Changeset 50729 for branches/5.2
- Timestamp:
- 04/15/2021 01:08:26 AM (5 years ago)
- Location:
- branches/5.2
- Files:
-
- 4 edited
-
. (modified) (1 prop)
-
src/wp-admin/about.php (modified) (1 diff)
-
src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php (modified) (8 diffs)
-
tests/phpunit/tests/rest-api/rest-posts-controller.php (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
branches/5.2
-
branches/5.2/src/wp-admin/about.php
r49461 r50729 51 51 <div class="changelog point-releases"> 52 52 <h3><?php _e( 'Maintenance and Security Releases' ); ?></h3> 53 <p> 54 <?php 55 printf( 56 /* translators: %s: WordPress version number */ 57 __( '<strong>Version %s</strong> addressed some security issues.' ), 58 '5.2.10' 59 ); 60 ?> 61 <?php 62 printf( 63 /* translators: %s: HelpHub URL */ 64 __( 'For more information, see <a href="%s">the release notes</a>.' ), 65 sprintf( 66 /* translators: %s: WordPress version */ 67 esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ), 68 sanitize_title( '5.2.10' ) 69 ) 70 ); 71 ?> 72 </p> 53 73 <p> 54 74 <?php -
branches/5.2/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
r46901 r50729 32 32 */ 33 33 protected $meta; 34 35 /** 36 * Passwordless post access permitted. 37 * 38 * @since 5.7.1 39 * @var int[] 40 */ 41 protected $password_check_passed = array(); 34 42 35 43 /** … … 144 152 145 153 return true; 154 } 155 156 /** 157 * Override the result of the post password check for REST requested posts. 158 * 159 * Allow users to read the content of password protected posts if they have 160 * previously passed a permission check or if they have the `edit_post` capability 161 * for the post being checked. 162 * 163 * @since 5.7.1 164 * 165 * @param bool $required Whether the post requires a password check. 166 * @param WP_Post $post The post been password checked. 167 * @return bool Result of password check taking in to account REST API considerations. 168 */ 169 public function check_password_required( $required, $post ) { 170 if ( ! $required ) { 171 return $required; 172 } 173 174 $post = get_post( $post ); 175 176 if ( ! $post ) { 177 return $required; 178 } 179 180 if ( ! empty( $this->password_check_passed[ $post->ID ] ) ) { 181 // Password previously checked and approved. 182 return false; 183 } 184 185 return ! current_user_can( 'edit_post', $post->ID ); 146 186 } 147 187 … … 301 341 // Allow access to all password protected posts if the context is edit. 302 342 if ( 'edit' === $request['context'] ) { 303 add_filter( 'post_password_required', '__return_false');343 add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 ); 304 344 } 305 345 … … 317 357 // Reset filter. 318 358 if ( 'edit' === $request['context'] ) { 319 remove_filter( 'post_password_required', '__return_false');359 remove_filter( 'post_password_required', array( $this, 'check_password_required' ) ); 320 360 } 321 361 … … 415 455 // Allow access to all password protected posts if the context is edit. 416 456 if ( 'edit' === $request['context'] ) { 417 add_filter( 'post_password_required', '__return_false');457 add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 ); 418 458 } 419 459 … … 443 483 } 444 484 445 // Edit context always gets access to password-protected posts. 446 if ( 'edit' === $request['context'] ) { 485 /* 486 * Users always gets access to password protected content in the edit 487 * context if they have the `edit_post` meta capability. 488 */ 489 if ( 490 'edit' === $request['context'] && 491 current_user_can( 'edit_post', $post->ID ) 492 ) { 447 493 return true; 448 494 } … … 1520 1566 1521 1567 if ( $this->can_access_password_content( $post, $request ) ) { 1568 $this->password_check_passed[ $post->ID ] = true; 1522 1569 // Allow access to the post, permissions already checked before. 1523 add_filter( 'post_password_required', '__return_false');1570 add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 ); 1524 1571 1525 1572 $has_password_filter = true; … … 1548 1595 if ( $has_password_filter ) { 1549 1596 // Reset filter. 1550 remove_filter( 'post_password_required', '__return_false');1597 remove_filter( 'post_password_required', array( $this, 'check_password_required' ) ); 1551 1598 } 1552 1599 -
branches/5.2/tests/phpunit/tests/rest-api/rest-posts-controller.php
r44933 r50729 1452 1452 1453 1453 $this->assertErrorResponse( 'rest_forbidden', $response, 401 ); 1454 } 1455 1456 public function test_get_post_draft_edit_context() { 1457 $post_content = 'Hello World!'; 1458 $this->factory->post->create( 1459 array( 1460 'post_title' => 'Hola', 1461 'post_password' => 'password', 1462 'post_content' => $post_content, 1463 'post_excerpt' => $post_content, 1464 'post_author' => self::$editor_id, 1465 ) 1466 ); 1467 $draft_id = $this->factory->post->create( 1468 array( 1469 'post_status' => 'draft', 1470 'post_author' => self::$contributor_id, 1471 'post_content' => '<!-- wp:latest-posts {"displayPostContent":true} /--> <!-- wp:latest-posts {"displayPostContent":true,"displayPostContentRadio":"full_post"} /-->', 1472 ) 1473 ); 1474 wp_set_current_user( self::$contributor_id ); 1475 $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/posts/%d', $draft_id ) ); 1476 $request->set_param( 'context', 'edit' ); 1477 $response = rest_get_server()->dispatch( $request ); 1478 $data = $response->get_data(); 1479 $this->assertNotContains( $post_content, $data['content']['rendered'] ); 1454 1480 } 1455 1481
Note: See TracChangeset
for help on using the changeset viewer.