Make WordPress Core


Timestamp:
11/05/2021 02:14:07 AM (3 years ago)
Author:
TimothyBlynJacobs
Message:

REST API: Allow sidebars and their widgets to be public.

By default, only users with the edit_theme_options capability can access the sidebars and widgets REST API endpoints. In this commit, a new show_in_rest parameter is added to the register_sidebar function. When enabled, all users will be able to access that sidebar and any widgets belonging to that sidebar.

This commit reduces the context for a widget's instance information to only edit. This is to ensure that internal widget data is not inadvertently exposed to the public. A future ticket may expose additional APIs to allow widget authors to indicate that their instance data can be safely exposed. REST API consumers intending to access this instance information should take care to explicitly set the context parameter to edit.

Props spacedmonkey, zieladam.
Fixes #53915.

File:
1 edited

  • trunk/src/wp-includes/widgets.php

    r51850 r52016  
    221221 * @since 2.2.0
    222222 * @since 5.6.0 Added the `before_sidebar` and `after_sidebar` arguments.
     223 * @since 5.9.0 Added the `show_in_rest` argument.
    223224 *
    224225 * @global array $wp_registered_sidebars Registered sidebars.
     
    251252 *                                  Outputs before the {@see 'dynamic_sidebar_after'} action.
    252253 *                                  Default empty string.
     254 *     @type bool $show_in_rest     Whether to show this sidebar publicly in the REST API.
     255 *                                  Defaults to only showing the sidebar to administrator users.
    253256 * }
    254257 * @return string Sidebar ID added to $wp_registered_sidebars global.
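
Review bot: The `$show_in_rest` description at new lines 254-255 says the default shows the sidebar only to "administrator users", but the commit message describes the gate as the edit_theme_options capability, not a role, so the two can differ on sites with custom roles. Suggest wording the default in terms of that capability, and stating in the same entry that enabling the flag exposes the sidebar and any widgets belonging to it to all users, since that is the disclosure decision a theme author is making when they set it.
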
     
    273276        'before_sidebar' => '',
    274277        'after_sidebar'  => '',
     278        'show_in_rest'   => false,
    275279    );
    276280
     
    10371041
    10381042/**
     1043 * Retrieves the registered sidebar with the given id.
     1044 *
     1045 * @since 5.9.0
     1046 *
     1047 * @global array $wp_registered_sidebars The registered sidebars.
     1048 *
     1049 * @param string $id The sidebar id.
     1050 * @return array|null The discovered sidebar, or null if it is not registered.
     1051 */
     1052function wp_get_sidebar( $id ) {
     1053    global $wp_registered_sidebars;
     1054
     1055    foreach ( (array) $wp_registered_sidebars as $sidebar ) {
     1056        if ( $sidebar['id'] === $id ) {
     1057            return $sidebar;
     1058        }
     1059    }
     1060
     1061    if ( 'wp_inactive_widgets' === $id ) {
     1062        return array(
     1063            'id'   => 'wp_inactive_widgets',
     1064            'name' => __( 'Inactive widgets' ),
     1065        );
     1066    }
     1067
     1068    return null;
     1069}
     1070
     1071/**
    10391072 * Set the sidebar widget option to update sidebars.
    10401073 *
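
Review bot: The `wp_inactive_widgets` fallback in `wp_get_sidebar()` (new lines 1061-1066) returns an array with only `id` and `name`, so it carries no `show_in_rest` key, while registered sidebars receive one from the defaults added at new line 278. A permission check that reads `$sidebar['show_in_rest']` from this return value has to treat the missing key as false, otherwise it raises an undefined-index notice on the inactive-widgets path. Suggest adding `'show_in_rest' => false` to the fallback array so the return shape is consistent and inactive widgets are restricted explicitly, or noting in the `@return` line that the fallback does not contain the full set of sidebar keys.
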