From 940a4be8043c9287d0766230685eb9a9f1aa25c1 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Mon, 17 Dec 2018 03:26:22 +0000
Subject: [PATCH] REST API: Avoid using 'parent' as path argument name for autosaves.

When 'parent' is set as the path argument name, it gets passed down through to the `create_item()` method and can erroneously reset the 'parent' value on the post itself.

Instead, we rename the argument to 'id' and replicate the revision controller's `get_items_permissions_check()` to instead reference 'id'.

Also ensures revision query params (of which there are many) aren't exposed as the query params for autosaves (of which there are two).

Props TimothyBlynJacobs.
Merges [43897] to trunk.
See #43316.
Built from https://develop.svn.wordpress.org/trunk@44250

git-svn-id: http://core.svn.wordpress.org/trunk@44080 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 .../class-wp-rest-autosaves-controller.php | 45 ++++++++++++++++---
 wp-includes/version.php | 2 +-
 2 files changed, 41 insertions(+), 6 deletions(-)

diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php
index 79529213c3..bf5b180df8 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php
@@ -79,7 +79,7 @@ class WP_REST_Autosaves_Controller extends WP_REST_Revisions_Controller {
 public function register_routes() {
 register_rest_route(
 $this->rest_namespace,
- '/' . $this->parent_base . '/(?P[\d]+)/' . $this->rest_base,
+ '/' . $this->parent_base . '/(?P[\d]+)/' . $this->rest_base,
 array(
 'args' => array(
 'parent' => array(
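Review bot: The route-level `'args'` block at the end of this hunk still keys its entry as `'parent'` while the path variable in the same `register_rest_route()` call is renamed to `id`, so the description and type declared there are no longer attached to the argument the route actually matches. Unless the key is kept on purpose, it should follow the rename: `'id' => array(`. In this rendering the named group reads `(?P[\d]+)` on both the removed and added line; the group name (`id` per the commit message) appears to have been stripped during extraction rather than in the patch itself. The `register_routes()` body continues past the hunk.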
@@ -90,14 +90,14 @@ class WP_REST_Autosaves_Controller extends WP_REST_Revisions_Controller {
 array(
 'methods' => WP_REST_Server::READABLE,
 'callback' => array( $this, 'get_items' ),
- 'permission_callback' => array( $this->revisions_controller, 'get_items_permissions_check' ),
+ 'permission_callback' => array( $this, 'get_items_permissions_check' ),
 'args' => $this->get_collection_params(),
 ),
 array(
 'methods' => WP_REST_Server::CREATABLE,
 'callback' => array( $this, 'create_item' ),
 'permission_callback' => array( $this, 'create_item_permissions_check' ),
- 'args' => $this->get_endpoint_args_for_item_schema( WP_REST_Server::CREATABLE ),
+ 'args' => $this->parent_controller->get_endpoint_args_for_item_schema( WP_REST_Server::EDITABLE ),
 ),
 'schema' => array( $this, 'get_public_item_schema' ),
 )
@@ -143,6 +143,28 @@ class WP_REST_Autosaves_Controller extends WP_REST_Revisions_Controller {
 return $this->revisions_controller->get_parent( $parent_id );
 }
 
+ /**
+ * Checks if a given request has access to get autosaves.
+ *
+ * @since 5.0.0
+ *
+ * @param WP_REST_Request $request Full data about the request.
+ * @return true|WP_Error True if the request has read access, WP_Error object otherwise.
+ */
+ public function get_items_permissions_check( $request ) {
+ $parent = $this->get_parent( $request['id'] );
+ if ( is_wp_error( $parent ) ) {
+ return $parent;
+ }
+
+ $parent_post_type_obj = get_post_type_object( $parent->post_type );
+ if ( ! current_user_can( $parent_post_type_obj->cap->edit_post, $parent->ID ) ) {
+ return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to view autosaves of this post.' ), array( 'status' => rest_authorization_required_code() ) );
+ }
+
+ return true;
+ }
+
 /**
 * Checks if a given request has access to create an autosave revision.
 *
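Review bot: In the new `get_items_permissions_check()`, `$parent_post_type_obj` is dereferenced as `->cap->edit_post` without checking that `get_post_type_object()` returned an object, so a parent whose post type is no longer registered would fail on that line instead of being denied cleanly. A guard on the same line keeps the deny path intact: `if ( ! $parent_post_type_obj || ! current_user_can( $parent_post_type_obj->cap->edit_post, $parent->ID ) ) {`. Requiring `edit_post` on the parent rather than a read capability is the right bar, since autosaves can carry unpublished draft content; a short comment would make that intent explicit for the next reader, e.g. `// Autosaves may expose unpublished content, so require edit access to the parent post.`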
@@ -177,7 +199,7 @@ class WP_REST_Autosaves_Controller extends WP_REST_Revisions_Controller {
 define( 'DOING_AUTOSAVE', true );
 }
 
- $post = get_post( $request->get_param( 'id' ) );
+ $post = get_post( $request['id'] );
 
 if ( is_wp_error( $post ) ) {
 return $post;
@@ -245,7 +267,7 @@ class WP_REST_Autosaves_Controller extends WP_REST_Revisions_Controller {
 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
 */
 public function get_items( $request ) {
- $parent = $this->get_parent( $request->get_param( 'parent' ) );
+ $parent = $this->get_parent( $request['id'] );
 if ( is_wp_error( $parent ) ) {
 return $parent;
 }
@@ -389,4 +411,17 @@ class WP_REST_Autosaves_Controller extends WP_REST_Revisions_Controller {
 */
 return apply_filters( 'rest_prepare_autosave', $response, $post, $request );
 }
+
+ /**
+ * Retrieves the query params for the autosaves collection.
+ *
+ * @since 5.0.0
+ *
+ * @return array Collection parameters.
+ */
+ public function get_collection_params() {
+ return array(
+ 'context' => $this->get_context_param( array( 'default' => 'view' ) ),
+ );
+ }
 }
diff --git a/wp-includes/version.php b/wp-includes/version.php
index b9b5fdb764..eaa01a9448 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -13,7 +13,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.1-alpha-44249';
+$wp_version = '5.1-alpha-44250';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
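Review bot: The new `$post = get_post( $request['id'] );` feeds the unchanged `is_wp_error( $post )` check two lines below, but `get_post()` returns `null` rather than a `WP_Error` when the ID does not resolve, so an unresolvable ID is not caught at this point. If `create_item_permissions_check()` is relied on to have already validated the ID, a one-line comment saying so would settle the question; otherwise the guard should be `if ( ! $post ) { return new WP_Error( 'rest_post_invalid_id', __( 'Invalid post ID.' ), array( 'status' => 404 ) ); }`. `create_item()` starts and ends outside this hunk.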
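Review bot: The new `get_collection_params()` declares a single query parameter, `context`, while the commit message says autosaves have two query params; either a second parameter was intended and is missing here, or the message overstates the count, and the two should be reconciled before merge. Overriding the inherited method also means any of the revisions controller's parameters (such as `per_page`) that a client still sends to this route are no longer declared or validated; if `get_items()` ever honoured one of them that is a visible API change worth a note in the docblock, e.g. `Autosaves accept only `context`; the revisions collection parameters do not apply here.`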