Make WordPress Core


Ignore:
Timestamp:
10/17/2022 06:08:39 PM (19 months ago)
Author:
SergeyBiryukov
Message:

Grouped backports to the 4.7 branch.

  • Posts, Post types: Apply KSES to post-by-email content,
  • General: Validate host on "Are you sure?" screen,
  • Posts, Post types: Remove emails from post-by-email logs,
  • Media: Refactor search by filename within the admin,
  • Pings/trackbacks: Apply KSES to all trackbacks,
  • Comments: Apply kses when editing comments,
  • Customize: Escape blogname option in underscores templates,
  • REST API: Lockdown post parameter of the terms endpoint,
  • Mail: Reset PHPMailer properties between use,
  • Query: Validate relation in WP_Date_Query,
  • Widgets: Escape RSS error messages for display.

Merges [54521], [54522], [54523], [54524], [54525], [54526], [54527], [54528], [54529], [54530], [54541] to the 4.7 branch.
Props voldemortensen, johnbillion, paulkevan, peterwilsoncc, xknown, dd32, audrasjb, martinkrcho, vortfu, davidbaumwald, tykoted, timothyblynjacobs, johnjamesjacoby, ehtis, matveb, talldanwp.

Location:
branches/4.7
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/4.7

  • branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php

    r40427 r54566  
    134134
    135135    /**
     136     * Checks if the terms for a post can be read.
     137     *
     138     * @since 6.0.3
     139     *
     140     * @param WP_Post         $post    Post object.
     141     * @param WP_REST_Request $request Full details about the request.
     142     * @return bool Whether the terms for the post can be read.
     143     */
     144    public function check_read_terms_permission_for_post( $post, $request ) {
     145        // If the requested post isn't associated with this taxonomy, deny access.
     146        if ( ! is_object_in_taxonomy( $post->post_type, $this->taxonomy ) ) {
     147            return false;
     148        }
     149
     150        // Grant access if the post is publicly viewable.
     151        if ( is_post_publicly_viewable( $post ) ) {
     152            return true;
     153        }
     154
     155        // Otherwise grant access if the post is readable by the logged in user.
     156        if ( current_user_can( 'read_post', $post->ID ) ) {
     157            return true;
     158        }
     159
     160        // Otherwise, deny access.
     161        return false;
     162    }
     163
     164    /**
    136165     * Checks if a request has access to read terms in the specified taxonomy.
    137166     *
     
    144173    public function get_items_permissions_check( $request ) {
    145174        $tax_obj = get_taxonomy( $this->taxonomy );
     175
    146176        if ( ! $tax_obj || ! $this->check_is_taxonomy_allowed( $this->taxonomy ) ) {
    147177            return false;
    148178        }
     179
    149180        if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->edit_terms ) ) {
    150             return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
    151         }
     181            return new WP_Error(
     182                'rest_forbidden_context',
     183                __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ),
     184                array( 'status' => rest_authorization_required_code() )
     185            );
     186        }
     187
     188        if ( ! empty( $request['post'] ) ) {
     189            $post = get_post( $request['post'] );
     190
     191            if ( ! $post ) {
     192                return new WP_Error(
     193                    'rest_post_invalid_id',
     194                    __( 'Invalid post ID.' ),
     195                    array(
     196                        'status' => 400,
     197                    )
     198                );
     199            }
     200
     201            if ( ! $this->check_read_terms_permission_for_post( $post, $request ) ) {
     202                return new WP_Error(
     203                    'rest_forbidden_context',
     204                    __( 'Sorry, you are not allowed to view terms for this post.' ),
     205                    array(
     206                        'status' => rest_authorization_required_code(),
     207                    )
     208                );
     209            }
     210        }
     211
    152212        return true;
    153213    }
Note: See TracChangeset for help on using the changeset viewer.