From 901c4ed17a5bb4650f1a9d73c12a8c89ef3bc84c Mon Sep 17 00:00:00 2001
From: Joe Hoyle <joehoyle@gmail.com>
Date: Thu, 3 Nov 2016 01:46:29 +0000
Subject: [PATCH] REST API: Support querying for multiple post statuses.

Multiple post statuses can be specified by the usual CSV or array-propper format.

Props jnylen0, kadamwhite, websupporter.
Fixes #38420.

Built from https://develop.svn.wordpress.org/trunk@39104


git-svn-id: http://core.svn.wordpress.org/trunk@39046 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/rest-api/class-wp-rest-server.php |  6 +++
 .../class-wp-rest-attachments-controller.php  |  4 +-
 .../class-wp-rest-posts-controller.php        | 52 ++++++++++++-------
 wp-includes/version.php                       |  2 +-
 4 files changed, 43 insertions(+), 21 deletions(-)

diff --git a/wp-includes/rest-api/class-wp-rest-server.php b/wp-includes/rest-api/class-wp-rest-server.php
index c7026eb955..76f8b3fe02 100644
--- a/wp-includes/rest-api/class-wp-rest-server.php
+++ b/wp-includes/rest-api/class-wp-rest-server.php
@@ -1183,6 +1183,12 @@ class WP_REST_Server {
 					if ( isset( $opts['description'] ) ) {
 						$arg_data['description'] = $opts['description'];
 					}
+					if ( isset( $opts['type'] ) ) {
+						$arg_data['type'] = $opts['type'];
+					}
+					if ( isset( $opts['items'] ) ) {
+						$arg_data['items'] = $opts['items'];
+					}
 					$endpoint_data['args'][ $key ] = $arg_data;
 				}
 			}
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
index 2749b12d22..42187df05b 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
@@ -30,7 +30,7 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 	protected function prepare_items_query( $prepared_args = array(), $request = null ) {
 		$query_args = parent::prepare_items_query( $prepared_args, $request );
 
-		if ( empty( $query_args['post_status'] ) || ! in_array( $query_args['post_status'], array( 'inherit', 'private', 'trash' ), true ) ) {
+		if ( empty( $query_args['post_status'] ) ) {
 			$query_args['post_status'] = 'inherit';
 		}
 
@@ -586,7 +586,7 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 	public function get_collection_params() {
 		$params = parent::get_collection_params();
 		$params['status']['default'] = 'inherit';
-		$params['status']['enum'] = array( 'inherit', 'private', 'trash' );
+		$params['status']['items']['enum'] = array( 'inherit', 'private', 'trash' );
 		$media_types = $this->get_media_types();
 
 		$params['media_type'] = array(
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
index 0122f9a773..2eed29b69f 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -2120,11 +2120,13 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 
 		$params['status'] = array(
 			'default'           => 'publish',
-			'description'       => __( 'Limit result set to posts assigned a specific status; can be comma-delimited list of status types.' ),
-			'enum'              => array_merge( array_keys( get_post_stati() ), array( 'any' ) ),
-			'sanitize_callback' => 'sanitize_key',
-			'type'              => 'string',
-			'validate_callback' => array( $this, 'validate_user_can_query_private_statuses' ),
+			'description'       => __( 'Limit result set to posts assigned one or more statuses.' ),
+			'type'              => 'array',
+			'items'             => array(
+				'enum'          => array_merge( array_keys( get_post_stati() ), array( 'any' ) ),
+				'type'          => 'string',
+			),
+			'sanitize_callback' => array( $this, 'sanitize_post_statuses' ),
 		);
 
 		$taxonomies = wp_list_filter( get_object_taxonomies( $this->post_type, 'objects' ), array( 'show_in_rest' => true ) );
@@ -2152,27 +2154,41 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 	}
 
 	/**
-	 * Validates whether the user can query private statuses.
+	 * Sanitizes and validates the list of post statuses, including whether the
+	 * user can query private statuses.
 	 *
 	 * @since 4.7.0
 	 * @access public
 	 *
-	 * @param  mixed           $value     Post status.
+	 * @param  string|array    $statuses  One or more post statuses.
 	 * @param  WP_REST_Request $request   Full details about the request.
 	 * @param  string          $parameter Additional parameter to pass to validation.
-	 * @return bool|WP_Error Whether the request can query private statuses, otherwise WP_Error object.
+	 * @return array|WP_Error A list of valid statuses, otherwise WP_Error object.
 	 */
-	public function validate_user_can_query_private_statuses( $value, $request, $parameter ) {
-		if ( 'publish' === $value ) {
-			return rest_validate_request_arg( $value, $request, $parameter );
+	public function sanitize_post_statuses( $statuses, $request, $parameter ) {
+		$statuses = wp_parse_slug_list( $statuses );
+
+		// The default status is different in WP_REST_Attachments_Controller
+		$attributes = $request->get_attributes();
+		$default_status = $attributes['args']['status']['default'];
+
+		foreach ( $statuses as $status ) {
+			if ( $status === $default_status ) {
+				continue;
+			}
+
+			$post_type_obj = get_post_type_object( $this->post_type );
+
+			if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
+				$result = rest_validate_request_arg( $status, $request, $parameter );
+				if ( is_wp_error( $result ) ) {
+					return $result;
+				}
+			} else {
+				return new WP_Error( 'rest_forbidden_status', __( 'Status is forbidden.' ), array( 'status' => rest_authorization_required_code() ) );
+			}
 		}
 
-		$post_type_obj = get_post_type_object( $this->post_type );
-
-		if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
-			return rest_validate_request_arg( $value, $request, $parameter );
-		}
-
-		return new WP_Error( 'rest_forbidden_status', __( 'Status is forbidden.' ), array( 'status' => rest_authorization_required_code() ) );
+		return $statuses;
 	}
 }
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 7cb4947f6d..a89e1e0186 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.7-beta1-39103';
+$wp_version = '4.7-beta1-39104';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.