* `wp_ajax_get_comments()` relies on the `$post_id` global - even though `$_POST['p']` is passed to every action in the test methods. If `$post_id` is still lingering in between tests and doesn't match `p` in the request, the cap check might pass while the queries for comments will blow up. I added `unset( $GLOBALS['post_id'] )` to `Tests_Ajax_GetComments::setUp()`.
* If the global `$post_id` is empty, but `$_REQUEST['p']` is not, `$post_id` is now set to `absint( $_REQUEST['p'] )` and sanity-checked in `wp_ajax_get_comments()`.
* `map_meta_cap()` always assumes that `get_comment()` succeeds when checking for the `edit_comment` cap. It doesn't. I added sanity checks in a few places where it will break early if `get_post()` or `get_comment()` are empty.
* `wp_update_comment()` always assumes `get_comment()` succeeds. It doesn't. I added a check for empty.
All AJAX unit tests run and pass in debug mode. All general unit tests pass against these changes.
Fixes#25282.
Built from https://develop.svn.wordpress.org/trunk@25438
git-svn-id: http://core.svn.wordpress.org/trunk@25360 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* There are several places where a `$_POST` index was unchecked before setting a variable
* In `wp_notify_postauthor()`, `$comment` was being returned null, but its properties were being accessed.
* In `check_ajax_referer()`, 3 different values can be checked for nonce on `$_REQUEST`, but only 1 had an `isset()`
See #25282.
Built from https://develop.svn.wordpress.org/trunk@25433
git-svn-id: http://core.svn.wordpress.org/trunk@25355 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Eliminates the bloated Revisions meta box in favor of 'Revisions: #' in the publish box.
* Adds ability to compare autosave to current post, when revisions are disabled.
* Makes autosaves stand out visually, including "Restore This Autosave".
Also:
* Adds missing capability check for restoring a revision.
* When no revision matches the post's current modified time, avoid marking an autosave as 'current'.
* Fixes wp_get_post_autosave() to return an autosave even when revisions are disabled.
* Add 'check_enabled' arg to wp_get_post_revisions(); false avoids the wp_revisions_enabled() check.
* Adds a responsive slider that is narrower for fewer versions. props markjaquith.
see #24804.
git-svn-id: http://core.svn.wordpress.org/trunk@24790 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Loading indicator when the user is waiting for a trip to the server.
* Bug fixes for diff priming.
* Fix the date display.
* Forget about local comparator, instead order by `modified` on the server.
* Initialize the frame model before the view (this was the source of a LOT of heartache).
git-svn-id: http://core.svn.wordpress.org/trunk@24667 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Update the heartbeat nonce when refreshing nonces on the Edit Post screen.
- After a user logs in from the auth-check dialog, speed up heatrbeat to check/refresh nonces on the Edit Post screen.
- Speeding up heartbeat: bring back the setting how long it should last (how many ticks).
- Add 'heartbeat-nonces-expired' jQuery event when nonces have expired and the user is logged in.
See #23295, see #23216.
git-svn-id: http://core.svn.wordpress.org/trunk@24528 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Much simpler PHP API
* Cleaner and more Backbone-y JS API
* Consequently, does batch queries; this now scales up to hundreds of revisions
Currently missing, but much easier considering the cleaned up base:
* Compare two mode
* RTL
props koopersmith, nacin, adamsilverstein, ocean90. see #24425
git-svn-id: http://core.svn.wordpress.org/trunk@24520 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Move nonces refreshing from autosave to lock checking.
- Do autosave only when there is something to save.
See #23295
git-svn-id: http://core.svn.wordpress.org/trunk@24209 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Refines the UI to make it clearer and easier to use
* Introduces weighted tickmarks
* Fixes comparison bugs.
See #23497 props adamsilverstein
git-svn-id: http://core.svn.wordpress.org/trunk@23769 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Various Updates including:
* i18n fixes
* Added tracking of what revision ID was restored
* async fetching of diffs so that slider works sooner even with many revisions
See #23497 props adamsilverstein, ethitter
git-svn-id: http://core.svn.wordpress.org/trunk@23639 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This implements a new revisions ui using Backbone and preserves all the old methods of "integration" so the change should be transparent to plugins using revisi
ons with CPTs.
This is the first pass and so there are a number of things still to be resolved, more details in the ticket. Feedback welcomed.
git-svn-id: http://core.svn.wordpress.org/trunk@23506 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.
Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.
Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.
Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.
Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.
Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.
Plugins should use wp_unslash() on data being passed to core API.
Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.
Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.
Remove many no longer necessary calls to $wpdb->escape() and esc_sql().
In wp_get_referer() and wp_get_original_referer(), return unslashed data.
Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.
Switch several queries over to prepare().
Expect something to break.
Props alexkingorg
see #21767
git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
We tried in vain -- a noble but ultimately failed effort -- to reduce the number of fields for attachments from four (title, caption, alt, description) to one (caption for images, title otherwise). Alternative text needed to stay for accessibility reasons, of course.
Eventually title returned due to heavy plugin reliance. Description is too used by too many plugins (often times incorrectly -- the caption is more likely the proper field), hence its less-than-triumphant return today.
Version 3.5 has tried to streamline media in a number of ways. Removing fields may have been too much at once, as it forced not only a user interface change, but a paradigm change as well.
Finally, on upload we populate the description field with IPTC/EXIF captions, rather than the caption field. See #22768, this should be fixed. For now, Description stays.
This commit also restores 'Title' attribute editing to the main tab of the Edit Image dialog. The "Title" field no longer populates title attributes for <img> tags by design (for accessibility and other purposes, see #18984). So, here is a more obvious 'workaround' for the tooltip community.
Finally, this:
* Cleans up the post.php attachment editor, including by showing a prettier form of the mime type.
* Enables plugins to specifically hide attachment_fields_to_edit from either post.php (where you can create meta boxes) or the modal (which you may not want to clutter), for compatibility reasons.
* Hides the 'Describe this file...' placeholder when a field is read-only in the modal.
props nacin, helenyhou.
fixes#22759.
git-svn-id: http://core.svn.wordpress.org/trunk@23083 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Most users don't realize that the Featured Image meta box exists; if they do, few use it.
Restores the old meta box UI, including the admin_post_thumbnail_html filter. If a plugin is using _wp_post_thumbnail_html() in conjunction with Thickbox elsewhere, it will also magically still work.
Specific underlying changes:
* Converts the modal view to use the view manager, which means that a call to open() will automatically call render and attach if necessary.
* Doesn't automatically set a state in wp.media, to allow code to customize the states to be added before activation.
props koopersmith.
fixes#21776.
git-svn-id: http://core.svn.wordpress.org/trunk@22979 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This functionality is designed to be backwards compatible with manual querying for attachments by menu_order.
props koopersmith.
see #22607.
git-svn-id: http://core.svn.wordpress.org/trunk@22967 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The difference is the content type: application/json (which jQuery deserializes automatically for us) and the default text/html.
jQuery correctly handles application/json requests for IE, so we can continue to use the wp_send_json_* handlers elsewhere. Plupload rolls its own requests and does not handle application/json correctly. So, keep the standard text/html content type on upload-attachment.
props koopersmith.
see #22446.
git-svn-id: http://core.svn.wordpress.org/trunk@22845 1a063a9b-81f0-0310-95a4-ce76da25c4cd
We are de-emphasising attaching (see [22630]) but this is existing
core functionality and will remain for now. This commit just cleans
it up a bit so as to be less embarrassing.
props lessbloat, helenyhou.
fixes#20164.
git-svn-id: http://core.svn.wordpress.org/trunk@22723 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Adds a `describe` option to the workflow controller to support inline caption editing.
* For images, descriptions are mapped to the `caption` attribute.
* For other media items, descriptions are mapped to the `title` attribute.
* Descriptions are saved when the textarea's `change` event fires (i.e. when the textarea is blurred).
fixes#21807, see #21390.
git-svn-id: http://core.svn.wordpress.org/trunk@22173 1a063a9b-81f0-0310-95a4-ce76da25c4cd
'''Galleries'''
* Gallery insertion from the new media modal (into TinyMCE, the text editor, etc).
* Gallery previews in TinyMCE now use the `wp.mce.views` API.
* Disables the TinyMCE `wpgallery` plugin.
* Gallery previews consist of the first image of the gallery and the appearance of a stack. This will later be fleshed out to include more images/functionality (including editing the gallery, gallery properties, and showing the number of images in the gallery).
* Multiple galleries can be added to a single post.
* The gallery MCE view provides a bridge between the `wp.shortcode` and `Attachments` representation of a gallery, which allows the existing collection to persist when a gallery is initially created (preventing a request to the server for the query).
'''Shortcodes'''
* Renames `wp.shortcode.Match` to `wp.shortcode` to better expose the shortcode constructor.
* The `wp.shortcode` constructor now accepts an object of options instead of a `wp.shortcode.regexp()` match.
* A `wp.shortcode` instance can be created from a `wp.shortcode.regexp()` match by calling `wp.shortcode.fromMatch( match )`.
* Adds `wp.shortcode.string()`, which takes a set of shortcode parameters and converts them into a string.* Renames `wp.shortcode.prototype.text()` to `wp.shortcode.prototype.string()`.
* Adds an additional capture group to `wp.shortcode.regexp()` that records whether or not the shortcode has a closing tag. This allows us to improve the accuracy of the syntax used when transforming a shortcode object back into a string.
'''Media Models'''
* Prevents media `Query` models from observing the central `Attachments.all` object when query args without corresponding filters are set (otherwise, queries quickly amass false positives).
* Adds `post__in`, `post__not_in`, and `post_parent` as acceptable JS attachment `Query` args.
* `Attachments.more()` always returns a `$.promise` object.
see #21390, #21809, #21812, #21815, #21817.
git-svn-id: http://core.svn.wordpress.org/trunk@22120 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Moves the uploading Attachments queue from the media workspace view to the uploader itself. This ensures that all attachments are added to the central attachmnet store.
Updates wp.Uploader to pass Attachment models to callbacks instead of Plupload file objects. Attachments in the process of uploading have a reference to the file object (which can be fetched by calling `attachment.get('file');`).
Also updates the customizer to be compatible with the API changes.
git-svn-id: http://core.svn.wordpress.org/trunk@21814 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Return WP_Post from get_default_post_to_edit()
Replace all calls to get_page() with get_post()
see #21309
git-svn-id: http://core.svn.wordpress.org/trunk@21597 1a063a9b-81f0-0310-95a4-ce76da25c4cd