
Changeset 50734


Timestamp:
04/15/2021 01:14:49 AM (9 months ago)
Author:
desrosj
Message:

Grouped merges for 4.8.16.

  • REST API: Allow authors to read their own password protected posts.
  • About page update

Merges [50717] to the 4.8 branch.

Location:
branches/4.8
Files:
3 edited

  • branches/4.8

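--- a/branches/4.8/src/wp-admin/about.php
+++ b/branches/4.8/src/wp-admin/about.php
@@ -46,4 +46,24 @@
         <div class="changelog point-releases">
             <h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
+            <p>
+                <?php
+                printf(
+                    /* translators: %s: WordPress version number */
+                    __( '<strong>Version %s</strong> addressed some security issues.' ),
+                    '4.8.16'
+                );
+                ?>
+                <?php
+                printf(
+                    /* translators: %s: HelpHub URL */
+                    __( 'For more information, see <a href="%s">the release notes</a>.' ),
+                    sprintf(
+                        /* translators: %s: WordPress version */
+                        esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+                        sanitize_title( '4.8.16' )
+                    )
+                );
+                ?>
+            </p>
             <p>
                 <?php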
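--- a/branches/4.8/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/branches/4.8/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -34,4 +34,12 @@
      */
     protected $meta;
+
+    /**
+     * Passwordless post access permitted.
+     *
+     * @since 5.7.1
+     * @var int[]
+     */
+    protected $password_check_passed = array();
 
     /**
@@ -144,4 +152,36 @@
 
     /**
+     * Override the result of the post password check for REST requested posts.
+     *
+     * Allow users to read the content of password protected posts if they have
+     * previously passed a permission check or if they have the `edit_post` capability
+     * for the post being checked.
+     *
+     * @since 5.7.1
+     *
+     * @param bool    $required Whether the post requires a password check.
+     * @param WP_Post $post     The post been password checked.
+     * @return bool Result of password check taking in to account REST API considerations.
+     */
+    public function check_password_required( $required, $post ) {
+        if ( ! $required ) {
+            return $required;
+        }
+
+        $post = get_post( $post );
+
+        if ( ! $post ) {
+            return $required;
+        }
+
+        if ( ! empty( $this->password_check_passed[ $post->ID ] ) ) {
+            // Password previously checked and approved.
+            return false;
+        }
+
+        return ! current_user_can( 'edit_post', $post->ID );
+    }
+
+    /**
      * Retrieves a collection of posts.
      *
@@ -299,5 +339,5 @@
         // Allow access to all password protected posts if the context is edit.
         if ( 'edit' === $request['context'] ) {
-            add_filter( 'post_password_required', '__return_false' );
+            add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
         }
 
@@ -315,5 +355,5 @@
         // Reset filter.
         if ( 'edit' === $request['context'] ) {
-            remove_filter( 'post_password_required', '__return_false' );
+            remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
         }
 
@@ -414,5 +454,5 @@
         // Allow access to all password protected posts if the context is edit.
         if ( 'edit' === $request['context'] ) {
-            add_filter( 'post_password_required', '__return_false' );
+            add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
         }
 
@@ -443,6 +483,12 @@
         }
 
-        // Edit context always gets access to password-protected posts.
-        if ( 'edit' === $request['context'] ) {
+        /*
+         * Users always gets access to password protected content in the edit
+         * context if they have the `edit_post` meta capability.
+         */
+        if (
+            'edit' === $request['context'] &&
+            current_user_can( 'edit_post', $post->ID )
+        ) {
             return true;
         }
@@ -1468,6 +1514,7 @@
 
         if ( $this->can_access_password_content( $post, $request ) ) {
+            $this->password_check_passed[ $post->ID ] = true;
             // Allow access to the post, permissions already checked before.
-            add_filter( 'post_password_required', '__return_false' );
+            add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
 
             $has_password_filter = true;
@@ -1495,5 +1542,5 @@
         if ( $has_password_filter ) {
             // Reset filter.
-            remove_filter( 'post_password_required', '__return_false' );
+            remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
         }
 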
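Review bot: The approval stored at new line 1516, `$this->password_check_passed[ $post->ID ] = true;`, is never cleared; the reset at new line 1544 only detaches the filter callback. `check_password_required()` returns false for any post ID present in that array before it reaches `current_user_can( 'edit_post', $post->ID )`, so an approval granted for one response would presumably still apply if the same controller instance later attaches the filter for a `context=edit` collection or runs under a different current user; whether that can happen depends on code outside these hunks. Consider adding `unset( $this->password_check_passed[ $post->ID ] );` next to the `remove_filter()` call at line 1544, provided `$post` is not reassigned in the part of the method the hunk does not show. Separately, the unchanged comments at new lines 339 and 454 still read `// Allow access to all password protected posts if the context is edit.`, which no longer describes the per-post capability check, and the property's `@var int[]` names the keys rather than the `true` values it holds.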