Make WordPress Core


Timestamp: 10/12/2023 02:48:17 PM (7 months ago)
Author: davidbaumwald
Message:

Grouped backports to the 4.7 branch.

  • Comments: Prevent users who can not see a post from seeing comments on it.
  • Shortcodes: Restrict media shortcode ajax to certain type.
  • REST API: Ensure no-cache headers are sent when methods are overridden.
  • REST API: Limit search_columns for users without list_users.
  • Prevent unintended behavior when certain objects are unserialized.

Merges [56834], [56835], [56836], [56838], and [56840] to the 4.7 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.

File:
1 edited

  • branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

    r40426 r56862  
    260260
    261261        if ( ! empty( $prepared_args['search'] ) ) {
     262            if ( ! current_user_can( 'list_users' ) ) {
     263                $prepared_args['search_columns'] = array( 'ID', 'user_login', 'user_nicename', 'display_name' );
     264            }
    262265            $prepared_args['search'] = '*' . $prepared_args['search'] . '*';
    263266        }
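
Review bot: The `search_columns` assignment added at new lines 262-264 carries no comment saying why the list is fixed to `ID`, `user_login`, `user_nicename` and `display_name`, so a later edit could widen it without noticing that this is an access restriction. A one-line comment above `if ( ! current_user_can( 'list_users' ) ) {` stating that callers without `list_users` must not be able to match on any other column would make the intent explicit. Two things are worth confirming in review: the assignment overwrites whatever is already in `$prepared_args['search_columns']` rather than intersecting with it, which is the safe direction but should be deliberate, and the check only runs inside the `! empty( $prepared_args['search'] )` branch, so it depends on `search_columns` having no effect when `search` is empty. The changeset lists one edited file, so no test accompanies the restriction here; a test that a user without `list_users` gets no match when searching on a column outside this list would guard the backport.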