WordPress.org

Make WordPress Core


Ignore:
Timestamp:
11/15/2018 12:56:54 PM (11 months ago)
Author:
danielbachhuber
Message:

REST API: Avoid using 'parent' as path argument name for autosaves.

When 'parent' is set as the path argument name, it gets passed down through to the create_item() method and can erroneously reset the 'parent' value on the post itself. Instead, we rename the argument to 'id' and replicate the revision controller's get_items_permissions_check() to instead reference 'id'.

Also ensures revision query params (of which there are many) aren't exposed as the query params for autosaves (of which there are two).

Props TimothyBlynJacobs.
See #43316.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php

    r43768 r43897  
    8080        register_rest_route(
    8181            $this->rest_namespace,
    82             '/' . $this->parent_base . '/(?P<parent>[\d]+)/' . $this->rest_base,
     82            '/' . $this->parent_base . '/(?P<id>[\d]+)/' . $this->rest_base,
    8383            array(
    8484                'args'   => array(
     
    9191                    'methods'             => WP_REST_Server::READABLE,
    9292                    'callback'            => array( $this, 'get_items' ),
    93                     'permission_callback' => array( $this->revisions_controller, 'get_items_permissions_check' ),
     93                    'permission_callback' => array( $this, 'get_items_permissions_check' ),
    9494                    'args'                => $this->get_collection_params(),
    9595                ),
     
    9898                    'callback'            => array( $this, 'create_item' ),
    9999                    'permission_callback' => array( $this, 'create_item_permissions_check' ),
    100                     'args'                => $this->get_endpoint_args_for_item_schema( WP_REST_Server::CREATABLE ),
     100                    'args'                => $this->parent_controller->get_endpoint_args_for_item_schema( WP_REST_Server::EDITABLE ),
    101101                ),
    102102                'schema' => array( $this, 'get_public_item_schema' ),
     
    145145
    146146    /**
     147     * Checks if a given request has access to get autosaves.
     148     *
     149     * @since 5.0.0
     150     *
     151     * @param WP_REST_Request $request Full data about the request.
     152     * @return true|WP_Error True if the request has read access, WP_Error object otherwise.
     153     */
     154    public function get_items_permissions_check( $request ) {
     155        $parent = $this->get_parent( $request['id'] );
     156        if ( is_wp_error( $parent ) ) {
     157            return $parent;
     158        }
     159
     160        $parent_post_type_obj = get_post_type_object( $parent->post_type );
     161        if ( ! current_user_can( $parent_post_type_obj->cap->edit_post, $parent->ID ) ) {
     162            return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to view autosaves of this post.' ), array( 'status' => rest_authorization_required_code() ) );
     163        }
     164
     165        return true;
     166    }
     167
     168    /**
    147169     * Checks if a given request has access to create an autosave revision.
    148170     *
     
    178200        }
    179201
    180         $post = get_post( $request->get_param( 'id' ) );
     202        $post = get_post( $request['id'] );
    181203
    182204        if ( is_wp_error( $post ) ) {
     
    246268     */
    247269    public function get_items( $request ) {
    248         $parent = $this->get_parent( $request->get_param( 'parent' ) );
     270        $parent = $this->get_parent( $request['id'] );
    249271        if ( is_wp_error( $parent ) ) {
    250272            return $parent;
     
    390412        return apply_filters( 'rest_prepare_autosave', $response, $post, $request );
    391413    }
     414
     415    /**
     416     * Retrieves the query params for the autosaves collection.
     417     *
     418     * @since 5.0.0
     419     *
     420     * @return array Collection parameters.
     421     */
     422    public function get_collection_params() {
     423        return array(
     424            'context' => $this->get_context_param( array( 'default' => 'view' ) ),
     425        );
     426    }
    392427}
Note: See TracChangeset for help on using the changeset viewer.