Changeset 50718
- Timestamp:
- 04/14/2021 11:25:28 PM (4 years ago)
- Location:
- branches/5.7
- Files:
-
- 3 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/5.7
-
branches/5.7/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
r50157 r50718 31 31 */ 32 32 protected $meta; 33 34 /** 35 * Passwordless post access permitted. 36 * 37 * @since 5.7.1 38 * @var int[] 39 */ 40 protected $password_check_passed = array(); 33 41 34 42 /** … … 150 158 151 159 /** 160 * Override the result of the post password check for REST requested posts. 161 * 162 * Allow users to read the content of password protected posts if they have 163 * previously passed a permission check or if they have the `edit_post` capability 164 * for the post being checked. 165 * 166 * @since 5.7.1 167 * 168 * @param bool $required Whether the post requires a password check. 169 * @param WP_Post $post The post been password checked. 170 * @return bool Result of password check taking in to account REST API considerations. 171 */ 172 public function check_password_required( $required, $post ) { 173 if ( ! $required ) { 174 return $required; 175 } 176 177 $post = get_post( $post ); 178 179 if ( ! $post ) { 180 return $required; 181 } 182 183 if ( ! empty( $this->password_check_passed[ $post->ID ] ) ) { 184 // Password previously checked and approved. 185 return false; 186 } 187 188 return ! current_user_can( 'edit_post', $post->ID ); 189 } 190 191 /** 152 192 * Retrieves a collection of posts. 153 193 * … … 315 355 // Allow access to all password protected posts if the context is edit. 316 356 if ( 'edit' === $request['context'] ) { 317 add_filter( 'post_password_required', '__return_false');357 add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 ); 318 358 } 319 359 … … 331 371 // Reset filter. 332 372 if ( 'edit' === $request['context'] ) { 333 remove_filter( 'post_password_required', '__return_false');373 remove_filter( 'post_password_required', array( $this, 'check_password_required' ) ); 334 374 } 335 375 … … 446 486 // Allow access to all password protected posts if the context is edit. 447 487 if ( 'edit' === $request['context'] ) { 448 add_filter( 'post_password_required', '__return_false');488 add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 ); 449 489 } 450 490 … … 474 514 } 475 515 476 // Edit context always gets access to password-protected posts. 477 if ( 'edit' === $request['context'] ) { 516 /* 517 * Users always gets access to password protected content in the edit 518 * context if they have the `edit_post` meta capability. 519 */ 520 if ( 521 'edit' === $request['context'] && 522 current_user_can( 'edit_post', $post->ID ) 523 ) { 478 524 return true; 479 525 } … … 1705 1751 1706 1752 if ( $this->can_access_password_content( $post, $request ) ) { 1753 $this->password_check_passed[ $post->ID ] = true; 1707 1754 // Allow access to the post, permissions already checked before. 1708 add_filter( 'post_password_required', '__return_false');1755 add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 ); 1709 1756 1710 1757 $has_password_filter = true; … … 1744 1791 if ( $has_password_filter ) { 1745 1792 // Reset filter. 1746 remove_filter( 'post_password_required', '__return_false');1793 remove_filter( 'post_password_required', array( $this, 'check_password_required' ) ); 1747 1794 } 1748 1795 -
branches/5.7/tests/phpunit/tests/rest-api/rest-posts-controller.php
r50284 r50718 1819 1819 1820 1820 $this->assertErrorResponse( 'rest_forbidden', $response, 401 ); 1821 } 1822 1823 public function test_get_post_draft_edit_context() { 1824 $post_content = 'Hello World!'; 1825 $this->factory->post->create( 1826 array( 1827 'post_title' => 'Hola', 1828 'post_password' => 'password', 1829 'post_content' => $post_content, 1830 'post_excerpt' => $post_content, 1831 'post_author' => self::$editor_id, 1832 ) 1833 ); 1834 $draft_id = $this->factory->post->create( 1835 array( 1836 'post_status' => 'draft', 1837 'post_author' => self::$contributor_id, 1838 'post_content' => '<!-- wp:latest-posts {"displayPostContent":true} /--> <!-- wp:latest-posts {"displayPostContent":true,"displayPostContentRadio":"full_post"} /-->', 1839 ) 1840 ); 1841 wp_set_current_user( self::$contributor_id ); 1842 $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/posts/%d', $draft_id ) ); 1843 $request->set_param( 'context', 'edit' ); 1844 $response = rest_get_server()->dispatch( $request ); 1845 $data = $response->get_data(); 1846 $this->assertNotContains( $post_content, $data['content']['rendered'] ); 1821 1847 } 1822 1848
Note: See TracChangeset
for help on using the changeset viewer.