From c888dd17cc3e898361c27127934febc97edff036 Mon Sep 17 00:00:00 2001
From: Peter Wilson <wilson@peterwilson.cc>
Date: Thu, 15 Apr 2021 01:10:51 +0000
Subject: [PATCH] Grouped merges for 5.3.7.

* REST API: Allow authors to read their own password protected posts.
* About page update

Merges [50717] to the 5.3 branch.

Built from https://develop.svn.wordpress.org/branches/5.3@50728


git-svn-id: http://core.svn.wordpress.org/branches/5.3@50337 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/about.php                            | 20 ++++++
 .../class-wp-rest-posts-controller.php        | 61 ++++++++++++++++---
 2 files changed, 74 insertions(+), 7 deletions(-)

diff --git a/wp-admin/about.php b/wp-admin/about.php
index b2cc8c677e..0c5b39eada 100644
--- a/wp-admin/about.php
+++ b/wp-admin/about.php
@@ -51,6 +51,26 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 		<div class="about__section changelog">
 			<div class="column">
 				<h2><?php _e( 'Maintenance and Security Releases' ); ?></h2>
+				<p>
+					<?php
+					printf(
+						/* translators: %s: WordPress version number */
+						__( '<strong>Version %s</strong> addressed some security issues.' ),
+						'5.3.7'
+					);
+					?>
+					<?php
+					printf(
+						/* translators: %s: HelpHub URL */
+						__( 'For more information, see <a href="%s">the release notes</a>.' ),
+						sprintf(
+							/* translators: %s: WordPress version */
+							esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+							sanitize_title( '5.3.7' )
+						)
+					);
+					?>
+				</p>
 				<p>
 					<?php
 					printf(
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
index e2a4224cc6..29795d11bf 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -31,6 +31,14 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 	 */
 	protected $meta;
 
+	/**
+	 * Passwordless post access permitted.
+	 *
+	 * @since 5.7.1
+	 * @var int[]
+	 */
+	protected $password_check_passed = array();
+
 	/**
 	 * Constructor.
 	 *
@@ -144,6 +152,38 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 		return true;
 	}
 
+	/**
+	 * Override the result of the post password check for REST requested posts.
+	 *
+	 * Allow users to read the content of password protected posts if they have
+	 * previously passed a permission check or if they have the `edit_post` capability
+	 * for the post being checked.
+	 *
+	 * @since 5.7.1
+	 *
+	 * @param bool    $required Whether the post requires a password check.
+	 * @param WP_Post $post     The post been password checked.
+	 * @return bool Result of password check taking in to account REST API considerations.
+	 */
+	public function check_password_required( $required, $post ) {
+		if ( ! $required ) {
+			return $required;
+		}
+
+		$post = get_post( $post );
+
+		if ( ! $post ) {
+			return $required;
+		}
+
+		if ( ! empty( $this->password_check_passed[ $post->ID ] ) ) {
+			// Password previously checked and approved.
+			return false;
+		}
+
+		return ! current_user_can( 'edit_post', $post->ID );
+	}
+
 	/**
 	 * Retrieves a collection of posts.
 	 *
@@ -299,7 +339,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 
 		// Allow access to all password protected posts if the context is edit.
 		if ( 'edit' === $request['context'] ) {
-			add_filter( 'post_password_required', '__return_false' );
+			add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
 		}
 
 		$posts = array();
@@ -315,7 +355,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 
 		// Reset filter.
 		if ( 'edit' === $request['context'] ) {
-			remove_filter( 'post_password_required', '__return_false' );
+			remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
 		}
 
 		$page        = (int) $query_args['paged'];
@@ -413,7 +453,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 
 		// Allow access to all password protected posts if the context is edit.
 		if ( 'edit' === $request['context'] ) {
-			add_filter( 'post_password_required', '__return_false' );
+			add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
 		}
 
 		if ( $post ) {
@@ -441,8 +481,14 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 			return false;
 		}
 
-		// Edit context always gets access to password-protected posts.
-		if ( 'edit' === $request['context'] ) {
+		/*
+		 * Users always gets access to password protected content in the edit
+		 * context if they have the `edit_post` meta capability.
+		 */
+		if (
+			'edit' === $request['context'] &&
+			current_user_can( 'edit_post', $post->ID )
+		) {
 			return true;
 		}
 
@@ -1533,8 +1579,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 		$has_password_filter = false;
 
 		if ( $this->can_access_password_content( $post, $request ) ) {
+			$this->password_check_passed[ $post->ID ] = true;
 			// Allow access to the post, permissions already checked before.
-			add_filter( 'post_password_required', '__return_false' );
+			add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 );
 
 			$has_password_filter = true;
 		}
@@ -1568,7 +1615,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 
 		if ( $has_password_filter ) {
 			// Reset filter.
-			remove_filter( 'post_password_required', '__return_false' );
+			remove_filter( 'post_password_required', array( $this, 'check_password_required' ) );
 		}
 
 		if ( rest_is_field_included( 'author', $fields ) ) {