Changeset 50730
- Timestamp:
- 04/15/2021 01:09:07 AM (5 years ago)
- Location:
- branches/5.1
- Files:
-
- 3 edited
-
src/wp-admin/about.php (modified) (1 diff)
-
src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php (modified) (8 diffs)
-
tests/phpunit/tests/rest-api/rest-posts-controller.php (modified) (1 diff)
branches/5.1/src/wp-admin/about.php
r49462 r50730 37 37 <div class="changelog point-releases"> 38 38 <h3><?php _e( 'Maintenance and Security Releases' ); ?></h3> 39 <p> 40 <?php 41 printf( 42 /* translators: %s: WordPress version number */ 43 __( '<strong>Version %s</strong> addressed some security issues.' ), 44 '5.1.9' 45 ); 46 ?> 47 <?php 48 printf( 49 /* translators: %s: HelpHub URL */ 50 __( 'For more information, see <a href="%s">the release notes</a>.' ), 51 sprintf( 52 /* translators: %s: WordPress version */ 53 esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ), 54 sanitize_title( '5.1.9' ) 55 ) 56 ); 57 ?> 58 </p> 39 59 <p> 40 60 <?php -
branches/5.1/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
r46907 r50730 32 32 */ 33 33 protected $meta; 34 35 /** 36 * Passwordless post access permitted. 37 * 38 * @since 5.7.1 39 * @var int[] 40 */ 41 protected $password_check_passed = array(); 34 42 35 43 /** … … 144 152 145 153 return true; 154 } 155 156 /** 157 * Override the result of the post password check for REST requested posts. 158 * 159 * Allow users to read the content of password protected posts if they have 160 * previously passed a permission check or if they have the `edit_post` capability 161 * for the post being checked. 162 * 163 * @since 5.7.1 164 * 165 * @param bool $required Whether the post requires a password check. 166 * @param WP_Post $post The post been password checked. 167 * @return bool Result of password check taking in to account REST API considerations. 168 */ 169 public function check_password_required( $required, $post ) { 170 if ( ! $required ) { 171 return $required; 172 } 173 174 $post = get_post( $post ); 175 176 if ( ! $post ) { 177 return $required; 178 } 179 180 if ( ! empty( $this->password_check_passed[ $post->ID ] ) ) { 181 // Password previously checked and approved. 182 return false; 183 } 184 185 return ! current_user_can( 'edit_post', $post->ID ); 146 186 } 147 187 … … 301 341 // Allow access to all password protected posts if the context is edit. 302 342 if ( 'edit' === $request['context'] ) { 303 add_filter( 'post_password_required', '__return_false');343 add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 ); 304 344 } 305 345 … … 317 357 // Reset filter. 318 358 if ( 'edit' === $request['context'] ) { 319 remove_filter( 'post_password_required', '__return_false');359 remove_filter( 'post_password_required', array( $this, 'check_password_required' ) ); 320 360 } 321 361 … … 415 455 // Allow access to all password protected posts if the context is edit. 
416 456 if ( 'edit' === $request['context'] ) { 417 add_filter( 'post_password_required', '__return_false');457 add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 ); 418 458 } 419 459 … … 443 483 } 444 484 445 // Edit context always gets access to password-protected posts. 446 if ( 'edit' === $request['context'] ) { 485 /* 486 * Users always gets access to password protected content in the edit 487 * context if they have the `edit_post` meta capability. 488 */ 489 if ( 490 'edit' === $request['context'] && 491 current_user_can( 'edit_post', $post->ID ) 492 ) { 447 493 return true; 448 494 } … … 1520 1566 1521 1567 if ( $this->can_access_password_content( $post, $request ) ) { 1568 $this->password_check_passed[ $post->ID ] = true; 1522 1569 // Allow access to the post, permissions already checked before. 1523 add_filter( 'post_password_required', '__return_false');1570 add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 ); 1524 1571 1525 1572 $has_password_filter = true; … … 1548 1595 if ( $has_password_filter ) { 1549 1596 // Reset filter. 1550 remove_filter( 'post_password_required', '__return_false');1597 remove_filter( 'post_password_required', array( $this, 'check_password_required' ) ); 1551 1598 } 1552 1599 -
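Review bot: The `$this->password_check_passed[ $post->ID ] = true;` entry written at new line 1568 is never cleared, so after the `remove_filter` at new line 1597 the flag stays on the controller instance for the rest of the process. Because `check_password_required` (new lines 180-183) returns false for any post with a non-empty entry, a later collection request in `edit` context on the same instance (the `add_filter` at new lines 343 and 457, which sets no entry) would skip the `current_user_can( 'edit_post' )` check at new line 185 for that post; this presumably only matters where one instance serves several requests in one process, such as internal `rest_do_request` calls or the test suite, but it is cheap to close by adding `unset( $this->password_check_passed[ $post->ID ] );` beside that `remove_filter` call. The new docblock also has two wording slips: `@param WP_Post $post The post being password checked.` and, in the comment at new line 486, `Users always get access`. The functions containing the 341-361, 455-494 and 1566-1599 hunks start and end outside the hunks.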
branches/5.1/tests/phpunit/tests/rest-api/rest-posts-controller.php
r44452 r50730 1430 1430 1431 1431 $this->assertErrorResponse( 'rest_forbidden', $response, 401 ); 1432 } 1433 1434 public function test_get_post_draft_edit_context() { 1435 $post_content = 'Hello World!'; 1436 $this->factory->post->create( 1437 array( 1438 'post_title' => 'Hola', 1439 'post_password' => 'password', 1440 'post_content' => $post_content, 1441 'post_excerpt' => $post_content, 1442 'post_author' => self::$editor_id, 1443 ) 1444 ); 1445 $draft_id = $this->factory->post->create( 1446 array( 1447 'post_status' => 'draft', 1448 'post_author' => self::$contributor_id, 1449 'post_content' => '<!-- wp:latest-posts {"displayPostContent":true} /--> <!-- wp:latest-posts {"displayPostContent":true,"displayPostContentRadio":"full_post"} /-->', 1450 ) 1451 ); 1452 wp_set_current_user( self::$contributor_id ); 1453 $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/posts/%d', $draft_id ) ); 1454 $request->set_param( 'context', 'edit' ); 1455 $response = rest_get_server()->dispatch( $request ); 1456 $data = $response->get_data(); 1457 $this->assertNotContains( $post_content, $data['content']['rendered'] ); 1432 1458 } 1433 1459
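Review bot: `test_get_post_draft_edit_context` pins only the negative case — the contributor's rendered draft must not contain the password-protected post's content — so a regression that hid that content from everyone, including users holding `edit_post`, would still pass. A second dispatch of the same request after `wp_set_current_user( self::$editor_id );` with `$this->assertContains( $post_content, $data['content']['rendered'] );` would pin the grant side of the new behaviour as well. The test also depends on the `latest-posts` block embedding the protected post inside the draft, which is not obvious from the fixture; a comment such as `// The draft renders the password-protected post through the latest-posts block; a contributor must not see its content.` above the draft fixture would make the intent visible. The enclosing test class continues outside the hunk.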