Changeset 50731 for branches/5.0
- Timestamp:
- 04/15/2021 01:10:18 AM (4 years ago)
- Location:
- branches/5.0
- Files:
-
- 4 edited
-
branches/5.0
-
branches/5.0/src/wp-admin/about.php
r49414 r50731 63 63 <div class="changelog point-releases"> 64 64 <h3><?php _e( 'Maintenance and Security Releases' ); ?></h3> 65 <p> 66 <?php 67 printf( 68 /* translators: %s: WordPress version number */ 69 __( '<strong>Version %s</strong> addressed some security issues.' ), 70 '5.0.12' 71 ); 72 ?> 73 <?php 74 printf( 75 /* translators: %s: HelpHub URL */ 76 __( 'For more information, see <a href="%s">the release notes</a>.' ), 77 sprintf( 78 /* translators: %s: WordPress version */ 79 esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ), 80 sanitize_title( '5.0.12' ) 81 ) 82 ); 83 ?> 84 </p> 65 85 <p> 66 86 <?php -
branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
r46915 r50731 32 32 */ 33 33 protected $meta; 34 35 /** 36 * Passwordless post access permitted. 37 * 38 * @since 5.7.1 39 * @var int[] 40 */ 41 protected $password_check_passed = array(); 34 42 35 43 /** … … 139 147 140 148 /** 149 * Override the result of the post password check for REST requested posts. 150 * 151 * Allow users to read the content of password protected posts if they have 152 * previously passed a permission check or if they have the `edit_post` capability 153 * for the post being checked. 154 * 155 * @since 5.7.1 156 * 157 * @param bool $required Whether the post requires a password check. 158 * @param WP_Post $post The post been password checked. 159 * @return bool Result of password check taking in to account REST API considerations. 160 */ 161 public function check_password_required( $required, $post ) { 162 if ( ! $required ) { 163 return $required; 164 } 165 166 $post = get_post( $post ); 167 168 if ( ! $post ) { 169 return $required; 170 } 171 172 if ( ! empty( $this->password_check_passed[ $post->ID ] ) ) { 173 // Password previously checked and approved. 174 return false; 175 } 176 177 return ! current_user_can( 'edit_post', $post->ID ); 178 } 179 180 /** 141 181 * Retrieves a collection of posts. 142 182 * … … 293 333 // Allow access to all password protected posts if the context is edit. 294 334 if ( 'edit' === $request['context'] ) { 295 add_filter( 'post_password_required', '__return_false');335 add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 ); 296 336 } 297 337 … … 309 349 // Reset filter. 310 350 if ( 'edit' === $request['context'] ) { 311 remove_filter( 'post_password_required', '__return_false');351 remove_filter( 'post_password_required', array( $this, 'check_password_required' ) ); 312 352 } 313 353 … … 407 447 // Allow access to all password protected posts if the context is edit. 
408 448 if ( 'edit' === $request['context'] ) { 409 add_filter( 'post_password_required', '__return_false');449 add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 ); 410 450 } 411 451 … … 435 475 } 436 476 437 // Edit context always gets access to password-protected posts. 438 if ( 'edit' === $request['context'] ) { 477 /* 478 * Users always gets access to password protected content in the edit 479 * context if they have the `edit_post` meta capability. 480 */ 481 if ( 482 'edit' === $request['context'] && 483 current_user_can( 'edit_post', $post->ID ) 484 ) { 439 485 return true; 440 486 } … … 1508 1554 1509 1555 if ( $this->can_access_password_content( $post, $request ) ) { 1556 $this->password_check_passed[ $post->ID ] = true; 1510 1557 // Allow access to the post, permissions already checked before. 1511 add_filter( 'post_password_required', '__return_false');1558 add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 ); 1512 1559 1513 1560 $has_password_filter = true; … … 1536 1583 if ( $has_password_filter ) { 1537 1584 // Reset filter. 1538 remove_filter( 'post_password_required', '__return_false');1585 remove_filter( 'post_password_required', array( $this, 'check_password_required' ) ); 1539 1586 } 1540 1587 -
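Review bot: `$password_check_passed` is written at new line 1556 but nothing visible ever clears it, so an approval keyed only by post ID outlives the `remove_filter()` at new line 1585 for as long as the controller object does. If the same instance serves a later dispatch in the process (a different user, or a request without the password), `check_password_required()` would still return false for that ID whenever the filter is attached; consider `unset( $this->password_check_passed[ $post->ID ] );` next to that `remove_filter()` call. The property docblock says `@var int[]`, but the array holds `true` keyed by post ID, so `@var bool[] Keyed by post ID.` would be accurate. The retained comments at new lines 333 and 447, `Allow access to all password protected posts if the context is edit`, no longer describe the capability-gated callback. The enclosing methods start and end outside these hunks, so the instance lifetime and any later reset are not visible here.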
branches/5.0/tests/phpunit/tests/rest-api/rest-posts-controller.php
r43930 r50731 1222 1222 1223 1223 $this->assertErrorResponse( 'rest_forbidden', $response, 401 ); 1224 } 1225 1226 public function test_get_post_draft_edit_context() { 1227 $post_content = 'Hello World!'; 1228 $this->factory->post->create( 1229 array( 1230 'post_title' => 'Hola', 1231 'post_password' => 'password', 1232 'post_content' => $post_content, 1233 'post_excerpt' => $post_content, 1234 'post_author' => self::$editor_id, 1235 ) 1236 ); 1237 $draft_id = $this->factory->post->create( 1238 array( 1239 'post_status' => 'draft', 1240 'post_author' => self::$contributor_id, 1241 'post_content' => '<!-- wp:latest-posts {"displayPostContent":true} /--> <!-- wp:latest-posts {"displayPostContent":true,"displayPostContentRadio":"full_post"} /-->', 1242 ) 1243 ); 1244 wp_set_current_user( self::$contributor_id ); 1245 $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/posts/%d', $draft_id ) ); 1246 $request->set_param( 'context', 'edit' ); 1247 $response = rest_get_server()->dispatch( $request ); 1248 $data = $response->get_data(); 1249 $this->assertNotContains( $post_content, $data['content']['rendered'] ); 1224 1250 } 1225 1251
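Review bot: The only assertion in `test_get_post_draft_edit_context()` is negative, so it also passes if the `latest-posts` blocks in the draft render nothing at all on this branch, in which case the protected-content path is never exercised. Pin the render first with a positive check such as `$this->assertContains( 'Hola', $data['content']['rendered'] );` (assuming the block lists post titles), and assert the response status before reading `$data`. A companion case in which a user holding `edit_post` on the protected post does see its content in the edit context would cover the other branch of `check_password_required()`.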