The REST API treats routes without a permission_callback as public. Because this happens without any warning to the user, if the permission callback is unintentionally omitted or misspelled, the endpoint can end up being available to the public. Such a scenario has happened multiple times in the wild, and the results can be catastrophic when it occurs.
For REST API routes that are intended to be public, it is recommended to set the permission callback to the `__return_true` built-in function.
Fixes #50075.
Props rmccue, sorenbronsted, whyisjake, SergeyBiryukov, TimothyBlynJacobs.
Built from https://develop.svn.wordpress.org/trunk@48526
git-svn-id: http://core.svn.wordpress.org/trunk@48288 1a063a9b-81f0-0310-95a4-ce76da25c4cd
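The following is an added example, not WordPress core code and not part of the commit above: it registers three hypothetical `example/v1` routes (one explicitly public, one capability-checked, one with the key misspelled as the message describes) and lists every registered route whose handler has no `permission_callback`. All `example_*` names and routes are assumptions, and the code must run with WordPress loaded.

```php
<?php
// Added example: hypothetical routes under the constructed namespace 'example/v1'.
add_action( 'rest_api_init', function () {
	$ok = function () {
		return array( 'ok' => true );
	};

	// Intentionally public: say so explicitly with __return_true.
	register_rest_route( 'example/v1', '/status', array(
		'methods'             => 'GET',
		'callback'            => $ok,
		'permission_callback' => '__return_true',
	) );

	// Restricted: only users with the manage_options capability may call it.
	register_rest_route( 'example/v1', '/settings', array(
		'methods'             => 'POST',
		'callback'            => $ok,
		'permission_callback' => function () {
			return current_user_can( 'manage_options' );
		},
	) );

	// Misspelled key: it is ignored, so this route is served to anyone.
	register_rest_route( 'example/v1', '/export', array(
		'methods'            => 'GET',
		'callback'           => $ok,
		'permission_calback' => '__return_false',
	) );
} );

// Hypothetical audit helper: returns handlers that skip the permission check.
function example_find_routes_without_permission_callback() {
	$unprotected = array();
	foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
		foreach ( $handlers as $handler ) {
			// A missing or empty callback means no permission check is run.
			if ( empty( $handler['permission_callback'] ) ) {
				$unprotected[] = array(
					'route'   => $route,
					'methods' => implode( ',', array_keys( $handler['methods'] ) ),
				);
			}
		}
	}
	return $unprotected;
}
```

The result includes `/example/v1/export` but not `/status` or `/settings`; every other route it reports needs a decision on whether it is meant to be public.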
The REST API plugin installation tests use the `upgrader_pre_download` filter to avoid downloading the test plugin from WordPress.org. Previously, this would apply to any upgrader, which caused issues if the testing environment required a language update.
Now, the filter only overwrites the file if the `Plugin_Upgrader` is being used, which should hopefully prevent the issue.
Props pfefferle, TimothyBlynJacobs.
Fixes #50671.
Built from https://develop.svn.wordpress.org/trunk@48524
git-svn-id: http://core.svn.wordpress.org/trunk@48286 1a063a9b-81f0-0310-95a4-ce76da25c4cd
If sitemaps are disabled, previously there would be a rewrite rule for the sitemap endpoint. This endpoint would display the homepage since there was a rewrite rule. Now, Sitemaps are loaded, and the proper HTTP headers are returned.
Fixes #50643.
Props swissspidy, kraftbj, donmhico.
Built from https://develop.svn.wordpress.org/trunk@48523
git-svn-id: http://core.svn.wordpress.org/trunk@48285 1a063a9b-81f0-0310-95a4-ce76da25c4cd
It doesn't make sense to be able to filter the comments list table when there are no (trashed/spam) comments available.
Fixes #40188.
Props swissspidy, Jim_Panse, menakas, akbarhusen429, dinhtungdu, birgire, SergeyBiryukov, davidbaumwald, rebasaurus, whyisjake.
Built from https://develop.svn.wordpress.org/trunk@48521
git-svn-id: http://core.svn.wordpress.org/trunk@48283 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- `post_title`,
- `post_content` (image description),
- `post_excerpt` (image caption as saved in the DB),
- `_wp_attachment_image_alt` meta (alt text for the img tag as saved in the DB).
Props spacedmonkey, joedolson, TimothyBlynJacobs, azaozz.
Fixes #50675.
Built from https://develop.svn.wordpress.org/trunk@48510
git-svn-id: http://core.svn.wordpress.org/trunk@48272 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [48456], database import and export icons were introduced. However, the arrows were pointing in the wrong directions. This reverses the arrows to be pointing correctly based on the action described in the name.
Props johnbillion, joen, desrosj, empireoflight.
Fixes #49913.
Built from https://develop.svn.wordpress.org/trunk@48506
git-svn-id: http://core.svn.wordpress.org/trunk@48268 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The order of parameters in `get_metadata_default()` did not match the signature of `get_metadata()`. This could be confusing for developers who are familiar with the existing metadata API.
Fixes #43941.
Props SergeyBiryukov, spacedmonkey, johnjamesjacoby.
Built from https://develop.svn.wordpress.org/trunk@48502
git-svn-id: http://core.svn.wordpress.org/trunk@48264 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When `wp_count_posts()` is cached, it does so with all statuses defaulted to 0. The problem is, however, if this is called before all plugins have registered their desired statuses, they won't have that default.
Fixes #49685.
Props obliviousharmony, SergeyBiryukov.
Built from https://develop.svn.wordpress.org/trunk@48497
git-svn-id: http://core.svn.wordpress.org/trunk@48259 1a063a9b-81f0-0310-95a4-ce76da25c4cd
WordPress Core comes by default with a number of block patterns and a frequent request was to be able to opt-out of the Core block patterns.
You can now opt-out using `remove_theme_support( 'core-block-patterns' )`.
Props desrosj, nosolosw.
Fixes #50669.
Built from https://develop.svn.wordpress.org/trunk@48492
git-svn-id: http://core.svn.wordpress.org/trunk@48254 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Move default term assignment from `wp_set_object_terms()` to `wp_insert_post()`.
* Make sure the passed taxonomy list overwrites the existing list if not empty.
* Remove the default term option on `unregister_taxonomy()`.
* Prevent deletion of the default term in `wp_delete_term()`.
Props enrico.sorcinelli, TimothyBlynJacobs.
See #43517.
Built from https://develop.svn.wordpress.org/trunk@48480
git-svn-id: http://core.svn.wordpress.org/trunk@48249 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change renames `$new_whitelist_options` to `$new_allowed_options`. This makes the variable’s purpose more clear, and promotes using more inclusive language.
For backwards compatibility, the new variable is passed by reference to the old one.
Follow up to [48121].
Props ayeshrajans, desrosj, jorbin, SergeyBiryukov.
See #50413.
Fixes #50434.
Built from https://develop.svn.wordpress.org/trunk@48477
git-svn-id: http://core.svn.wordpress.org/trunk@48246 1a063a9b-81f0-0310-95a4-ce76da25c4cd
If there are no pages and no static homepage, there will still be one sitemap including the homepage URL.
This change ensures that this sitemap is correctly listed in the sitemap index.
Props Chouby, pacifika, elrae.
Fixes #50571.
Built from https://develop.svn.wordpress.org/trunk@48476
git-svn-id: http://core.svn.wordpress.org/trunk@48245 1a063a9b-81f0-0310-95a4-ce76da25c4cd