Changeset 60834

Timestamp:

09/30/2025 05:05:21 PM (8 weeks ago)

Author:

desrosj

Message:

Grouped backports for the 5.2 branch.

• REST API: Increase the specificity of capability checks for collections when the edit context is in use.
• Menus: Prevent HTML in menu item titles from being rendered unexpectedly.

Merges [60814], [60815], [60816] to the 5.2 branch.

Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, phillsav, rmccue, timothyblynjacobs, vortfu, westonruter , whyisjake, zieladam.

Location:

branches/5.2

Files:

• . (modified) (1 prop)
• src/js/_enqueues/lib/nav-menu.js (modified) (2 diffs)
• src/js/_enqueues/wp/customize/nav-menus.js (modified) (2 diffs)
• src/wp-includes/class-wp-customize-nav-menus.php (modified) (3 diffs)
• src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php (modified) (12 diffs)
• src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php (modified) (1 diff)
• src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php (modified) (1 diff)
• src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php (modified) (4 diffs)
• tests/phpunit/tests/customize/nav-menu-item-setting.php (modified) (15 diffs)
• tests/phpunit/tests/customize/nav-menus.php (modified) (7 diffs)
• tests/phpunit/tests/rest-api/rest-posts-controller.php (modified) (1 diff)
• tests/phpunit/tests/rest-api/rest-tags-controller.php (modified) (1 diff)
• tests/phpunit/tests/rest-api/rest-users-controller.php (modified) (2 diffs)

branches/5.2/src/js/_enqueues/lib/nav-menu.js

@@ -1177 +1177 @@
 
         eventOnClickMenuSave : function() {
-            var locs = '',
-            menuName = $('#menu-name'),
-            menuNameVal = menuName.val();
-            // Cancel and warn if invalid menu name
+            var menuName = $('#menu-name'),
+                menuNameVal = menuName.val();
+
+            // Cancel and warn if invalid menu name.
             if ( ! menuNameVal || ! menuNameVal.replace( /\s+/, '' ) ) {
                 menuName.parent().addClass( 'form-invalid' );
                 return false;
             }
-            // Copy menu theme locations
+            // Copy menu theme locations.
+            // Note: This appears to be dead code since #nav-menu-theme-locations no longer exists, perhaps removed in r32842.
+            var $updateNavMenu = $('#update-nav-menu');
             $('#nav-menu-theme-locations select').each(function() {
-                locs += '<input type="hidden" name="' + this.name + '" value="' + $(this).val() + '" />';
-            });
-            $('#update-nav-menu').append( locs );
-            // Update menu item position data
+                $updateNavMenu.append(
+                    $( '<input>', {
+                        type: 'hidden',
+                        name: this.name,
+                        value: $( this ).val()
+                    } )
+                );
+            });
+            // Update menu item position data.
             api.menuList.find('.menu-item-data-position').val( function(index) { return index + 1; } );
             window.onbeforeunload = null;
@@ -1230 +1237 @@
 
             if( ! $items.length ) {
-                $('.categorychecklist', panel).html( '<li><p>' + navMenuL10n.noResultsFound + '</p></li>' );
+                var li = $( '<li>' );
+                var p = $( '<p>', { text: navMenuL10n.noResultsFound } );
+                li.append( p );
+                $('.categorychecklist', panel).empty().append( li );
                 $( '.spinner', panel ).removeClass( 'is-active' );
                 wrapper.addClass( 'has-no-menu-item' );

branches/5.2/src/js/_enqueues/wp/customize/nav-menus.js

@@ -525 +525 @@
             }
 
-            this.currentMenuControl.addItemToMenu( menu_item.attributes );
+            // Leave the title as empty to reuse the original title as a placeholder if set.
+            var nav_menu_item = Object.assign( {}, menu_item.attributes );
+            if ( nav_menu_item.title === nav_menu_item.original_title ) {
+                nav_menu_item.title = '';
+            }
+
+            this.currentMenuControl.addItemToMenu( nav_menu_item );
 
             $( menuitemTpl ).find( '.menu-item-handle' ).addClass( 'item-added' );
@@ -2979 +2985 @@
                 {
                     nav_menu_term_id: menuControl.params.menu_id,
-                    original_title: item.title,
                     position: position
                 }

branches/5.2/src/wp-includes/class-wp-customize-nav-menus.php

@@ -159 +159 @@
             } elseif ( 'post' !== $object && 0 === $page && $post_type->has_archive ) {
                 // Add a post type archive link.
+                $title   = $post_type->labels->archives;
                 $items[] = array(
-                    'id'         => $object . '-archive',
-                    'title'      => $post_type->labels->archives,
-                    'type'       => 'post_type_archive',
-                    'type_label' => __( 'Post Type Archive' ),
-                    'object'     => $object,
-                    'url'        => get_post_type_archive_link( $object ),
+                    'id'             => $object_name . '-archive',
+                    'title'          => $title,
+                    'original_title' => $title,
+                    'type'           => 'post_type_archive',
+                    'type_label'     => __( 'Post Type Archive' ),
+                    'object'         => $object_name,
+                    'url'            => get_post_type_archive_link( $object_name ),
                 );
             }
@@ -199 +201 @@
                     $post_title = sprintf( __( '#%d (no title)' ), $post->ID );
                 }
+
+                $title   = html_entity_decode( $post_title, ENT_QUOTES, get_bloginfo( 'charset' ) );
                 $items[] = array(
-                    'id'         => "post-{$post->ID}",
-                    'title'      => html_entity_decode( $post_title, ENT_QUOTES, get_bloginfo( 'charset' ) ),
-                    'type'       => 'post_type',
-                    'type_label' => get_post_type_object( $post->post_type )->labels->singular_name,
-                    'object'     => $post->post_type,
-                    'object_id'  => intval( $post->ID ),
-                    'url'        => get_permalink( intval( $post->ID ) ),
+                    'id'             => "post-{$post->ID}",
+                    'title'          => $title,
+                    'original_title' => $title,
+                    'type'           => 'post_type',
+                    'type_label'     => get_post_type_object( $post->post_type )->labels->singular_name,
+                    'object'         => $post->post_type,
+                    'object_id'      => (int) $post->ID,
+                    'url'            => get_permalink( (int) $post->ID ),
                 );
             }
@@ -230 +235 @@
 
             foreach ( $terms as $term ) {
+                $title   = html_entity_decode( $term->name, ENT_QUOTES, get_bloginfo( 'charset' ) );
                 $items[] = array(
-                    'id'         => "term-{$term->term_id}",
-                    'title'      => html_entity_decode( $term->name, ENT_QUOTES, get_bloginfo( 'charset' ) ),
-                    'type'       => 'taxonomy',
-                    'type_label' => get_taxonomy( $term->taxonomy )->labels->singular_name,
-                    'object'     => $term->taxonomy,
-                    'object_id'  => intval( $term->term_id ),
-                    'url'        => get_term_link( intval( $term->term_id ), $term->taxonomy ),
+                    'id'             => "term-{$term->term_id}",
+                    'title'          => $title,
+                    'original_title' => $title,
+                    'type'           => 'taxonomy',
+                    'type_label'     => get_taxonomy( $term->taxonomy )->labels->singular_name,
+                    'object'         => $term->taxonomy,
+                    'object_id'      => (int) $term->term_id,
+                    'url'            => get_term_link( (int) $term->term_id, $term->taxonomy ),
                 );
             }

branches/5.2/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php

@@ -57 +57 @@
         'xfn'              => '',
         'status'           => 'publish',
-        'original_title'   => '',
         'nav_menu_term_id' => 0, // This will be supplied as the $menu_id arg for wp_update_nav_menu_item().
         '_invalid'         => false,
@@ -212 +211 @@
      */
     public function value() {
-        if ( $this->is_previewed && $this->_previewed_blog_id === get_current_blog_id() ) {
+        $type_label = null;
+        if ( $this->is_previewed && get_current_blog_id() === $this->_previewed_blog_id ) {
             $undefined  = new stdClass(); // Symbol.
             $post_value = $this->post_value( $undefined );
@@ -220 +220 @@
             } else {
                 $value = $post_value;
-            }
-            if ( ! empty( $value ) && empty( $value['original_title'] ) ) {
-                $value['original_title'] = $this->get_original_title( (object) $value );
             }
         } elseif ( isset( $this->value ) ) {
@@ -235 +232 @@
                     $is_title_empty = empty( $post->post_title );
                     $value          = (array) wp_setup_nav_menu_item( $post );
+                    if ( isset( $value['type_label'] ) ) {
+                        $type_label = $value['type_label'];
+                    }
                     if ( $is_title_empty ) {
                         $value['title'] = '';
@@ -251 +251 @@
         }
 
-        if ( ! empty( $value ) && empty( $value['type_label'] ) ) {
-            $value['type_label'] = $this->get_type_label( (object) $value );
+        // These properties are read-only and are part of the setting for use in the Customizer UI.
+        if ( is_array( $value ) ) {
+            $value_obj               = (object) $value;
+            $value['type_label']     = isset( $type_label ) ? $type_label : $this->get_type_label( $value_obj );
+            $value['original_title'] = $this->get_original_title( $value_obj );
         }
 
@@ -259 +262 @@
 
     /**
+     * Prepares the value for editing on the client.
+     *
+     * @since 6.8.3
+     *
+     * @return array|false Value prepared for the client.
+     */
+    public function js_value() {
+        $value = parent::js_value();
+        if ( is_array( $value ) && isset( $value['original_title'] ) ) {
+            // Decode entities for the sake of displaying the original title as a placeholder.
+            $value['original_title'] = html_entity_decode( $value['original_title'], ENT_QUOTES, get_bloginfo( 'charset' ) );
+        }
+        return $value;
+    }
+
+    /**
      * Get original title.
      *
@@ -264 +283 @@
      *
      * @param object $item Nav menu item.
-     * @return string The original title.
+     * @return string The original title, without entity decoding.
      */
     protected function get_original_title( $item ) {
@@ -290 +309 @@
             }
         }
-        $original_title = html_entity_decode( $original_title, ENT_QUOTES, get_bloginfo( 'charset' ) );
         return $original_title;
     }
@@ -346 +364 @@
             $this->value['status'] = $this->value['post_status'];
             unset( $this->value['post_status'] );
-        }
-
-        if ( ! isset( $this->value['original_title'] ) ) {
-            $this->value['original_title'] = $this->get_original_title( (object) $this->value );
         }
 
@@ -593 +607 @@
         unset( $item->position );
 
-        if ( empty( $item->original_title ) ) {
-            $item->original_title = $this->get_original_title( $item );
-        }
         if ( empty( $item->title ) && ! empty( $item->original_title ) ) {
-            $item->title = $item->original_title;
+            $item->title = $item->original_title; // This is NOT entity-decoded. It comes from self::get_original_title().
         }
         if ( $item->title ) {
@@ -647 +658 @@
      * @since 4.3.0
      *
-     * @param array $menu_item_value The value to sanitize.
+     * @param array|false $value The menu item value to sanitize.
      * @return array|false|null|WP_Error Null or WP_Error if an input isn't valid. False if it is marked for deletion.
      *                                   Otherwise the sanitized value.
@@ -701 +712 @@
         }
 
-        $menu_item_value['original_title'] = sanitize_text_field( $menu_item_value['original_title'] );
-
         // Apply the same filters as when calling wp_insert_post().
 

branches/5.2/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

@@ -347 +347 @@
 
         foreach ( $query_result as $post ) {
-            if ( ! $this->check_read_permission( $post ) ) {
+            if ( 'edit' === $request['context'] ) {
+                $permission = $this->check_update_permission( $post );
+            } else {
+                $permission = $this->check_read_permission( $post );
+            }
+
+            if ( ! $permission ) {
                 continue;
             }

branches/5.2/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php

@@ -327 +327 @@
 
         foreach ( $query_result as $term ) {
+            if ( 'edit' === $request['context'] && ! current_user_can( 'edit_term', $term->term_id ) ) {
+                continue;
+            }
+
             $data       = $this->prepare_item_for_response( $term, $request );
             $response[] = $this->prepare_response_for_collection( $data );

branches/5.2/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

@@ -192 +192 @@
 
         if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
-            return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
+            return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit users.' ), array( 'status' => rest_authorization_required_code() ) );
         }
 
@@ -306 +306 @@
 
         foreach ( $query->results as $user ) {
+            if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
+                continue;
+            }
+
             $data    = $this->prepare_item_for_response( $user, $request );
             $users[] = $this->prepare_response_for_collection( $data );
@@ -400 +404 @@
         }
 
-        if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
-            return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
-        } elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) {
+        if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
+            return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
+        }
+
+        if ( ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) && ! count_user_posts( $user->ID, $types ) ) {
             return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
         }
@@ -923 +929 @@
         }
 
-        if ( in_array( 'roles', $fields, true ) ) {
+        if ( in_array( 'roles', $fields, true ) && ( current_user_can( 'list_users' ) || current_user_can( 'edit_user', $user->ID ) ) ) {
             // Defensively call array_values() to ensure an array is returned.
             $data['roles'] = array_values( $user->roles );

branches/5.2/tests/phpunit/tests/customize/nav-menu-item-setting.php

@@ -90 +90 @@
             'xfn'              => '',
             'status'           => 'publish',
-            'original_title'   => '',
             'nav_menu_term_id' => 0,
             '_invalid'         => false,
@@ -146 +145 @@
      *
      * @see WP_Customize_Nav_Menu_Item_Setting::value()
+     * @see WP_Customize_Nav_Menu_Item_Setting::js_value()
      */
     function test_value_type_post_type() {
         do_action( 'customize_register', $this->wp_customize );
 
-        $post_id = self::factory()->post->create( array( 'post_title' => 'Hello World' ) );
+        $post_id = self::factory()->post->create( array( 'post_title' => 'Hello <em>World</em>' ) );
 
         $menu_id    = wp_create_nav_menu( 'Menu' );
         $item_title = 'Greetings';
+        $item_props = array(
+            'menu-item-type'      => 'post_type',
+            'menu-item-object'    => 'post',
+            'menu-item-object-id' => $post_id,
+            'menu-item-title'     => $item_title,
+            'menu-item-status'    => 'publish',
+        );
         $item_id    = wp_update_nav_menu_item(
             $menu_id,
             0,
-            array(
-                'menu-item-type'      => 'post_type',
-                'menu-item-object'    => 'post',
-                'menu-item-object-id' => $post_id,
-                'menu-item-title'     => $item_title,
-                'menu-item-status'    => 'publish',
-            )
+            $item_props
         );
 
@@ -173 +174 @@
         $setting    = new WP_Customize_Nav_Menu_Item_Setting( $this->wp_customize, $setting_id );
 
-        $value = $setting->value();
-        $this->assertEquals( $menu_item->title, $value['title'] );
-        $this->assertEquals( $menu_item->type, $value['type'] );
+        $value    = $setting->value();
+        $js_value = $setting->js_value();
+        $this->assertSame( $menu_item->title, $value['title'] );
+        $this->assertSame( $menu_item->type, $value['type'] );
         $this->assertEquals( $menu_item->object_id, $value['object_id'] );
-        $this->assertEquals( $menu_id, $value['nav_menu_term_id'] );
-        $this->assertEquals( 'Hello World', $value['original_title'] );
+        $this->assertSame( $menu_id, $value['nav_menu_term_id'] );
+        $this->assertSame( 'Hello <em>World</em>', $value['original_title'] );
+        $this->assertSame( 'Hello <em>World</em>', $js_value['original_title'] );
+        $this->assertSame( $value, array_merge( $js_value, array( 'original_title' => $value['original_title'] ) ) );
 
         $other_menu_id = wp_create_nav_menu( 'Menu2' );
@@ -184 +188 @@
             $other_menu_id,
             $item_id,
-            array(
-                'menu-item-title' => 'Hola',
-            )
-        );
-        $value = $setting->value();
-        $this->assertEquals( 'Hola', $value['title'] );
-        $this->assertEquals( $other_menu_id, $value['nav_menu_term_id'] );
+            array_merge(
+                $item_props,
+                array(
+                    'menu-item-title' => 'Hola &lt;em&gt;Mundo&lt;/em&gt;',
+                )
+            )
+        );
+        $value    = $setting->value();
+        $js_value = $setting->js_value();
+        $this->assertSame( $menu_item->type, $value['type'] );
+        $this->assertSame( 'Hola &lt;em&gt;Mundo&lt;/em&gt;', $value['title'] );
+        $this->assertSame( 'Hello &lt;em&gt;World&lt;/em&gt;', $value['original_title'] );
+        $this->assertSame( 'Hello <em>World</em>', $js_value['original_title'] );
+        $this->assertSame( $other_menu_id, $value['nav_menu_term_id'] );
+        $this->assertSame( $value, array_merge( $js_value, array( 'original_title' => $value['original_title'] ) ) );
     }
 
@@ -197 +209 @@
      *
      * @see WP_Customize_Nav_Menu_Item_Setting::value()
+     * @see WP_Customize_Nav_Menu_Item_Setting::js_value()
      */
     function test_value_type_post_type_without_label() {
         do_action( 'customize_register', $this->wp_customize );
 
-        $original_title = 'Hello World';
+        $original_title = 'Hello &lt;i&gt;World&lt;/i&gt;';
         $post_id        = self::factory()->post->create( array( 'post_title' => $original_title ) );
 
@@ -220 +233 @@
         $setting    = new WP_Customize_Nav_Menu_Item_Setting( $this->wp_customize, $setting_id );
 
-        $value = $setting->value();
-        $this->assertEquals( '', $value['title'] );
-        $this->assertEquals( $original_title, $value['original_title'] );
+        $value    = $setting->value();
+        $js_value = $setting->js_value();
+        $this->assertSame( '', $value['title'] );
+        $this->assertSame( $original_title, $value['original_title'] );
+        $this->assertSame( 'Hello <i>World</i>', $js_value['original_title'] );
     }
 
@@ -233 +248 @@
         do_action( 'customize_register', $this->wp_customize );
 
-        $tax_id = self::factory()->category->create( array( 'name' => 'Salutations' ) );
+        $tax_id = self::factory()->category->create( array( 'name' => '&iexcl;Salutations!' ) );
 
         $menu_id    = wp_create_nav_menu( 'Menu' );
-        $item_title = 'Greetings';
+        $item_title = '&iexcl;Greetings!';
         $item_id    = wp_update_nav_menu_item(
             $menu_id,
@@ -256 +271 @@
         $setting    = new WP_Customize_Nav_Menu_Item_Setting( $this->wp_customize, $setting_id );
 
-        $value = $setting->value();
-        $this->assertEquals( $menu_item->title, $value['title'] );
-        $this->assertEquals( $menu_item->type, $value['type'] );
+        $value    = $setting->value();
+        $js_value = $setting->js_value();
+        $this->assertSame( $menu_item->title, $value['title'] );
+        $this->assertSame( $menu_item->type, $value['type'] );
         $this->assertEquals( $menu_item->object_id, $value['object_id'] );
-        $this->assertEquals( $menu_id, $value['nav_menu_term_id'] );
-        $this->assertEquals( 'Salutations', $value['original_title'] );
+        $this->assertSame( $menu_id, $value['nav_menu_term_id'] );
+        $this->assertSame( '&iexcl;Salutations!', $value['original_title'] );
+        $this->assertSame( '¡Salutations!', $js_value['original_title'] );
     }
 
@@ -268 +285 @@
      *
      * @see WP_Customize_Nav_Menu_Item_Setting::value()
+     * @see WP_Customize_Nav_Menu_Item_Setting::js_value()
      */
     function test_custom_type_label() {
@@ -291 +309 @@
         $setting    = new WP_Customize_Nav_Menu_Item_Setting( $this->wp_customize, $setting_id );
 
-        $value = $setting->value();
-        $this->assertEquals( $menu_item->type_label, 'Custom Label' );
-        $this->assertEquals( $menu_item->type_label, $value['type_label'] );
+        $value    = $setting->value();
+        $js_value = $setting->js_value();
+        $this->assertSame( 'Custom Label', $value['type_label'] );
+        $this->assertSame( 'custom_type', $value['type'] );
+        $this->assertSame( '', $value['original_title'] );
+        $this->assertSame( '', $js_value['original_title'] );
     }
 
@@ -394 +415 @@
             $this->assertEquals( $value, $updated_item->$key, "Key $key mismatch" );
         }
+    }
+
+    /**
+     * Test preview method for updated menu with readonly properties.
+     *
+     * @see WP_Customize_Nav_Menu_Item_Setting::preview()
+     */
+    public function test_preview_readonly_properties() {
+        do_action( 'customize_register', $this->wp_customize );
+
+        $post_id    = self::factory()->post->create( array( 'post_title' => '&iexcl;Hello World!' ) );
+        $menu_id    = wp_create_nav_menu( 'Primary' );
+        $item_title = 'Greetings';
+        $item_id    = wp_update_nav_menu_item(
+            $menu_id,
+            0,
+            array(
+                'menu-item-type'      => 'post_type',
+                'menu-item-object'    => 'post',
+                'menu-item-object-id' => $post_id,
+                'menu-item-title'     => $item_title,
+                'menu-item-status'    => 'publish',
+            )
+        );
+
+        $post_value = array(
+            'type'             => 'post_type',
+            'object'           => 'post',
+            'object_id'        => $post_id,
+            'title'            => 'Saludos',
+            'status'           => 'publish',
+            'nav_menu_term_id' => $menu_id,
+            'type_label'       => 'Override Label',
+            'original_title'   => 'Not Original!',
+        );
+        $setting_id = "nav_menu_item[$item_id]";
+        $setting    = new WP_Customize_Nav_Menu_Item_Setting( $this->wp_customize, $setting_id );
+        $this->wp_customize->set_post_value( $setting_id, $post_value );
+        $setting->preview();
+
+        $value    = $setting->value();
+        $js_value = $setting->js_value();
+        $this->assertSame( 'Saludos', $value['title'] );
+        $this->assertSame( 'Saludos', $js_value['title'] );
+        $this->assertSame( 'Post', $value['type_label'] );
+        $this->assertSame( 'Post', $js_value['type_label'] );
+        $this->assertSame( '&iexcl;Hello World!', $value['original_title'] );
+        $this->assertSame( '¡Hello World!', $js_value['original_title'] );
     }
 
@@ -459 +528 @@
      *
      * @see WP_Customize_Nav_Menu_Item_Setting::preview()
+     * @see WP_Customize_Nav_Menu_Item_Setting::value()
+     * @see WP_Customize_Nav_Menu_Item_Setting::js_value()
      */
     function test_preview_deleted() {
@@ -493 +564 @@
         $this->assertNotEquals( count( $current_items ), count( $preview_items ) );
         $this->assertContains( $delete_item_id, wp_list_pluck( $current_items, 'db_id' ) );
+
+        $this->assertFalse( $setting->value() );
+        $this->assertFalse( $setting->js_value() );
     }
 
@@ -561 +635 @@
             'xfn'              => 'hello " inject="',
             'status'           => 'forbidden',
-            'original_title'   => 'Hi<script>unfilteredHtml()</script>',
+            'original_title'   => 'Possibly authored by an admin: <script>unfilteredHtml()</script>',
             'nav_menu_term_id' => 'heilo',
             '_invalid'         => false,
@@ -580 +654 @@
             'xfn'              => 'hello  inject',
             'status'           => 'draft',
-            'original_title'   => 'Hi',
+            'original_title'   => 'Possibly authored by an admin: <script>unfilteredHtml()</script>',
             'nav_menu_term_id' => 0,
         );

branches/5.2/tests/phpunit/tests/customize/nav-menus.php

@@ -145 +145 @@
         // Home is included in menu items when page is zero.
         $items = $menus->load_available_items_query( 'post_type', 'page', 0 );
-        $this->assertContains( $expected, $items );
+        $this->assertContains( $expected, $items, "Items:\n" . var_export( $items, true ) );
 
         // Home is not included in menu items when page is larger than zero.
         $items = $menus->load_available_items_query( 'post_type', 'page', 1 );
         $this->assertNotEmpty( $items );
-        $this->assertNotContains( $expected, $items );
+        $this->assertNotContains( $expected, $items, "Items:\n" . var_export( $items, true ) );
     }
 
@@ -162 +162 @@
 
         // Create page.
-        $post_id = self::factory()->post->create( array( 'post_title' => 'Post Title' ) );
+        $post_id = self::factory()->post->create( array( 'post_title' => 'Post <strong>Strong</strong> Title' ) );
 
         // Create pages.
@@ -169 +169 @@
         // Expected menu item array.
         $expected = array(
-            'id'         => "post-{$post_id}",
-            'title'      => 'Post Title',
-            'type'       => 'post_type',
-            'type_label' => 'Post',
-            'object'     => 'post',
-            'object_id'  => intval( $post_id ),
-            'url'        => get_permalink( intval( $post_id ) ),
+            'id'             => "post-{$post_id}",
+            'title'          => 'Post <strong>Strong</strong> Title',
+            'original_title' => 'Post <strong>Strong</strong> Title',
+            'type'           => 'post_type',
+            'type_label'     => 'Post',
+            'object'         => 'post',
+            'object_id'      => (int) $post_id,
+            'url'            => get_permalink( (int) $post_id ),
         );
 
         // Offset the query and get the second page of menu items.
         $items = $menus->load_available_items_query( 'post_type', 'post', 1 );
-        $this->assertContains( $expected, $items );
+        $this->assertContains( $expected, $items, "Items:\n" . var_export( $items, true ) );
     }
 
@@ -201 +202 @@
         // Expected menu item array.
         $expected = array(
-            'id'         => "post-{$page_id}",
-            'title'      => 'Page Title',
-            'type'       => 'post_type',
-            'type_label' => 'Page',
-            'object'     => 'page',
-            'object_id'  => intval( $page_id ),
-            'url'        => get_permalink( intval( $page_id ) ),
+            'id'             => "post-{$page_id}",
+            'title'          => 'Page Title',
+            'original_title' => 'Page Title',
+            'type'           => 'post_type',
+            'type_label'     => 'Page',
+            'object'         => 'page',
+            'object_id'      => (int) $page_id,
+            'url'            => get_permalink( (int) $page_id ),
         );
 
         $items = $menus->load_available_items_query( 'post_type', 'page', 0 );
-        $this->assertContains( $expected, $items );
+        $this->assertContains( $expected, $items, "Items:\n" . var_export( $items, true ) );
     }
 
@@ -227 +229 @@
         // Expected menu item array.
         $expected = array(
-            'id'         => "post-{$post_id}",
-            'title'      => 'Post Title',
-            'type'       => 'post_type',
-            'type_label' => 'Post',
-            'object'     => 'post',
-            'object_id'  => intval( $post_id ),
-            'url'        => get_permalink( intval( $post_id ) ),
+            'id'             => "post-{$post_id}",
+            'title'          => 'Post Title',
+            'original_title' => 'Post Title',
+            'type'           => 'post_type',
+            'type_label'     => 'Post',
+            'object'         => 'post',
+            'object_id'      => (int) $post_id,
+            'url'            => get_permalink( (int) $post_id ),
         );
 
         $items = $menus->load_available_items_query( 'post_type', 'post', 0 );
-        $this->assertContains( $expected, $items );
+        $this->assertContains( $expected, $items, "Items:\n" . var_export( $items, true ) );
     }
 
@@ -253 +256 @@
         // Expected menu item array.
         $expected = array(
-            'id'         => "term-{$term_id}",
-            'title'      => 'Term Title',
-            'type'       => 'taxonomy',
-            'type_label' => 'Category',
-            'object'     => 'category',
-            'object_id'  => intval( $term_id ),
-            'url'        => get_term_link( intval( $term_id ), 'category' ),
+            'id'             => "term-{$term_id}",
+            'title'          => 'Term Title',
+            'original_title' => 'Term Title',
+            'type'           => 'taxonomy',
+            'type_label'     => 'Category',
+            'object'         => 'category',
+            'object_id'      => (int) $term_id,
+            'url'            => get_term_link( (int) $term_id, 'category' ),
         );
 
         $items = $menus->load_available_items_query( 'taxonomy', 'category', 0 );
-        $this->assertContains( $expected, $items );
+        $this->assertContains( $expected, $items, "Items:\n" . var_export( $items, true ) );
     }
 
@@ -288 +292 @@
 
         $items = $menus->load_available_items_query( 'custom_type', 'custom_object', 0 );
-        $this->assertContains( $expected, $items );
+        $this->assertContains( $expected, $items, "Items:\n" . var_export( $items, true ) );
     }
 

branches/5.2/tests/phpunit/tests/rest-api/rest-posts-controller.php

@@ -4314 +4314 @@
 
     /**
+     * @group 1018470
+     */
+    public function test_cannot_get_other_users_single_post_with_edit_context_if_disallowed() {
+        $author_post = self::factory()->post->create(
+            array(
+                'post_password' => 'test',
+                'post_author'   => self::$author_id,
+            )
+        );
+
+        wp_set_current_user( self::$contributor_id );
+
+        $request = new WP_REST_Request( 'GET', '/wp/v2/posts/' . $author_post );
+        $request->set_query_params( array( 'context' => 'edit' ) );
+        $response = rest_do_request( $request );
+
+        $this->assertErrorResponse( 'rest_forbidden_context', $response, 403, 'Contributor should not be able to access Author post with edit context' );
+    }
+
+    /**
+     * @group 1018470
+     */
+    public function test_cannot_see_other_users_post_in_collection_with_edit_context_if_disallowed() {
+        $author_post = self::factory()->post->create(
+            array(
+                'post_password' => 'test',
+                'post_author'   => self::$author_id,
+            )
+        );
+
+        wp_set_current_user( self::$contributor_id );
+
+        $request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
+        $request->set_query_params(
+            array(
+                'context' => 'edit',
+                'include' => $author_post,
+            )
+        );
+        $response = rest_do_request( $request );
+        $data     = $response->get_data();
+
+        $this->assertIsArray( $data );
+        $this->assertEmpty( $data );
+    }
+
+    /**
      * Internal function used to disable an insert query which
      * will trigger a wpdb error for testing purposes.

branches/5.2/tests/phpunit/tests/rest-api/rest-tags-controller.php

@@ -1270 +1270 @@
     }
 
+    /**
+     * @group 1018470
+     */
+    public function test_cannot_get_single_term_with_edit_context_if_disallowed() {
+        add_filter(
+            'map_meta_cap',
+            static function ( $caps, $cap ) {
+                if ( 'edit_term' === $cap ) {
+                    return array( 'do_not_allow' );
+                }
+
+                return $caps;
+            },
+            10,
+            2
+        );
+
+        $term = self::factory()->term->create();
+
+        wp_set_current_user( self::$editor );
+
+        $request = new WP_REST_Request( 'GET', '/wp/v2/tags/' . $term );
+        $request->set_query_params( array( 'context' => 'edit' ) );
+        $response = rest_do_request( $request );
+        $this->assertErrorResponse( 'rest_forbidden_context', $response, 403 );
+    }
+
+    /**
+     * @group 1018470
+     */
+    public function test_cannot_see_single_term_in_collection_with_edit_context_if_disallowed() {
+        add_filter(
+            'map_meta_cap',
+            static function ( $caps, $cap ) {
+                if ( 'edit_term' === $cap ) {
+                    return array( 'do_not_allow' );
+                }
+
+                return $caps;
+            },
+            10,
+            2
+        );
+
+        $term = self::factory()->term->create();
+
+        wp_set_current_user( self::$editor );
+
+        $request = new WP_REST_Request( 'GET', '/wp/v2/tags' );
+        $request->set_query_params(
+            array(
+                'context' => 'edit',
+                'include' => $term,
+            )
+        );
+        $response = rest_do_request( $request );
+        $data     = $response->get_data();
+
+        $this->assertIsArray( $data );
+        $this->assertEmpty( $data );
+    }
+
     public function additional_field_get_callback( $object, $request ) {
         return 123;

branches/5.2/tests/phpunit/tests/rest-api/rest-users-controller.php

@@ -1050 +1050 @@
         $request->set_param( 'context', 'edit' );
         $response = rest_get_server()->dispatch( $request );
-        $this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 );
+        $this->assertErrorResponse( 'rest_forbidden_context', $response, 401 );
     }
 
@@ -2744 +2744 @@
 
     /**
+     * @group 1018470
+     */
+    public function test_cannot_get_single_user_with_edit_context_if_disallowed() {
+        $privileged_contributor = self::factory()->user->create_and_get( array( 'role' => 'subscriber' ) );
+        $privileged_contributor->add_cap( 'list_users' );
+
+        wp_set_current_user( $privileged_contributor->ID );
+
+        // Single request for a disallowed user returns an error.
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users/1' );
+        $request->set_query_params( array( 'context' => 'edit' ) );
+        $response = rest_do_request( $request );
+        $this->assertErrorResponse( 'rest_forbidden_context', $response, 403 );
+    }
+
+    /**
+     * @group 1018470
+     */
+    public function test_cannot_see_user_in_collection_with_edit_context_if_disallowed() {
+        $privileged_contributor = self::factory()->user->create_and_get( array( 'role' => 'subscriber' ) );
+        $privileged_contributor->add_cap( 'list_users' );
+
+        wp_set_current_user( $privileged_contributor->ID );
+
+        // Collection request including a disallowed user omits that user.
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $request->set_query_params(
+            array(
+                'context' => 'edit',
+                'include' => array( 1 ),
+            )
+        );
+        $response = rest_do_request( $request );
+        $data     = $response->get_data();
+
+        $this->assertIsArray( $data );
+        $this->assertEmpty( $data );
+    }
+
+    /**
+     * @group 1018470
+     */
+    public function test_cannot_see_other_user_in_collection_with_edit_context_if_specifically_disallowed() {
+        wp_set_current_user( self::$user );
+
+        add_filter(
+            'map_meta_cap',
+            static function ( $caps, $cap ) {
+                if ( 'edit_user' === $cap ) {
+                    return array( 'do_not_allow' );
+                }
+
+                return $caps;
+            },
+            10,
+            2
+        );
+
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $request->set_query_params(
+            array(
+                'context' => 'edit',
+                'include' => array( 1 ),
+            )
+        );
+        $response = rest_do_request( $request );
+        $data     = $response->get_data();
+
+        $this->assertIsArray( $data );
+        $this->assertEmpty( $data );
+    }
+
+    /**
+     * @group 1018470
+     */
+    public function test_can_get_user_if_specifically_allowed() {
+        wp_set_current_user( self::$subscriber );
+
+        add_filter(
+            'map_meta_cap',
+            static function ( $caps, $cap ) {
+                if ( 'edit_user' === $cap ) {
+                    return array();
+                }
+
+                return $caps;
+            },
+            10,
+            2
+        );
+
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users/' . self::$user );
+        $request->set_query_params( array( 'context' => 'edit' ) );
+        $response = rest_do_request( $request );
+        $this->check_user_data( get_userdata( self::$user ), $response->get_data(), 'edit', $response->get_links() );
+    }
+
+    /**
      * @ticket 39701
      * @group ms-required