
Changeset 43682


Timestamp:
10/08/2018 10:44:05 PM (6 years ago)
Author:
danielbachhuber
Message:

REST API: Declare unfiltered_html capability in links.

Because user capabilities can be modified at runtime, the REST API needs to expose them in some evaluated but declarative manner for clients to interpret. JSON Hyper Schema targetSchema provides an appropriate paradigm for doing so.

Props timothyblynjacobs.
Fixes #45014.

Location:
branches/5.0
Files:
2 edited

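--- a/branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -1769,4 +1769,8 @@
         if ( 'attachment' !== $this->post_type && current_user_can( $post_type->cap->publish_posts ) ) {
             $rels[] = 'https://api.w.org/action-publish';
+        }
+
+        if ( current_user_can( 'unfiltered_html' ) ) {
+            $rels[] = 'https://api.w.org/action-unfiltered-html';
         }
 
@@ -2180,4 +2184,20 @@
         }
 
+        $links[] = array(
+            'rel'          => 'https://api.w.org/action-unfiltered-html',
+            'title'        => __( 'The current user can post unfiltered HTML markup and JavaScript.' ),
+            'href'         => $href,
+            'targetSchema' => array(
+                'type'        => 'object',
+                'properties'  => array(
+                    'content' => array(
+                        'raw' => array(
+                            'type' => 'string',
+                        ),
+                    ),
+                ),
+            ),
+        );
+
         if ( 'post' === $this->post_type ) {
             $links[] = array(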
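Review bot: The `targetSchema` added in the second hunk nests `raw` directly under `content` with no `type`/`properties` wrapper, so in JSON Schema terms `raw` is an unknown keyword on the `content` schema rather than a declared property, and a client or validator walking `properties` will not find `content.raw`. If the intent is to describe the `content.raw` string, make it `'content' => array( 'type' => 'object', 'properties' => array( 'raw' => array( 'type' => 'string' ) ) )`. A short comment above the block would also help the next reader, e.g. `// Advisory only: whether submitted HTML is actually filtered is still decided by kses on save, not by this link.` — I am inferring the enforcement path, since it is not in this hunk. Both hunks sit inside functions whose bodies start and end outside the diff.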
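--- a/branches/5.0/tests/phpunit/tests/rest-api/rest-posts-controller.php
+++ b/branches/5.0/tests/phpunit/tests/rest-api/rest-posts-controller.php
@@ -3591,4 +3591,40 @@
     }
 
+    public function test_assign_unfiltered_html_action_superadmin() {
+        $post_id = self::factory()->post->create();
+        wp_set_current_user( self::$superadmin_id );
+        $request = new WP_REST_Request( 'GET', '/wp/v2/posts/' . $post_id );
+        $request->set_param( 'context', 'edit' );
+        $response = rest_do_request( $request );
+        $links    = $response->get_links();
+        $this->assertArrayHasKey( 'https://api.w.org/action-unfiltered-html', $links );
+    }
+
+    public function test_assign_unfiltered_html_action_editor() {
+        $post_id = self::factory()->post->create();
+        wp_set_current_user( self::$editor_id );
+        $request = new WP_REST_Request( 'GET', '/wp/v2/posts/' . $post_id );
+        $request->set_param( 'context', 'edit' );
+        $response = rest_do_request( $request );
+        $links    = $response->get_links();
+        // Editors can only unfiltered html on single site.
+        if ( is_multisite() ) {
+            $this->assertArrayNotHasKey( 'https://api.w.org/action-unfiltered-html', $links );
+        } else {
+            $this->assertArrayHasKey( 'https://api.w.org/action-unfiltered-html', $links );
+        }
+    }
+
+    public function test_assign_unfiltered_html_action_author() {
+        $post_id = self::factory()->post->create();
+        wp_set_current_user( self::$author_id );
+        $request = new WP_REST_Request( 'GET', '/wp/v2/posts/' . $post_id );
+        $request->set_param( 'context', 'edit' );
+        $response = rest_do_request( $request );
+        $links    = $response->get_links();
+        // Authors can't ever unfiltered html
+        $this->assertArrayNotHasKey( 'https://api.w.org/action-unfiltered-html', $links );
+    }
+
     public function tearDown() {
         _unregister_post_type( 'youseeeme' );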
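Review bot: The single-site branch of `test_assign_unfiltered_html_action_editor` asserts the link is present, but unless I misremember core's capability mapping, `unfiltered_html` is also withheld on single site when `DISALLOW_UNFILTERED_HTML` is defined, so that assertion depends on the test environment's configuration rather than on the code under test. Mirror the capability rule instead of `is_multisite()` alone, e.g. `if ( is_multisite() || ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) ) {`, and tighten the comment to `// Editors only hold unfiltered_html on single site, and only if DISALLOW_UNFILTERED_HTML is not set.`. The three tests repeat the same create-post/set-user/request/get-links setup; a small private helper returning `$response->get_links()` for a given user id would remove that duplication. None of the tests checks that the link is absent without `context=edit`, which would pin that the action is only advertised in the edit context, assuming that is how `get_available_actions` is wired.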