Changeset 50726 for branches/5.6/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

Timestamp:

04/15/2021 01:06:00 AM (5 years ago)

Author:

desrosj

Message:

Grouped merges for 5.6.3.

• REST API: Allow authors to read their own password protected posts.
• About page update.

Merges [50717] to the 5.6 branch.

Location:

branches/5.6

Files:

• . (modified) (1 prop)
• src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php (modified) (8 diffs)

branches/5.6/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

@@ -31 +31 @@
      */
     protected $meta;
+
+    /**
+     * Passwordless post access permitted.
+     *
+     * @since 5.7.1
+     * @var int[]
+     */
+    protected $password_check_passed = array();
 
     /**
@@ -147 +155 @@
 
         return true;
+    }
+
+    /**
+     * Override the result of the post password check for REST requested posts.
+     *
+     * Allow users to read the content of password protected posts if they have
+     * previously passed a permission check or if they have the `edit_post` capability
+     * for the post being checked.
+     *
+     * @since 5.7.1
+     *
+     * @param bool    $required Whether the post requires a password check.
+     * @param WP_Post $post     The post been password checked.
+     * @return bool Result of password check taking in to account REST API considerations.
+     */
+    public function check_password_required( $required, $post ) {
+        if ( ! $required ) {
+            return $required;
+        }
+
+        $post = get_post( $post );
+
+        if ( ! $post ) {
+            return $required;
+        }
+
+        if ( ! empty( $this->password_check_passed[ $post->ID ] ) ) {
+            // Password previously checked and approved.
+            return false;
+        }
+
+        return ! current_user_can( 'edit_post', $post->ID );
     }
 
@@ -316 +356 @@
         // Allow access to all password protected posts if the context is edit.
         if ( 'edit' === $request['context'] ) {
-            add_filter( 'post_password_required', '__return_false' );
+            add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
         }
 
@@ -332 +372 @@
         // Reset filter.
         if ( 'edit' === $request['context'] ) {
-            remove_filter( 'post_password_required', '__return_false' );
+            remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
         }
 
@@ -447 +487 @@
         // Allow access to all password protected posts if the context is edit.
         if ( 'edit' === $request['context'] ) {
-            add_filter( 'post_password_required', '__return_false' );
+            add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
         }
 
@@ -475 +515 @@
         }
 
-        // Edit context always gets access to password-protected posts.
-        if ( 'edit' === $request['context'] ) {
+        /*
+         * Users always gets access to password protected content in the edit
+         * context if they have the `edit_post` meta capability.
+         */
+        if (
+            'edit' === $request['context'] &&
+            current_user_can( 'edit_post', $post->ID )
+        ) {
             return true;
         }
@@ -1706 +1752 @@
 
         if ( $this->can_access_password_content( $post, $request ) ) {
+            $this->password_check_passed[ $post->ID ] = true;
             // Allow access to the post, permissions already checked before.
-            add_filter( 'post_password_required', '__return_false' );
+            add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
 
             $has_password_filter = true;
@@ -1745 +1792 @@
         if ( $has_password_filter ) {
             // Reset filter.
-            remove_filter( 'post_password_required', '__return_false' );
+            remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
         }