Make WordPress Core


Ignore:
Timestamp:
10/17/2022 06:11:47 PM (2 years ago)
Author:
SergeyBiryukov
Message:

Grouped backports to the 4.9 branch.

  • Posts, Post types: Apply KSES to post-by-email content,
  • General: Validate host on "Are you sure?" screen,
  • Posts, Post types: Remove emails from post-by-email logs,
  • Media: Refactor search by filename within the admin,
  • Pings/trackbacks: Apply KSES to all trackbacks,
  • Comments: Apply kses when editing comments,
  • Customize: Escape blogname option in underscores templates,
  • REST API: Lockdown post parameter of the terms endpoint,
  • Mail: Reset PHPMailer properties between use,
  • Query: Validate relation in WP_Date_Query,
  • Widgets: Escape RSS error messages for display.

Merges [54521], [54522], [54523], [54524], [54525], [54526], [54527], [54528], [54529], [54530], [54541] to the 4.9 branch.
Props voldemortensen, johnbillion, paulkevan, peterwilsoncc, xknown, dd32, audrasjb, martinkrcho, vortfu, davidbaumwald, tykoted, timothyblynjacobs, johnjamesjacoby, ehtis, matveb, talldanwp.

Location:
branches/4.9
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/4.9

  • branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php

    r43637 r54569  
    128128
    129129    /**
     130     * Checks if the terms for a post can be read.
     131     *
     132     * @since 6.0.3
     133     *
     134     * @param WP_Post         $post    Post object.
     135     * @param WP_REST_Request $request Full details about the request.
     136     * @return bool Whether the terms for the post can be read.
     137     */
     138    public function check_read_terms_permission_for_post( $post, $request ) {
     139        // If the requested post isn't associated with this taxonomy, deny access.
     140        if ( ! is_object_in_taxonomy( $post->post_type, $this->taxonomy ) ) {
     141            return false;
     142        }
     143
     144        // Grant access if the post is publicly viewable.
     145        if ( is_post_publicly_viewable( $post ) ) {
     146            return true;
     147        }
     148
     149        // Otherwise grant access if the post is readable by the logged in user.
     150        if ( current_user_can( 'read_post', $post->ID ) ) {
     151            return true;
     152        }
     153
     154        // Otherwise, deny access.
     155        return false;
     156    }
     157
     158    /**
    130159     * Checks if a request has access to read terms in the specified taxonomy.
    131160     *
     
    137166    public function get_items_permissions_check( $request ) {
    138167        $tax_obj = get_taxonomy( $this->taxonomy );
     168
    139169        if ( ! $tax_obj || ! $this->check_is_taxonomy_allowed( $this->taxonomy ) ) {
    140170            return false;
    141171        }
     172
    142173        if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->edit_terms ) ) {
    143             return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
    144         }
     174            return new WP_Error(
     175                'rest_forbidden_context',
     176                __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ),
     177                array( 'status' => rest_authorization_required_code() )
     178            );
     179        }
     180
     181        if ( ! empty( $request['post'] ) ) {
     182            $post = get_post( $request['post'] );
     183
     184            if ( ! $post ) {
     185                return new WP_Error(
     186                    'rest_post_invalid_id',
     187                    __( 'Invalid post ID.' ),
     188                    array(
     189                        'status' => 400,
     190                    )
     191                );
     192            }
     193
     194            if ( ! $this->check_read_terms_permission_for_post( $post, $request ) ) {
     195                return new WP_Error(
     196                    'rest_forbidden_context',
     197                    __( 'Sorry, you are not allowed to view terms for this post.' ),
     198                    array(
     199                        'status' => rest_authorization_required_code(),
     200                    )
     201                );
     202            }
     203        }
     204
    145205        return true;
    146206    }
Note: See TracChangeset for help on using the changeset viewer.