

Timestamp:
01/30/2018 12:20:37 AM (7 years ago)
Author:
westonruter
Message:

Customize: Ensure customize_autosaved requests only use revision of logged-in user.

Props dlh, westonruter.
See #42433, #39896.
Fixes #42450.

File:
1 edited

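--- a/trunk/src/wp-includes/class-wp-customize-manager.php
+++ b/trunk/src/wp-includes/class-wp-customize-manager.php
@@ -1142,5 +1142,5 @@
             $this->_changeset_data = array();
         } else {
-            if ( $this->autosaved() ) {
+            if ( $this->autosaved() && is_user_logged_in() ) {
                 $autosave_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
                 if ( $autosave_post ) {
@@ -2903,8 +2903,10 @@
                 $r                       = wp_update_post( wp_slash( $post_array ), true );
 
-                // Delete autosave revision when the changeset is updated.
-                $autosave_draft = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
-                if ( $autosave_draft ) {
-                    wp_delete_post( $autosave_draft->ID, true );
+                // Delete autosave revision for user when the changeset is updated.
+                if ( ! empty( $args['user_id'] ) ) {
+                    $autosave_draft = wp_get_post_autosave( $changeset_post_id, $args['user_id'] );
+                    if ( $autosave_draft ) {
+                        wp_delete_post( $autosave_draft->ID, true );
+                    }
                 }
             }
@@ -3549,4 +3551,9 @@
      */
     public function handle_dismiss_autosave_or_lock_request() {
+        // Calls to dismiss_user_auto_draft_changesets() and wp_get_post_autosave() require non-zero get_current_user_id().
+        if ( ! is_user_logged_in() ) {
+            wp_send_json_error( 'unauthenticated', 401 );
+        }
+
         if ( ! $this->is_preview() ) {
             wp_send_json_error( 'not_preview', 400 );
@@ -4650,5 +4657,7 @@
         if ( ! $this->saved_starter_content_changeset && ! $this->autosaved() ) {
             if ( $changeset_post_id ) {
-                $autosave_revision_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
+                if ( is_user_logged_in() ) {
+                    $autosave_revision_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
+                }
             } else {
                 $autosave_autodraft_posts = $this->get_changeset_posts(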
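Review bot: In the last hunk (new lines 4659–4661), `$autosave_revision_post` is now assigned only on the logged-in path, so an anonymous request that does carry a `$changeset_post_id` leaves the variable unset unless it is initialized before this block; any later read of it in that case would be an undefined-variable notice rather than the "no autosave" result the guard intends. The initialization, if one exists, and the later use are both outside the hunk, as is the enclosing method, so this is inferred from the visible lines only. A shape that keeps the variable defined on both paths is `$autosave_revision_post = is_user_logged_in() ? wp_get_post_autosave( $changeset_post_id, get_current_user_id() ) : null;`. The same consideration applies to the first hunk (new line 1144) only if the `else` branch later reads `$autosave_post` without the inner `if`, which cannot be seen here.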