The edit access in now taken into account for each individual post, term, or user in the response.
Merges [60814] into the 6.8 branch.
Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, rmccue, timothyblynjacobs, vortfu, whyisjake, zieladam.
Built from https://develop.svn.wordpress.org/branches/6.8@60817
git-svn-id: http://core.svn.wordpress.org/branches/6.8@60153 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [59889] the REST API controllers were adjusted to perform less work when responding to HEAD requests. The WP_REST_Response body would now be `null`, which caused issues with filters that expected the response body to be an array.
This commit sets the response body to be an empty array when preparing the response instead. The body will still be discarded, but this provides better backward comppatibility with code that assumes an array will be used.
See #56481.
Props antonvlasenko, timothyblynjacobs, mamaduka, wildworks.
Built from https://develop.svn.wordpress.org/trunk@59970
git-svn-id: http://core.svn.wordpress.org/trunk@59312 1a063a9b-81f0-0310-95a4-ce76da25c4cd
By default, the REST API responds to HEAD rqeuests by calling the GET handler and omitting the body from the response. While convenient, this ends up performing needless work that slows down the API response time.
This commit adjusts the Core controllers to specifically handle HEAD requests by not preparing the response body.
Fixes#56481.
Props antonvlasenko, janusdev, ironprogrammer, swissspidy, spacedmonkey, mukesh27, mamaduka, timothyblynjacobs.
Built from https://develop.svn.wordpress.org/trunk@59899
git-svn-id: http://core.svn.wordpress.org/trunk@59241 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds support for passing a `search_columns` argument to the user controller so that users with `list_users` caps can specify which field is being searched.
Props youknowriad, joemcgill, ntsekouras, mreishus, mamaduka.
Fixes 62596.
Built from https://develop.svn.wordpress.org/trunk@59892
git-svn-id: http://core.svn.wordpress.org/trunk@59234 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Values passed to parameters with this attribute will be redacted if present in a stack trace when using PHP 8.2 or later. This reduces the chance that passwords and security keys get accidentally exposed in debug logs and bug reports.
Props petitphp, TobiasBg, jrf, johnbillion.
Fixes#57304
Built from https://develop.svn.wordpress.org/trunk@59754
git-svn-id: http://core.svn.wordpress.org/trunk@59096 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This resolves an issue where the private property `WP_User_Query::$results` is accessed directly in `WP_REST_Users_Controller::get_items()` instead of via the `::get_results()` method.
Follow-up to [38832].
Props justlevine.
See #52217.
Built from https://develop.svn.wordpress.org/trunk@59357
git-svn-id: http://core.svn.wordpress.org/trunk@58743 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When various methods parameters in child classes were renamed to `$item` to match the parent class for PHP 8 named parameter support, most of the methods restored the more descriptive, specific name at the beginning for better readability, with several exceptions for methods consisting only of a few lines.
To avoid confusion about why some methods do that and some don't, this commit aims to bring more consistency to the code, specifically in list tables' `::column_default()` methods.
Follow-up to [51728], [51737], [51786].
See #58831.
Built from https://develop.svn.wordpress.org/trunk@56586
git-svn-id: http://core.svn.wordpress.org/trunk@56098 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_contains()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) contains the given substring (needle).
WordPress core includes a polyfill for `str_contains()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `false !== strpos( ... )` with `str_contains()` in core files, making the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987].
Props Soean, spacedmonkey, costdev, dingo_d, azaozz, mikeschroder, flixos90, peterwilsoncc, SergeyBiryukov.
Fixes#58206.
Built from https://develop.svn.wordpress.org/trunk@55988
git-svn-id: http://core.svn.wordpress.org/trunk@55500 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Removes the `WP_Error` code for `'Invalid user ID.'`. Why?
tl;dr
This branch will never be entered as the `$user` will never be falsey.
Longer reasoning:
[39954] introduced `WP_REST_Users_Controller::get_user()` method to encapsulate getting the user and handling the `'Invalid user ID.'` `WP_Error`. It replaced `get_userdata()` in `WP_REST_Users_Controller::update_item()` but left the existing `'Invalid user ID.'` `WP_Error` introduced in [38832].
The code removed in this changeset will never be reached because `$user` will never be falsey. Rather, `WP_REST_Users_Controller::get_user()` will always return an instance of `WP_Error` or `WP_User`.
Could the user's ID be falsey?
No. Why? `WP_REST_Users_Controller::get_user()` checks that the user exists, which checks if the ID is falsey.
Therefore, the code can safely be removed.
Follow-up to [39954], [38832].
Props jrf, costdev, hellofromTonya, SergeyBiryukov.
Fixes#56662.
Built from https://develop.svn.wordpress.org/trunk@55325
git-svn-id: http://core.svn.wordpress.org/trunk@54858 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Not all requests are accompanied by a `$request['email']`. This leads to a PHP 8.1 "passing null to non-nullable" deprecation notice when the `WP_REST_Users_Controller::update_item()` method passes a `null` email address onto `email_exists()`, which eventually reached the `WP_User::get_data_by()` method where things go wrong.
In the next condition in the code of the `WP_REST_Users_Controller::update_item()` method - `if ( $owner_id && $owner_id !== $id )` - you can see that the code already takes this into account as it will not throw a `WP_Error` if `$owner_id` is falsey.
`WP_User::get_data_by()` returns `false` for a failed field request. The other functions through which the return value is passed through, do the same.
So, by setting a default value for `$owner_id` of `false` and only checking `email_exists()` when there is an email to check, the "passing null to non-nullable" deprecation notice is bypassed without breaking BC.
Fixes a whole slew of test errors along the lines of:
{{{
6) WP_Test_REST_Users_Controller::test_update_item_en_US_locale
trim(): Passing null to parameter https://github.com/WordPress/wordpress-develop/pull/1 ($string) of type string is deprecated
/var/www/src/wp-includes/class-wp-user.php:211
/var/www/src/wp-includes/pluggable.php:105
/var/www/src/wp-includes/user.php:1953
/var/www/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php:728
/var/www/src/wp-includes/rest-api/class-wp-rest-server.php:1143
/var/www/src/wp-includes/rest-api/class-wp-rest-server.php:990
/var/www/tests/phpunit/includes/spy-rest-server.php:67
/var/www/tests/phpunit/tests/rest-api/rest-users-controller.php:1719
/var/www/vendor/bin/phpunit:123
}}}
Follow-up to [44641], [38832].
Props jrf.
See #55656.
Built from https://develop.svn.wordpress.org/trunk@54317
git-svn-id: http://core.svn.wordpress.org/trunk@53876 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Do not call the `prepare_links` methods in core REST API controllers, unless the `_links` or `_embedded` fields are requested. There is no need to prepare links if they are never returned in the response. This saves resources, as many calls to `prepare_links` methods perform database queries.
Props Spacedmonkey, timothyblynjacobs, rachelbaker, desrosj, dlh, hellofromTonya.
Fixes#52992.
Built from https://develop.svn.wordpress.org/trunk@53760
git-svn-id: http://core.svn.wordpress.org/trunk@53319 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset replaces contracted verb forms like `doesn't`, `can't`, or `isn't` with non-contracted forms like `does not`, `cannot`, or `is not`, for better consistency across the WordPress administration. It also updates some corresponding unit tests strings.
Props Presskopp, socalchristina, aandrewdixon, francina, SergeyBiryukov, JeffPaul, audrasjb, hellofromTonya.
Fixes#38913.
See #39176.
Built from https://develop.svn.wordpress.org/trunk@52978
git-svn-id: http://core.svn.wordpress.org/trunk@52567 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- First pass at adding the site editor from the Gutenberg plugin to
wp-admin/site-editor.php.
- Adds miscellaneous PHP changes from Gutenberg 10.1 - 11.9.
Follows [52042].
See #54337.
Props youknowriad, aristath, hellofromtonya, gziolo.
Built from https://develop.svn.wordpress.org/trunk@52069
git-svn-id: http://core.svn.wordpress.org/trunk@51661 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Similar to the existing `role`/`role__in`/`role__not_in` query arguments, this adds support for three new query arguments in `WP_User_Query`:
* `capability`
* `capability__in`
* `capability__not_in`
These can be used to fetch users with (or without) a specific set of capabilities, for example to get all users
with the capability to edit a certain post type.
Under the hood, this will check all existing roles on the site and perform a `LIKE` query against the `capabilities` user meta field to find:
* all users with a role that has this capability
* all users with the capability being assigned directly
Note: In WordPress, not all capabilities are stored in the database. Capabilities can also be modified using filters like `map_meta_cap`. These new query arguments do NOT work for such capabilities.
The prime use case for capability queries is to get all "authors", i.e. users with the capability to edit a certain post type.
Until now, `'who' => 'authors'` was used for this, which relies on user levels. However, user levels were deprecated a long time ago and thus never added to custom roles. This led to constant frustration due to users with custom roles missing from places like author dropdowns.
This updates any usage of `'who' => 'authors'` in core to use capability queries instead.
Subsequently, `'who' => 'authors'` queries are being **deprecated** in favor of these new query arguments.
Also adds a new `capabilities` parameter (mapping to `capability__in` in `WP_User_Query`) to the REST API users controller.
Also updates `twentyfourteen_list_authors()` in Twenty Fourteen to make use of this new functionality, adding a new `twentyfourteen_list_authors_query_args` filter to make it easier to override this behavior.
Props scribu, lgladdly, boonebgorges, spacedmonkey, peterwilsoncc, SergeyBiryukov, swissspidy.
Fixes#16841.
Built from https://develop.svn.wordpress.org/trunk@51943
git-svn-id: http://core.svn.wordpress.org/trunk@51532 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In each child and grandchild class, renames the first parameter to match the parent's method signature.
Why? PHP 8 introduces the ability to pass named arguments to function/method calls. This means the child and parent method signatures (i.e. parameter names) need to match.
Changes for readability:
- `@since` clearly specifies the original parameter name and its new name as well as why the change happened.
- In methods longer than a single line, the generic parameter is reassigned to the original parameter restoring it for context for use within the method. An inline comment is added to explain why this reassignment is made.
Follow-up to [38832], [39011], [39015], [39021], [39024], [39025], [39031], [39036], [43519], [43735], [43739], [43768], [46821], [48173], [48242], [49088], [50995], [51003], [51021].
Props jrf, hellofromTonya, sergeybiryukov, azaozz, desrosj, johnbillion.
See #51553.
Built from https://develop.svn.wordpress.org/trunk@51786
git-svn-id: http://core.svn.wordpress.org/trunk@51393 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The REST API treats routes without a permission_callback as public. Because this happens without any warning to the user, if the permission callback is unintentionally omitted or misspelled, the endpoint can end up being available to the public. Such a scenario has happened multiple times in the wild, and the results can be catostrophic when it occurs.
For REST API routes that are intended to be public, it is recommended to set the permission callback to the `__return_true` built in function.
Fixes#50075.
Props rmccue, sorenbronsted, whyisjake, SergeyBiryukov, TimothyBlynJacobs.
Built from https://develop.svn.wordpress.org/trunk@48526
git-svn-id: http://core.svn.wordpress.org/trunk@48288 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Only query post types with `'show_in_rest' => true` instead of looping over all post types and checking the `show_in_rest` property separately.
* Return from the `foreach()` loop as soon as the permission check succeeded.
Props pbiron, TimothyBlynJacobs, SergeyBiryukov.
Fixes#49118.
Built from https://develop.svn.wordpress.org/trunk@47034
git-svn-id: http://core.svn.wordpress.org/trunk@46834 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Caches the output of get_item_schema() to avoid redundant recomputation of translatable strings and other computed values. This method is called many times per item in each REST request, and the results of the method should not vary between calls.
Additional schema fields are not cached.
Props kadamwhite, joehoyle, TimothyBlynJacobs.
Fixes#47871.
Built from https://develop.svn.wordpress.org/trunk@45811
git-svn-id: http://core.svn.wordpress.org/trunk@45622 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Use of `date()` in core depends on PHP timezone set to UTC and not changed by third party code (which cannot be guaranteed).
`gmdate()` is functionally equivalent, but is not affected by PHP timezone setting: it's always UTC, which is the exact behavior the core needs.
Props nielsdeblaauw, Rarst.
Fixes#46438. See #44491.
Built from https://develop.svn.wordpress.org/trunk@45424
git-svn-id: http://core.svn.wordpress.org/trunk@45235 1a063a9b-81f0-0310-95a4-ce76da25c4cd
