WordPress.org
Get WordPress

Make WordPress Core

Changeset 50733 for branches/4.7


Ignore:
Timestamp:
04/15/2021 01:12:42 AM (5 years ago)
Author:
peterwilsoncc
Message:

Grouped merges for 4.7.20.

  • REST API: Allow authors to read their own password protected posts.
  • About page update

Merges [50717] to the 4.7 branch.

Location:
branches/4.7/src
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • branches/4.7/src/wp-admin/about.php

    r49417 r50733  
    4646        <div class="changelog point-releases">
    4747            <h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
     48            <p>
     49                <?php
     50                printf(
     51                    /* translators: %s: WordPress version number */
     52                    __( '<strong>Version %s</strong> addressed some security issues.' ),
     53                    '4.7.20'
     54                );
     55                ?>
     56                <?php
     57                printf(
     58                    /* translators: %s: HelpHub URL */
     59                    __( 'For more information, see <a href="%s">the release notes</a>.' ),
     60                    sprintf(
     61                        /* translators: %s: WordPress version */
     62                        esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
     63                        sanitize_title( '4.7.20' )
     64                    )
     65                );
     66                ?>
     67            </p>
    4868            <p>
    4969                <?php

  • branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

    r46916 r50733  
    3434     */
    3535    protected $meta;
     36
     37    /**
     38     * Passwordless post access permitted.
     39     *
     40     * @since 5.7.1
     41     * @var int[]
     42     */
     43    protected $password_check_passed = array();
    3644
    3745    /**
     
    144152
    145153    /**
     154     * Override the result of the post password check for REST requested posts.
     155     *
     156     * Allow users to read the content of password protected posts if they have
     157     * previously passed a permission check or if they have the `edit_post` capability
     158     * for the post being checked.
     159     *
     160     * @since 5.7.1
     161     *
     162     * @param bool    $required Whether the post requires a password check.
     163     * @param WP_Post $post     The post been password checked.
     164     * @return bool Result of password check taking in to account REST API considerations.
     165     */
     166    public function check_password_required( $required, $post ) {
     167        if ( ! $required ) {
     168            return $required;
     169        }
     170
     171        $post = get_post( $post );
     172
     173        if ( ! $post ) {
     174            return $required;
     175        }
     176
     177        if ( ! empty( $this->password_check_passed[ $post->ID ] ) ) {
     178            // Password previously checked and approved.
     179            return false;
     180        }
     181
     182        return ! current_user_can( 'edit_post', $post->ID );
     183    }
     184
     185    /**
    146186     * Retrieves a collection of posts.
    147187     *
     
    299339        // Allow access to all password protected posts if the context is edit.
    300340        if ( 'edit' === $request['context'] ) {
    301             add_filter( 'post_password_required', '__return_false' );
     341            add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
    302342        }
    303343
     
    315355        // Reset filter.
    316356        if ( 'edit' === $request['context'] ) {
    317             remove_filter( 'post_password_required', '__return_false' );
     357            remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
    318358        }
    319359
     
    409449        // Allow access to all password protected posts if the context is edit.
    410450        if ( 'edit' === $request['context'] ) {
    411             add_filter( 'post_password_required', '__return_false' );
     451            add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
    412452        }
    413453
     
    438478        }
    439479
    440         // Edit context always gets access to password-protected posts.
    441         if ( 'edit' === $request['context'] ) {
     480        /*
     481         * Users always gets access to password protected content in the edit
     482         * context if they have the `edit_post` meta capability.
     483         */
     484        if (
     485            'edit' === $request['context'] &&
     486            current_user_can( 'edit_post', $post->ID )
     487        ) {
    442488            return true;
    443489        }
     
    14621508
    14631509        if ( $this->can_access_password_content( $post, $request ) ) {
     1510            $this->password_check_passed[ $post->ID ] = true;
    14641511            // Allow access to the post, permissions already checked before.
    1465             add_filter( 'post_password_required', '__return_false' );
     1512            add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
    14661513
    14671514            $has_password_filter = true;
     
    14891536        if ( $has_password_filter ) {
    14901537            // Reset filter.
    1491             remove_filter( 'post_password_required', '__return_false' );
     1538            remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
    14921539        }
    14931540
Note: See TracChangeset for help on using the changeset viewer.