
Changeset 41035


Timestamp:
07/12/2017 10:50:57 PM (7 years ago)
Author:
westonruter
Message:

REST API: Remove _wpnonce value from being used in hashed oEmbed proxy cache key.

Amends [40628].
Props r-a-y, westonruter.
See #40450.
Fixes #41048.

Location:
trunk
Files:
2 edited

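--- a/trunk/src/wp-includes/class-wp-oembed-controller.php
+++ b/trunk/src/wp-includes/class-wp-oembed-controller.php
@@ -160,3 +160,4 @@
 
         // Serve oEmbed data from cache if set.
+        unset( $args['_wpnonce'] );
         $cache_key = 'oembed_' . md5( serialize( $args ) );
         $data = get_transient( $cache_key );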
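Review bot: The added `unset( $args['_wpnonce'] );` carries no comment explaining why the nonce is dropped, and the reason matters for security review: once the nonce is out of `$args`, the transient key no longer varies by user or session, so one cached provider response is served to every caller of the proxy. I would add `// The nonce is per-user and short-lived; leaving it in would give each user and nonce its own transient.` above the unset. Because the key now carries no caller identity, the route's permission check has to run before this cache read; the hunk does not show that, and the enclosing method starts and ends outside it, so it is worth confirming. `$args` is still passed whole to `serialize()`, so any other request parameter that reaches it (not visible here) would continue to produce a distinct transient.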
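--- a/trunk/tests/phpunit/tests/oembed/controller.php
+++ b/trunk/tests/phpunit/tests/oembed/controller.php
@@ -11,4 +11,5 @@
     protected $server;
     protected static $editor;
+    protected static $administrator;
     protected static $subscriber;
     const YOUTUBE_VIDEO_ID = 'OQSNhk5ICTI';
@@ -22,4 +23,8 @@
             'role'       => 'editor',
             'user_email' => 'editor@example.com',
+        ) );
+        self::$administrator = $factory->user->create( array(
+            'role'       => 'administrator',
+            'user_email' => 'administrator@example.com',
         ) );
     }
@@ -478,7 +483,7 @@
     public function test_proxy_with_valid_oembed_provider() {
         wp_set_current_user( self::$editor );
-
         $request = new WP_REST_Request( 'GET', '/oembed/1.0/proxy' );
         $request->set_param( 'url', 'https://www.youtube.com/watch?v=' . self::YOUTUBE_VIDEO_ID );
+        $request->set_param( '_wpnonce', wp_create_nonce( 'wp_rest' ) );
         $response = $this->server->dispatch( $request );
         $this->assertEquals( 200, $response->get_status() );
@@ -486,4 +491,12 @@
 
         // Subsequent request is cached and so it should not cause a request.
+        $this->server->dispatch( $request );
+        $this->assertEquals( 1, $this->request_count );
+
+        // Rest with another user should also be cached.
+        wp_set_current_user( self::$administrator );
+        $request = new WP_REST_Request( 'GET', '/oembed/1.0/proxy' );
+        $request->set_param( 'url', 'https://www.youtube.com/watch?v=' . self::YOUTUBE_VIDEO_ID );
+        $request->set_param( '_wpnonce', wp_create_nonce( 'wp_rest' ) );
         $response = $this->server->dispatch( $request );
         $this->assertEquals( 1, $this->request_count );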
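Review bot: The two cache-hit dispatches assert only `request_count`: the result of the bare `$this->server->dispatch( $request );` is discarded, and the administrator's `$response` is not checked in the visible lines, so a cached path that returned an error or an empty body would still pass. I would capture the response and add `$this->assertEquals( 200, $response->get_status() );` after each cached dispatch. It would also help to compare `$response->get_data()` with the first response, unless the rest of the method already does so; the method continues past this hunk. The comment `// Rest with another user should also be cached.` presumably means "Request".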