
Changeset 50731 for branches/5.0


Timestamp:
04/15/2021 01:10:18 AM (4 years ago)
Author:
desrosj
Message:

Grouped merges for 5.0.12.

  • REST API: Allow authors to read their own password protected posts.
  • About page update.

Merges [50717] to the 5.0 branch.

Location:
branches/5.0
Files:
4 edited

  • branches/5.0

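--- a/branches/5.0/src/wp-admin/about.php
+++ b/branches/5.0/src/wp-admin/about.php
@@ -63,4 +63,24 @@
         <div class="changelog point-releases">
             <h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
+            <p>
+                <?php
+                printf(
+                    /* translators: %s: WordPress version number */
+                    __( '<strong>Version %s</strong> addressed some security issues.' ),
+                    '5.0.12'
+                );
+                ?>
+                <?php
+                printf(
+                    /* translators: %s: HelpHub URL */
+                    __( 'For more information, see <a href="%s">the release notes</a>.' ),
+                    sprintf(
+                        /* translators: %s: WordPress version */
+                        esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+                        sanitize_title( '5.0.12' )
+                    )
+                );
+                ?>
+            </p>
             <p>
                 <?php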
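--- a/branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -32,4 +32,12 @@
      */
     protected $meta;
+
+    /**
+     * Passwordless post access permitted.
+     *
+     * @since 5.7.1
+     * @var int[]
+     */
+    protected $password_check_passed = array();
 
     /**
@@ -139,4 +147,36 @@
 
     /**
+     * Override the result of the post password check for REST requested posts.
+     *
+     * Allow users to read the content of password protected posts if they have
+     * previously passed a permission check or if they have the `edit_post` capability
+     * for the post being checked.
+     *
+     * @since 5.7.1
+     *
+     * @param bool    $required Whether the post requires a password check.
+     * @param WP_Post $post     The post been password checked.
+     * @return bool Result of password check taking in to account REST API considerations.
+     */
+    public function check_password_required( $required, $post ) {
+        if ( ! $required ) {
+            return $required;
+        }
+
+        $post = get_post( $post );
+
+        if ( ! $post ) {
+            return $required;
+        }
+
+        if ( ! empty( $this->password_check_passed[ $post->ID ] ) ) {
+            // Password previously checked and approved.
+            return false;
+        }
+
+        return ! current_user_can( 'edit_post', $post->ID );
+    }
+
+    /**
      * Retrieves a collection of posts.
      *
@@ -293,5 +333,5 @@
         // Allow access to all password protected posts if the context is edit.
         if ( 'edit' === $request['context'] ) {
-            add_filter( 'post_password_required', '__return_false' );
+            add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
         }
 
@@ -309,5 +349,5 @@
         // Reset filter.
         if ( 'edit' === $request['context'] ) {
-            remove_filter( 'post_password_required', '__return_false' );
+            remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
         }
 
@@ -407,5 +447,5 @@
         // Allow access to all password protected posts if the context is edit.
         if ( 'edit' === $request['context'] ) {
-            add_filter( 'post_password_required', '__return_false' );
+            add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
         }
 
@@ -435,6 +475,12 @@
         }
 
-        // Edit context always gets access to password-protected posts.
-        if ( 'edit' === $request['context'] ) {
+        /*
+         * Users always gets access to password protected content in the edit
+         * context if they have the `edit_post` meta capability.
+         */
+        if (
+            'edit' === $request['context'] &&
+            current_user_can( 'edit_post', $post->ID )
+        ) {
             return true;
         }
@@ -1508,6 +1554,7 @@
 
         if ( $this->can_access_password_content( $post, $request ) ) {
+            $this->password_check_passed[ $post->ID ] = true;
             // Allow access to the post, permissions already checked before.
-            add_filter( 'post_password_required', '__return_false' );
+            add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
 
             $has_password_filter = true;
@@ -1536,5 +1583,5 @@
         if ( $has_password_filter ) {
             // Reset filter.
-            remove_filter( 'post_password_required', '__return_false' );
+            remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
         }
 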
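Review bot: The `password_check_passed` entry written at new line 1556 is not cleared in any visible hunk, so the approval recorded for a post ID outlives the `remove_filter()` call at new line 1585 and stays on the controller instance. `check_password_required()` returns `false` for any ID in that map before it reaches `current_user_can()`, so a later dispatch in the same PHP request that re-attaches the callback (for example the edit-context branch at new line 335) would not re-run the capability check for that post; whether such a dispatch can happen under a different user or without the password is not visible here. Consider dropping the entry when the filter is reset, `unset( $this->password_check_passed[ $post->ID ] );` next to the `remove_filter()` call. The enclosing method starts and ends outside the hunk.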
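--- a/branches/5.0/tests/phpunit/tests/rest-api/rest-posts-controller.php
+++ b/branches/5.0/tests/phpunit/tests/rest-api/rest-posts-controller.php
@@ -1222,4 +1222,30 @@
 
         $this->assertErrorResponse( 'rest_forbidden', $response, 401 );
+    }
+
+    public function test_get_post_draft_edit_context() {
+        $post_content = 'Hello World!';
+        $this->factory->post->create(
+            array(
+                'post_title'    => 'Hola',
+                'post_password' => 'password',
+                'post_content'  => $post_content,
+                'post_excerpt'  => $post_content,
+                'post_author'   => self::$editor_id,
+            )
+        );
+        $draft_id = $this->factory->post->create(
+            array(
+                'post_status'  => 'draft',
+                'post_author'  => self::$contributor_id,
+                'post_content' => '<!-- wp:latest-posts {"displayPostContent":true} /--> <!-- wp:latest-posts {"displayPostContent":true,"displayPostContentRadio":"full_post"} /-->',
+            )
+        );
+        wp_set_current_user( self::$contributor_id );
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/posts/%d', $draft_id ) );
+        $request->set_param( 'context', 'edit' );
+        $response = rest_get_server()->dispatch( $request );
+        $data     = $response->get_data();
+        $this->assertNotContains( $post_content, $data['content']['rendered'] );
     }
 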
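Review bot: `test_get_post_draft_edit_context()` asserts only that the protected content is absent from `content.rendered`, so it cannot tell a fixed controller from a branch where the `latest-posts` block never renders post content in the first place; whether `displayPostContent` is supported on 5.0 is not visible here. Pin the success path before the negative assertion with `$this->assertSame( 200, $response->get_status() );`. The visible lines also add no positive case for the behaviour named in the commit message, an author reading their own password protected post in the `edit` context, though that may be covered outside this section.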