Changeset 42620


Timestamp:
01/30/2018 02:43:55 PM (2 years ago)
Author:
SergeyBiryukov
Message:

Customize: Ensure customize_autosaved requests only use revision of logged-in user.

Props dlh, westonruter.
See #42433, #39896.
Merges [42615] to the 4.9 branch.
Fixes #42450.

Location:
branches/4.9
Files:
4 edited


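--- a/branches/4.9/src/wp-includes/class-wp-customize-manager.php
+++ b/branches/4.9/src/wp-includes/class-wp-customize-manager.php
@@ -1136,5 +1136,5 @@
             $this->_changeset_data = array();
         } else {
-            if ( $this->autosaved() ) {
+            if ( $this->autosaved() && is_user_logged_in() ) {
                 $autosave_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
                 if ( $autosave_post ) {
@@ -2879,8 +2879,10 @@
                 $r = wp_update_post( wp_slash( $post_array ), true );
 
-                // Delete autosave revision when the changeset is updated.
-                $autosave_draft = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
-                if ( $autosave_draft ) {
-                    wp_delete_post( $autosave_draft->ID, true );
+                // Delete autosave revision for user when the changeset is updated.
+                if ( ! empty( $args['user_id'] ) ) {
+                    $autosave_draft = wp_get_post_autosave( $changeset_post_id, $args['user_id'] );
+                    if ( $autosave_draft ) {
+                        wp_delete_post( $autosave_draft->ID, true );
+                    }
                 }
             }
@@ -3494,4 +3496,9 @@
      */
     public function handle_dismiss_autosave_or_lock_request() {
+        // Calls to dismiss_user_auto_draft_changesets() and wp_get_post_autosave() require non-zero get_current_user_id().
+        if ( ! is_user_logged_in() ) {
+            wp_send_json_error( 'unauthenticated', 401 );
+        }
+
         if ( ! $this->is_preview() ) {
             wp_send_json_error( 'not_preview', 400 );
@@ -4575,5 +4582,7 @@
         if ( ! $this->saved_starter_content_changeset && ! $this->autosaved() ) {
             if ( $changeset_post_id ) {
-                $autosave_revision_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
+                if ( is_user_logged_in() ) {
+                    $autosave_revision_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
+                }
             } else {
                 $autosave_autodraft_posts = $this->get_changeset_posts( array(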
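Review bot: The new `is_user_logged_in()` guards at 1138 and 4584 carry no explanation of why the lookup is unsafe without a user, while the equivalent guard at 3498 does; a later reader is likely to drop one of them as redundant with `get_current_user_id()`. The commit message and the 3498 comment indicate that `wp_get_post_autosave()` is only scoped to a user when given a non-zero ID, so an anonymous `customize_autosaved` request would presumably have been handed some other user's autosave — worth stating at the call site: `// wp_get_post_autosave() is only user-scoped for a non-zero user ID; never consult an autosave for an anonymous request. See #42450.` The same note belongs at 4584, and the enclosing methods of all four hunks start and end outside the diff. At 2882 the deletion is now keyed by `$args['user_id']` instead of the current user; if that key can be absent or zero for a legitimately logged-in caller, the stale autosave would now survive silently, so confirm the default it receives earlier in the method.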
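--- a/branches/4.9/tests/phpunit/tests/ajax/CustomizeManager.php
+++ b/branches/4.9/tests/phpunit/tests/ajax/CustomizeManager.php
@@ -521,6 +521,14 @@
      */
     public function test_handle_dismiss_autosave_or_lock_request() {
-        $uuid = wp_generate_uuid4();
-        $wp_customize = $this->set_up_valid_state( $uuid );
+        $uuid          = wp_generate_uuid4();
+        $wp_customize  = $this->set_up_valid_state( $uuid );
+        $valid_user_id = get_current_user_id();
+
+        // Temporarily remove user to test requirement that user is logged in. See #42450.
+        wp_set_current_user( 0 );
+        $this->make_ajax_call( 'customize_dismiss_autosave_or_lock' );
+        $this->assertFalse( $this->_last_response_parsed['success'] );
+        $this->assertEquals( 'unauthenticated', $this->_last_response_parsed['data'] );
+        wp_set_current_user( $valid_user_id );
 
         $this->make_ajax_call( 'customize_dismiss_autosave_or_lock' );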
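Review bot: The new assertion at 531 uses `assertEquals` for a string payload, which compares loosely; `$this->assertSame( 'unauthenticated', $this->_last_response_parsed['data'] );` pins both type and value. The restore at 532 relies on `set_up_valid_state()` (outside this hunk) having established a non-zero user, so `$valid_user_id` should be checked before the anonymous call, e.g. `$this->assertNotSame( 0, $valid_user_id );`, otherwise the 'unauthenticated' expectation would hold trivially and the logged-in path exercised below would be the anonymous one again. The test method continues past the hunk.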
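--- a/branches/4.9/tests/phpunit/tests/customize/manager.php
+++ b/branches/4.9/tests/phpunit/tests/customize/manager.php
@@ -499,4 +499,14 @@
             wp_list_pluck( $wp_customize->changeset_data(), 'value' )
         );
+
+        // If there is no user, don't fetch the most recent autosave. See #42450.
+        wp_set_current_user( 0 );
+        $wp_customize = new WP_Customize_Manager(
+            array(
+                'changeset_uuid' => $uuid,
+                'autosaved'      => true,
+            )
+        );
+        $this->assertEquals( $data, $wp_customize->changeset_data() );
     }
 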
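Review bot: The assertion at 510 only shows that the anonymous `autosaved => true` manager returns `$data`, a value defined above the hunk; unless `$data` is known to differ from the autosave written earlier in this test, the check does not demonstrate that the autosave was withheld. A second, explicit assertion that the autosaved values are absent from `$wp_customize->changeset_data()` (using whatever variable holds the autosave payload earlier in the test, not visible here) would make the #42450 regression test self-evident. `assertSame` would also be the stricter choice over `assertEquals` for this array comparison. The test method starts outside the hunk.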