Changeset 43897 for branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php

Timestamp:

11/15/2018 12:56:54 PM (5 years ago)

Author:

danielbachhuber

Message:

REST API: Avoid using 'parent' as path argument name for autosaves.

When 'parent' is set as the path argument name, it gets passed down through to the create_item() method and can erroneously reset the 'parent' value on the post itself. Instead, we rename the argument to 'id' and replicate the revision controller's get_items_permissions_check() to instead reference 'id'.

Also ensures revision query params (of which there are many) aren't exposed as the query params for autosaves (of which there are two).

Props TimothyBlynJacobs.
See #43316.

File:

• branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php (modified) (7 diffs)

branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php

@@ -80 +80 @@
         register_rest_route(
             $this->rest_namespace,
-            '/' . $this->parent_base . '/(?P<parent>[\d]+)/' . $this->rest_base,
+            '/' . $this->parent_base . '/(?P<id>[\d]+)/' . $this->rest_base,
             array(
                 'args'   => array(
@@ -91 +91 @@
                     'methods'             => WP_REST_Server::READABLE,
                     'callback'            => array( $this, 'get_items' ),
-                    'permission_callback' => array( $this->revisions_controller, 'get_items_permissions_check' ),
+                    'permission_callback' => array( $this, 'get_items_permissions_check' ),
                     'args'                => $this->get_collection_params(),
                 ),
@@ -98 +98 @@
                     'callback'            => array( $this, 'create_item' ),
                     'permission_callback' => array( $this, 'create_item_permissions_check' ),
-                    'args'                => $this->get_endpoint_args_for_item_schema( WP_REST_Server::CREATABLE ),
+                    'args'                => $this->parent_controller->get_endpoint_args_for_item_schema( WP_REST_Server::EDITABLE ),
                 ),
                 'schema' => array( $this, 'get_public_item_schema' ),
@@ -145 +145 @@
 
     /**
+     * Checks if a given request has access to get autosaves.
+     *
+     * @since 5.0.0
+     *
+     * @param WP_REST_Request $request Full data about the request.
+     * @return true|WP_Error True if the request has read access, WP_Error object otherwise.
+     */
+    public function get_items_permissions_check( $request ) {
+        $parent = $this->get_parent( $request['id'] );
+        if ( is_wp_error( $parent ) ) {
+            return $parent;
+        }
+
+        $parent_post_type_obj = get_post_type_object( $parent->post_type );
+        if ( ! current_user_can( $parent_post_type_obj->cap->edit_post, $parent->ID ) ) {
+            return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to view autosaves of this post.' ), array( 'status' => rest_authorization_required_code() ) );
+        }
+
+        return true;
+    }
+
+    /**
      * Checks if a given request has access to create an autosave revision.
      *
@@ -178 +200 @@
         }
 
-        $post = get_post( $request->get_param( 'id' ) );
+        $post = get_post( $request['id'] );
 
         if ( is_wp_error( $post ) ) {
@@ -246 +268 @@
      */
     public function get_items( $request ) {
-        $parent = $this->get_parent( $request->get_param( 'parent' ) );
+        $parent = $this->get_parent( $request['id'] );
         if ( is_wp_error( $parent ) ) {
             return $parent;
@@ -390 +412 @@
         return apply_filters( 'rest_prepare_autosave', $response, $post, $request );
     }
+
+    /**
+     * Retrieves the query params for the autosaves collection.
+     *
+     * @since 5.0.0
+     *
+     * @return array Collection parameters.
+     */
+    public function get_collection_params() {
+        return array(
+            'context' => $this->get_context_param( array( 'default' => 'view' ) ),
+        );
+    }
 }