Changeset 50732 for branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

Timestamp:

04/15/2021 01:11:06 AM (5 years ago)

Author:

peterwilsoncc

Message:

Grouped merges for 4.9.17.

• REST API: Allow authors to read their own password protected posts.
• About page update

Merges [50717] to the 4.9 branch.

File:

• branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php (modified) (8 diffs)

branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

@@ -32 +32 @@
      */
     protected $meta;
+
+    /**
+     * Passwordless post access permitted.
+     *
+     * @since 5.7.1
+     * @var int[]
+     */
+    protected $password_check_passed = array();
 
     /**
@@ -139 +147 @@
 
     /**
+     * Override the result of the post password check for REST requested posts.
+     *
+     * Allow users to read the content of password protected posts if they have
+     * previously passed a permission check or if they have the `edit_post` capability
+     * for the post being checked.
+     *
+     * @since 5.7.1
+     *
+     * @param bool    $required Whether the post requires a password check.
+     * @param WP_Post $post     The post been password checked.
+     * @return bool Result of password check taking in to account REST API considerations.
+     */
+    public function check_password_required( $required, $post ) {
+        if ( ! $required ) {
+            return $required;
+        }
+
+        $post = get_post( $post );
+
+        if ( ! $post ) {
+            return $required;
+        }
+
+        if ( ! empty( $this->password_check_passed[ $post->ID ] ) ) {
+            // Password previously checked and approved.
+            return false;
+        }
+
+        return ! current_user_can( 'edit_post', $post->ID );
+    }
+
+    /**
      * Retrieves a collection of posts.
      *
@@ -293 +333 @@
         // Allow access to all password protected posts if the context is edit.
         if ( 'edit' === $request['context'] ) {
-            add_filter( 'post_password_required', '__return_false' );
+            add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
         }
 
@@ -309 +349 @@
         // Reset filter.
         if ( 'edit' === $request['context'] ) {
-            remove_filter( 'post_password_required', '__return_false' );
+            remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
         }
 
@@ -407 +447 @@
         // Allow access to all password protected posts if the context is edit.
         if ( 'edit' === $request['context'] ) {
-            add_filter( 'post_password_required', '__return_false' );
+            add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
         }
 
@@ -435 +475 @@
         }
 
-        // Edit context always gets access to password-protected posts.
-        if ( 'edit' === $request['context'] ) {
+        /*
+         * Users always gets access to password protected content in the edit
+         * context if they have the `edit_post` meta capability.
+         */
+        if (
+            'edit' === $request['context'] &&
+            current_user_can( 'edit_post', $post->ID )
+        ) {
             return true;
         }
@@ -1486 +1532 @@
 
         if ( $this->can_access_password_content( $post, $request ) ) {
+            $this->password_check_passed[ $post->ID ] = true;
             // Allow access to the post, permissions already checked before.
-            add_filter( 'post_password_required', '__return_false' );
+            add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
 
             $has_password_filter = true;
@@ -1513 +1560 @@
         if ( $has_password_filter ) {
             // Reset filter.
-            remove_filter( 'post_password_required', '__return_false' );
+            remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
         }