 429 459 */ 430 460 public function get_item( $request ) { 431 $id = (int) $request['id']; 432 $post = get_post( $id ); 433 434 if ( empty( $id ) || empty( $post->ID ) || $this->post_type !== $post->post_type ) { 435 return new WP_Error( 'rest_post_invalid_id', __( 'Invalid post ID.' 
), array( 'status' => 404 ) ); 461 $post = $this->get_post( $request['id'] ); 462 if ( is_wp_error( $post ) ) { 463 return $post; 436 464 } 437 465 … … 440 468 441 469 if ( is_post_type_viewable( get_post_type_object( $post->post_type ) ) ) { 442 $response->link_header( 'alternate', get_permalink( $ id), array( 'type' => 'text/html' ) );470 $response->link_header( 'alternate', get_permalink( $post->ID ), array( 'type' => 'text/html' ) ); 443 471 } 444 472 … … 456 484 */ 457 485 public function create_item_permissions_check( $request ) { 486 if ( ! empty( $request['id'] ) ) { 487 return new WP_Error( 'rest_post_exists', __( 'Cannot create existing post.' ), array( 'status' => 400 ) ); 488 } 458 489 459 490 $post_type = get_post_type_object( $this->post_type ); … … 592 623 */ 593 624 public function update_item_permissions_check( $request ) { 594 595 $post = get_post( $request['id'] ); 625 $post = $this->get_post( $request['id'] ); 626 if ( is_wp_error( $post ) ) { 627 return $post; 628 } 629 596 630 $post_type = get_post_type_object( $this->post_type ); 597 631 … … 625 659 */ 626 660 public function update_item( $request ) { 627 $id = (int) $request['id']; 628 $post = get_post( $id ); 629 630 if ( empty( $id ) || empty( $post->ID ) || $this->post_type !== $post->post_type ) { 631 return new WP_Error( 'rest_post_invalid_id', __( 'Invalid post ID.' ), array( 'status' => 404 ) ); 661 $valid_check = $this->get_post( $request['id'] ); 662 if ( is_wp_error( $valid_check ) ) { 663 return $valid_check; 632 664 } 633 665 … … 715 747 */ 716 748 public function delete_item_permissions_check( $request ) { 717 718 $post = get_post( $request['id'] ); 749 $post = $this->get_post( $request['id'] ); 750 if ( is_wp_error( $post ) ) { 751 return $post; 752 } 719 753 720 754 if ( $post && ! 
$this->check_delete_permission( $post ) ) { … … 735 769 */ 736 770 public function delete_item( $request ) { 737 $id = (int) $request['id']; 771 $post = $this->get_post( $request['id'] ); 772 if ( is_wp_error( $post ) ) { 773 return $post; 774 } 775 776 $id = $post->ID; 738 777 $force = (bool) $request['force']; 739 740 $post = get_post( $id );741 742 if ( empty( $id ) || empty( $post->ID ) || $this->post_type !== $post->post_type ) {743 return new WP_Error( 'rest_post_invalid_id', __( 'Invalid post ID.' ), array( 'status' => 404 ) );744 }745 778 746 779 $supports_trash = ( EMPTY_TRASH_DAYS > 0 ); … … 902 935 // Post ID. 903 936 if ( isset( $request['id'] ) ) { 904 $prepared_post->ID = absint( $request['id'] ); 937 $existing_post = $this->get_post( $request['id'] ); 938 if ( is_wp_error( $existing_post ) ) { 939 return $existing_post; 940 } 941 942 $prepared_post->ID = $existing_post->ID; 905 943 } 906 944 -
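Review bot: After the `is_wp_error()` returns added at lines 391-393 and 750-752, `$post` is guaranteed to be a `WP_Post`, so the leftover `$post &&` guards at line 395 (`'edit' === $request['context'] && $post && …`) and line 754 (`if ( $post && ! $this->check_delete_permission( $post ) )`) are dead and now read as if a null post were still possible; drop them. The helper name `get_post` shadows the global function only for `$this->` calls, and the unqualified `get_post( (int) $id )` at line 372 resolves to the global; a one-line comment there, `// Unqualified call: the global get_post(), not this method.`, saves a reader the double-take. Both permission methods continue past the hunk.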
branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
r39871 r39997 72 72 73 73 register_rest_route( $this->namespace, '/' . $this->parent_base . '/(?P<parent>[\d]+)/' . $this->rest_base, array( 74 'args' => array( 75 'parent' => array( 76 'description' => __( 'The ID for the parent of the object.' ), 77 'type' => 'integer', 78 ), 79 ), 74 80 array( 75 81 'methods' => WP_REST_Server::READABLE, … … 82 88 83 89 register_rest_route( $this->namespace, '/' . $this->parent_base . '/(?P<parent>[\d]+)/' . $this->rest_base . '/(?P<id>[\d]+)', array( 90 'args' => array( 91 'parent' => array( 92 'description' => __( 'The ID for the parent of the object.' ), 93 'type' => 'integer', 94 ), 95 'id' => array( 96 'description' => __( 'Unique identifier for the object.' ), 97 'type' => 'integer', 98 ), 99 ), 84 100 array( 85 101 'methods' => WP_REST_Server::READABLE, … … 108 124 109 125 /** 126 * Get the parent post, if the ID is valid. 127 * 128 * @since 4.7.2 129 * 130 * @param int $id Supplied ID. 131 * @return WP_Post|WP_Error Post object if ID is valid, WP_Error otherwise. 132 */ 133 protected function get_parent( $parent ) { 134 $error = new WP_Error( 'rest_post_invalid_parent', __( 'Invalid post parent ID.' ), array( 'status' => 404 ) ); 135 if ( (int) $parent <= 0 ) { 136 return $error; 137 } 138 139 $parent = get_post( (int) $parent ); 140 if ( empty( $parent ) || empty( $parent->ID ) || $this->parent_post_type !== $parent->post_type ) { 141 return $error; 142 } 143 144 return $parent; 145 } 146 147 /** 110 148 * Checks if a given request has access to get revisions. 111 149 * … … 117 155 */ 118 156 public function get_items_permissions_check( $request ) { 119 120 $parent = get_post( $request['parent'] );121 if ( ! $parent ) {122 return true;123 } 157 $parent = $this->get_parent( $request['parent'] ); 158 if ( is_wp_error( $parent ) ) { 159 return $parent; 160 } 161 124 162 $parent_post_type_obj = get_post_type_object( $parent->post_type ); 125 163 if ( ! 
current_user_can( $parent_post_type_obj->cap->edit_post, $parent->ID ) ) { … … 131 169 132 170 /** 171 * Get the revision, if the ID is valid. 172 * 173 * @since 4.7.2 174 * 175 * @param int $id Supplied ID. 176 * @return WP_Post|WP_Error Revision post object if ID is valid, WP_Error otherwise. 177 */ 178 protected function get_revision( $id ) { 179 $error = new WP_Error( 'rest_post_invalid_id', __( 'Invalid revision ID.' ), array( 'status' => 404 ) ); 180 if ( (int) $id <= 0 ) { 181 return $error; 182 } 183 184 $revision = get_post( (int) $id ); 185 if ( empty( $revision ) || empty( $revision->ID ) || 'revision' !== $revision->post_type ) { 186 return $error; 187 } 188 189 return $revision; 190 } 191 192 /** 133 193 * Gets a collection of revisions. 134 194 * … … 140 200 */ 141 201 public function get_items( $request ) { 142 $parent = get_post( $request['parent'] );143 if ( ! $request['parent'] || ! $parent || $this->parent_post_type !== $parent->post_type) {144 return new WP_Error( 'rest_post_invalid_parent', __( 'Invalid post parent ID.' ), array( 'status' => 404 ) );202 $parent = $this->get_parent( $request['parent'] ); 203 if ( is_wp_error( $parent ) ) { 204 return $parent; 145 205 } 146 206 … … 178 238 */ 179 239 public function get_item( $request ) { 180 $parent = get_post( $request['parent'] );181 if ( ! $request['parent'] || ! $parent || $this->parent_post_type !== $parent->post_type) {182 return new WP_Error( 'rest_post_invalid_parent', __( 'Invalid post parent ID.' ), array( 'status' => 404 ) );183 } 184 185 $revision = get_post( $request['id'] );186 if ( ! $revision || 'revision' !== $revision->post_type) {187 return new WP_Error( 'rest_post_invalid_id', __( 'Invalid revision ID.' 
), array( 'status' => 404 ) );240 $parent = $this->get_parent( $request['parent'] ); 241 if ( is_wp_error( $parent ) ) { 242 return $parent; 243 } 244 245 $revision = $this->get_revision( $request['id'] ); 246 if ( is_wp_error( $revision ) ) { 247 return $revision; 188 248 } 189 249 … … 202 262 */ 203 263 public function delete_item_permissions_check( $request ) { 264 $parent = $this->get_parent( $request['parent'] ); 265 if ( is_wp_error( $parent ) ) { 266 return $parent; 267 } 268 269 $revision = $this->get_revision( $request['id'] ); 270 if ( is_wp_error( $revision ) ) { 271 return $revision; 272 } 204 273 205 274 $response = $this->get_items_permissions_check( $request ); … … 208 277 } 209 278 210 $post = get_post( $request['id'] );211 if ( ! $post ) {212 return new WP_Error( 'rest_post_invalid_id', __( 'Invalid revision ID.' ), array( 'status' => 404 ) );213 }214 279 $post_type = get_post_type_object( 'revision' ); 215 return current_user_can( $post_type->cap->delete_post, $ post->ID );280 return current_user_can( $post_type->cap->delete_post, $revision->ID ); 216 281 } 217 282 … … 226 291 */ 227 292 public function delete_item( $request ) { 293 $revision = $this->get_revision( $request['id'] ); 294 if ( is_wp_error( $revision ) ) { 295 return $revision; 296 } 297 228 298 $force = isset( $request['force'] ) ? (bool) $request['force'] : false; 229 299 … … 233 303 } 234 304 235 $revision = get_post( $request['id'] );236 305 $previous = $this->prepare_item_for_response( $revision, $request ); 237 306 -
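Review bot: `get_item()` at lines 240-248 validates the parent and the revision separately but never checks that the revision belongs to that parent, so unless a check outside the hunk does it, authorization established for one parent post (via `get_items_permissions_check`) is applied to a revision of any other post addressed by ID; `delete_item_permissions_check` at lines 264-272 has the same gap. After both lookups succeed, compare them: `if ( (int) $parent->ID !== (int) $revision->post_parent ) { return new WP_Error( 'rest_post_invalid_parent', __( 'Invalid post parent ID.' ), array( 'status' => 404 ) ); }`. Separately, the docblock of `get_parent()` at line 130 says `@param int $id` while the parameter is `$parent`. `get_item` continues past the hunk.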
branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-taxonomies-controller.php
r39871 r39997 49 49 50 50 register_rest_route( $this->namespace, '/' . $this->rest_base . '/(?P<taxonomy>[\w-]+)', array( 51 'args' => array( 52 'taxonomy' => array( 53 'description' => __( 'An alphanumeric identifier for the taxonomy.' ), 54 'type' => 'string', 55 ), 56 ), 51 57 array( 52 58 'methods' => WP_REST_Server::READABLE, -
branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
r39871 r39997 97 97 98 98 register_rest_route( $this->namespace, '/' . $this->rest_base . '/(?P<id>[\d]+)', array( 99 'args' => array( 100 'id' => array( 101 'description' => __( 'Unique identifier for the term.' ), 102 'type' => 'integer', 103 ), 104 ), 99 105 array( 100 106 'methods' => WP_REST_Server::READABLE, … … 109 115 'callback' => array( $this, 'update_item' ), 110 116 'permission_callback' => array( $this, 'update_item_permissions_check' ), 111 'args' 117 'args' => $this->get_endpoint_args_for_item_schema( WP_REST_Server::EDITABLE ), 112 118 ), 113 119 array( … … 289 295 290 296 /** 297 * Get the term, if the ID is valid. 298 * 299 * @since 4.7.2 300 * 301 * @param int $id Supplied ID. 302 * @return WP_Term|WP_Error Term object if ID is valid, WP_Error otherwise. 303 */ 304 protected function get_term( $id ) { 305 $error = new WP_Error( 'rest_term_invalid', __( 'Term does not exist.' ), array( 'status' => 404 ) ); 306 307 if ( ! $this->check_is_taxonomy_allowed( $this->taxonomy ) ) { 308 return $error; 309 } 310 311 if ( (int) $id <= 0 ) { 312 return $error; 313 } 314 315 $term = get_term( (int) $id, $this->taxonomy ); 316 if ( empty( $term ) || $term->taxonomy !== $this->taxonomy ) { 317 return $error; 318 } 319 320 return $term; 321 } 322 323 /** 291 324 * Checks if a request has access to read or edit the specified term. 292 325 * … … 298 331 */ 299 332 public function get_item_permissions_check( $request ) { 300 $tax_obj = get_taxonomy( $this->taxonomy ); 301 if ( ! $tax_obj || ! $this->check_is_taxonomy_allowed( $this->taxonomy ) ) { 302 return false; 303 } 304 if ( 'edit' === $request['context'] && ! current_user_can( 'edit_term', (int) $request['id'] ) ) { 333 $term = $this->get_term( $request['id'] ); 334 if ( is_wp_error( $term ) ) { 335 return $term; 336 } 337 338 if ( 'edit' === $request['context'] && ! 
current_user_can( 'edit_term', $term->term_id ) ) { 305 339 return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit this term.' ), array( 'status' => rest_authorization_required_code() ) ); 306 340 } … … 318 352 */ 319 353 public function get_item( $request ) { 320 321 $term = get_term( (int) $request['id'], $this->taxonomy ); 322 323 if ( ! $term || $term->taxonomy !== $this->taxonomy ) { 324 return new WP_Error( 'rest_term_invalid', __( "Term doesn't exist." ), array( 'status' => 404 ) ); 325 } 354 $term = $this->get_term( $request['id'] ); 326 355 327 356 if ( is_wp_error( $term ) ) { … … 446 475 */ 447 476 public function update_item_permissions_check( $request ) { 448 449 if ( ! $this->check_is_taxonomy_allowed( $this->taxonomy ) ) { 450 return false; 451 } 452 453 $term = get_term( (int) $request['id'], $this->taxonomy ); 454 455 if ( ! $term ) { 456 return new WP_Error( 'rest_term_invalid', __( "Term doesn't exist." ), array( 'status' => 404 ) ); 477 $term = $this->get_term( $request['id'] ); 478 if ( is_wp_error( $term ) ) { 479 return $term; 457 480 } 458 481 … … 474 497 */ 475 498 public function update_item( $request ) { 499 $term = $this->get_term( $request['id'] ); 500 if ( is_wp_error( $term ) ) { 501 return $term; 502 } 503 476 504 if ( isset( $request['parent'] ) ) { 477 505 if ( ! is_taxonomy_hierarchical( $this->taxonomy ) ) { … … 488 516 $prepared_term = $this->prepare_item_for_database( $request ); 489 517 490 $term = get_term( (int) $request['id'], $this->taxonomy );491 492 518 // Only update the term if we haz something to update. 493 519 if ( ! empty( $prepared_term ) ) { … … 499 525 } 500 526 501 $term = get_term( (int) $request['id'], $this->taxonomy );527 $term = get_term( $term->term_id, $this->taxonomy ); 502 528 503 529 /* This action is documented in lib/endpoints/class-wp-rest-terms-controller.php */ … … 506 532 $schema = $this->get_item_schema(); 507 533 if ( ! 
empty( $schema['properties']['meta'] ) && isset( $request['meta'] ) ) { 508 $meta_update = $this->meta->update_value( $request['meta'], (int) $request['id']);534 $meta_update = $this->meta->update_value( $request['meta'], $term->term_id ); 509 535 510 536 if ( is_wp_error( $meta_update ) ) { … … 536 562 */ 537 563 public function delete_item_permissions_check( $request ) { 538 if ( ! $this->check_is_taxonomy_allowed( $this->taxonomy ) ) { 539 return false; 540 } 541 542 $term = get_term( (int) $request['id'], $this->taxonomy ); 543 544 if ( ! $term ) { 545 return new WP_Error( 'rest_term_invalid', __( "Term doesn't exist." ), array( 'status' => 404 ) ); 564 $term = $this->get_term( $request['id'] ); 565 if ( is_wp_error( $term ) ) { 566 return $term; 546 567 } 547 568 … … 563 584 */ 564 585 public function delete_item( $request ) { 586 $term = $this->get_term( $request['id'] ); 587 if ( is_wp_error( $term ) ) { 588 return $term; 589 } 565 590 566 591 $force = isset( $request['force'] ) ? (bool) $request['force'] : false; … … 570 595 return new WP_Error( 'rest_trash_not_supported', __( 'Terms do not support trashing. Set force=true to delete.' ), array( 'status' => 501 ) ); 571 596 } 572 573 $term = get_term( (int) $request['id'], $this->taxonomy );574 597 575 598 $request->set_param( 'context', 'view' ); -
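Review bot: In `get_term()` at line 316, the `empty( $term ) || $term->taxonomy !== $this->taxonomy` test does not account for `get_term()` returning a `WP_Error` (it does so for an unregistered taxonomy), in which case `->taxonomy` is read on the error object before the mismatch sends back the generic 404; `check_is_taxonomy_allowed()` at line 307 presumably makes that unreachable, but `if ( empty( $term ) || is_wp_error( $term ) || $term->taxonomy !== $this->taxonomy )` costs nothing and keeps the helper safe if that ordering changes. In `get_item()` at lines 354-357 the existing `is_wp_error()` check already handles the helper's error, so nothing further is needed there. The helper's `WP_Error` at line 305 is built on every call, including successes.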
branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
r39871 r39997 66 66 67 67 register_rest_route( $this->namespace, '/' . $this->rest_base . '/(?P<id>[\d]+)', array( 68 'args' => array( 69 'id' => array( 70 'description' => __( 'Unique identifier for the user.' ), 71 'type' => 'integer', 72 ), 73 ), 68 74 array( 69 75 'methods' => WP_REST_Server::READABLE, … … 327 333 328 334 /** 335 * Get the user, if the ID is valid. 336 * 337 * @since 4.7.2 338 * 339 * @param int $id Supplied ID. 340 * @return WP_User|WP_Error True if ID is valid, WP_Error otherwise. 341 */ 342 protected function get_user( $id ) { 343 $error = new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) ); 344 if ( (int) $id <= 0 ) { 345 return $error; 346 } 347 348 $user = get_userdata( (int) $id ); 349 if ( empty( $user ) || ! $user->exists() ) { 350 return $error; 351 } 352 353 return $user; 354 } 355 356 /** 329 357 * Checks if a given request has access to read a user. 330 358 * … … 336 364 */ 337 365 public function get_item_permissions_check( $request ) { 338 339 $id = (int) $request['id']; 340 $user = get_userdata( $id ); 366 $user = $this->get_user( $request['id'] ); 367 if ( is_wp_error( $user ) ) { 368 return $user; 369 } 370 341 371 $types = get_post_types( array( 'show_in_rest' => true ), 'names' ); 342 372 343 if ( empty( $id ) || empty( $user->ID ) ) { 344 return new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) ); 345 } 346 347 if ( get_current_user_id() === $id ) { 373 if ( get_current_user_id() === $user->ID ) { 348 374 return true; 349 375 } … … 351 377 if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) { 352 378 return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) ); 353 } elseif ( ! count_user_posts( $ id, $types ) && ! current_user_can( 'edit_user', $id) && ! current_user_can( 'list_users' ) ) {379 } elseif ( ! 
count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) { 354 380 return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) ); 355 381 } … … 368 394 */ 369 395 public function get_item( $request ) { 370 $id = (int) $request['id']; 371 $user = get_userdata( $id ); 372 373 if ( empty( $id ) || empty( $user->ID ) ) { 374 return new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) ); 396 $user = $this->get_user( $request['id'] ); 397 if ( is_wp_error( $user ) ) { 398 return $user; 375 399 } 376 400 … … 542 566 */ 543 567 public function update_item_permissions_check( $request ) { 544 545 $id = (int) $request['id']; 546 547 if ( ! current_user_can( 'edit_user', $id ) ) { 568 $user = $this->get_user( $request['id'] ); 569 if ( is_wp_error( $user ) ) { 570 return $user; 571 } 572 573 if ( ! current_user_can( 'edit_user', $user->ID ) ) { 548 574 return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) ); 549 575 } … … 566 592 */ 567 593 public function update_item( $request ) { 568 $id = (int) $request['id']; 569 $user = get_userdata( $id ); 594 $user = $this->get_user( $request['id'] ); 595 if ( is_wp_error( $user ) ) { 596 return $user; 597 } 598 599 $id = $user->ID; 570 600 571 601 if ( ! $user ) { … … 682 712 */ 683 713 public function delete_item_permissions_check( $request ) { 684 685 $id = (int) $request['id']; 686 687 if ( ! current_user_can( 'delete_user', $id ) ) { 714 $user = $this->get_user( $request['id'] ); 715 if ( is_wp_error( $user ) ) { 716 return $user; 717 } 718 719 if ( ! current_user_can( 'delete_user', $user->ID ) ) { 688 720 return new WP_Error( 'rest_user_cannot_delete', __( 'Sorry, you are not allowed to delete this user.' 
), array( 'status' => rest_authorization_required_code() ) ); 689 721 } … … 706 738 return new WP_Error( 'rest_cannot_delete', __( 'The user cannot be deleted.' ), array( 'status' => 501 ) ); 707 739 } 708 709 $id = (int) $request['id']; 740 $user = $this->get_user( $request['id'] ); 741 if ( is_wp_error( $user ) ) { 742 return $user; 743 } 744 745 $id = $user->ID; 710 746 $reassign = false === $request['reassign'] ? null : absint( $request['reassign'] ); 711 747 $force = isset( $request['force'] ) ? (bool) $request['force'] : false; … … 714 750 if ( ! $force ) { 715 751 return new WP_Error( 'rest_trash_not_supported', __( 'Users do not support trashing. Set force=true to delete.' ), array( 'status' => 501 ) ); 716 }717 718 $user = get_userdata( $id );719 720 if ( ! $user ) {721 return new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) );722 752 } 723 753 -
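Review bot: The docblock on the new get_user() helper is wrong about its own contract: `@return WP_User|WP_Error True if ID is valid, WP_Error otherwise.` describes a boolean, but the method returns the WP_User object on success, so it should read `@return WP_User|WP_Error The user object if the ID is valid, WP_Error otherwise.` In update_item(), once `$user = $this->get_user( $request['id'] );` has returned past the is_wp_error() guard and `$id = $user->ID;` is set, the old `if ( ! $user ) {` branch that still follows can no longer be reached and should be removed rather than left as dead code; update_item()'s body continues outside the hunk. The `'type' => 'integer'` on the route's `id` arg together with the `(int) $id <= 0` rejection in get_user() is presumably what now prevents a non-numeric or zero id from reaching get_userdata(), so a short comment on get_user() saying it is the single place every per-user callback must resolve the id through would help keep future callbacks from reverting to `(int) $request['id']` directly.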
branches/4.7/src/wp-includes/version.php
r39871 r39997 5 5 * @global string $wp_version 6 6 */ 7 $wp_version = '4.7. 1-src';7 $wp_version = '4.7.2-src'; 8 8 9 9 /** -
branches/4.7/tests/phpunit/tests/comment/wpComment.php
r39871 r39997 53 53 * @ticket 37738 54 54 */ 55 public function test_get_instance_should_fail_for_bool() {56 $found = WP_Comment::get_instance( true );57 58 $this->assertFalse( $found );59 }60 61 /**62 * @ticket 3773863 */64 55 public function test_get_instance_should_succeed_for_float_that_is_equal_to_post_id() { 65 56 $found = WP_Comment::get_instance( 1.0 ); … … 67 58 $this->assertEquals( 1, $found->comment_ID ); 68 59 } 69 70 /**71 * @ticket 3773872 */73 public function test_get_instance_should_fail_for_float() {74 $found = WP_Comment::get_instance( 1.6 );75 76 $this->assertFalse( $found );77 }78 79 /**80 * @ticket 3773881 */82 public function test_get_instance_should_fail_for_array() {83 $found = WP_Comment::get_instance( array( 1 ) );84 85 $this->assertFalse( $found );86 }87 88 /**89 * @ticket 3773890 */91 public function test_get_instance_should_fail_for_class() {92 $class = new stdClass();93 $found = WP_Comment::get_instance( $class );94 95 $this->assertFalse( $found );96 }97 60 } -
branches/4.7/tests/phpunit/tests/post/wpPost.php
r39871 r39997 51 51 * @ticket 37738 52 52 */ 53 public function test_get_instance_should_fail_for_bool() {54 $found = WP_Post::get_instance( true );55 56 $this->assertFalse( $found );57 }58 59 /**60 * @ticket 3773861 */62 53 public function test_get_instance_should_succeed_for_float_that_is_equal_to_post_id() { 63 54 $found = WP_Post::get_instance( 1.0 ); … … 65 56 $this->assertSame( 1, $found->ID ); 66 57 } 67 68 /**69 * @ticket 3773870 */71 public function test_get_instance_should_fail_for_float() {72 $found = WP_Post::get_instance( 1.6 );73 74 $this->assertFalse( $found );75 }76 77 /**78 * @ticket 3773879 */80 public function test_get_instance_should_fail_for_array() {81 $found = WP_Post::get_instance( array( 1 ) );82 83 $this->assertFalse( $found );84 }85 86 /**87 * @ticket 3773888 */89 public function test_get_instance_should_fail_for_class() {90 $class = new stdClass();91 $found = WP_Post::get_instance( $class );92 93 $this->assertFalse( $found );94 }95 58 } -
branches/4.7/tests/phpunit/tests/rest-api/rest-attachments-controller.php
r39871 r39997 183 183 $keys = array_keys( $data['endpoints'][0]['args'] ); 184 184 sort( $keys ); 185 $this->assertEquals( array( 'context' ), $keys );185 $this->assertEquals( array( 'context', 'id' ), $keys ); 186 186 } 187 187 -
branches/4.7/tests/phpunit/tests/rest-api/rest-comments-controller.php
r39871 r39997 836 836 837 837 $response = $this->server->dispatch( $request ); 838 $this->assertErrorResponse( 'rest_ cannot_read', $response, 401);838 $this->assertErrorResponse( 'rest_post_invalid_id', $response, 404 ); 839 839 } 840 840 -
branches/4.7/tests/phpunit/tests/rest-api/rest-posts-controller.php
r39871 r39997 128 128 $keys = array_keys( $data['endpoints'][0]['args'] ); 129 129 sort( $keys ); 130 $this->assertEquals( array( 'context', ' password' ), $keys );130 $this->assertEquals( array( 'context', 'id', 'password' ), $keys ); 131 131 } 132 132 -
branches/4.7/tests/phpunit/tests/rest-api/rest-users-controller.php
r39871 r39997 1850 1850 $response = $this->server->dispatch( $request ); 1851 1851 1852 // Not implemented in multisite.1853 if ( is_multisite() ) {1854 $this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );1855 return;1856 }1857 1858 1852 $this->assertErrorResponse( 'rest_user_invalid_id', $response, 404 ); 1859 1853 } -
branches/4.7/tests/phpunit/tests/term/wpTerm.php
r39871 r39997 64 64 * @ticket 37738 65 65 */ 66 public function test_get_instance_should_fail_for_bool() {67 $found = WP_Term::get_instance( true );68 69 $this->assertFalse( $found );70 }71 72 /**73 * @ticket 3773874 */75 66 public function test_get_instance_should_succeed_for_float_that_is_equal_to_post_id() { 76 67 $found = WP_Term::get_instance( 1.0 ); … … 78 69 $this->assertSame( 1, $found->term_id ); 79 70 } 80 81 /**82 * @ticket 3773883 */84 public function test_get_instance_should_fail_for_float() {85 $found = WP_Term::get_instance( 1.6 );86 87 $this->assertFalse( $found );88 }89 90 /**91 * @ticket 3773892 */93 public function test_get_instance_should_fail_for_array() {94 $found = WP_Term::get_instance( array( 1 ) );95 96 $this->assertFalse( $found );97 }98 99 /**100 * @ticket 37738101 */102 public function test_get_instance_should_fail_for_class() {103 $class = new stdClass();104 $found = WP_Term::get_instance( $class );105 106 $this->assertFalse( $found );107 }108 71 }