The REST API treats routes without a permission_callback as public. Because this happens without any warning to the user, if the permission callback is unintentionally omitted or misspelled, the endpoint can end up being available to the public. Such a scenario has happened multiple times in the wild, and the results can be catostrophic when it occurs.
For REST API routes that are intended to be public, it is recommended to set the permission callback to the `__return_true` built in function.
Fixes#50075.
Props rmccue, sorenbronsted, whyisjake, SergeyBiryukov, TimothyBlynJacobs.
Built from https://develop.svn.wordpress.org/trunk@48526
git-svn-id: http://core.svn.wordpress.org/trunk@48288 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- `post_title`,
- `post_content` (image description),
- `post_excerpt` (image caption as saved in the DB),
- `_wp_attachment_image_alt` meta (alt text for the img tag as saved in the DB).
Props spacedmonkey, joedolson, TimothyBlynJacobs, azaozz.
Fixes#50675.
Built from https://develop.svn.wordpress.org/trunk@48510
git-svn-id: http://core.svn.wordpress.org/trunk@48272 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The Content-Disposition and Content-MD5 headers allow for easier file uploading across domains by using a File/Blob object directly. The X-WP-Nonce header is allowed for making cross-origin and same-origin authenticated requests consistent.
Additionally a filter is introduced, "rest_allowed_cors_headers", to simplify the process of allowing additional request headers.
Props rmccue, TimothyBlynJacobs.
Fixes#41696.
Built from https://develop.svn.wordpress.org/trunk@48452
git-svn-id: http://core.svn.wordpress.org/trunk@48221 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [48069] the Block Renderer was changed to register a single route for all dynamic blocks. Validation was dynamically applied based on the requested block, but sanitization was not. This commit adds the same sanitization back to the block attributes.
Props manooweb.
Fixes#50620. See #48079.
Built from https://develop.svn.wordpress.org/trunk@48437
git-svn-id: http://core.svn.wordpress.org/trunk@48206 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `register_meta()` API now officially supports specifying a default metadata value. When `get_metadata()` is called for a meta key that does not yet exist for the object, this default value will be returned instead of an empty string.
A new function is introduced `get_metadata_raw` to retrieve the raw metadata value from the database, without applying the registered default.
Props spacedmonkey, flixos90, rmccue, kadamwhite, mnelson4, johnbillion, chrisvanpatten, TimothyBlynJacobs.
Fixes#43941.
Built from https://develop.svn.wordpress.org/trunk@48402
git-svn-id: http://core.svn.wordpress.org/trunk@48171 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Multi-type schema handling was improved in [48306]. In particular, it now allows for sanitizing a multi-typed value that wouldn't validate. Removing this handling will make 3rd party registered theme features more robust.
Fixes#50562.
Built from https://develop.svn.wordpress.org/trunk@48308
git-svn-id: http://core.svn.wordpress.org/trunk@48077 1a063a9b-81f0-0310-95a4-ce76da25c4cd
To facilitate inline image editing in Gutenberg, a new endpoint at wp/v2/media/<id>/edit has been introduced. This is functionally similar to the existing ajax image editor, however the REST API editor creates a new attachment record instead of updating an existing attachment.
Fixes#44405.
Props ajlende, ellatrix, spacedmonkey, azaozz.
Built from https://develop.svn.wordpress.org/trunk@48291
git-svn-id: http://core.svn.wordpress.org/trunk@48060 1a063a9b-81f0-0310-95a4-ce76da25c4cd
These endpoints facilitate the Block Directory Inserter feature in Gutenberg. Users can now install, activate, deactivate, and delete plugins over the REST API. The block directoryendpoint allows searching for available blocks from the WordPress.org block directory.
Props cklee, talldanwp, noisysocks, joen, soean, youknowriad, dufresnesteven, gziolo, dd32, tellyworth, ryelle, spacedmonkey, TimothyBlynJacobs.
Fixes#50321.
Built from https://develop.svn.wordpress.org/trunk@48242
git-svn-id: http://core.svn.wordpress.org/trunk@48011 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The filter is the callback function added with `add_filter()`, therefore the hook passes a value to the filter, and the filter returns a value to change its behaviour.
The documentation is referring to the latter.
Props johnbillion.
See #49572, #16557.
Built from https://develop.svn.wordpress.org/trunk@48185
git-svn-id: http://core.svn.wordpress.org/trunk@47954 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Currently themes can declare support for a given feature by using add_theme_support(). This commit adds a register_theme_feature() API that allows plugins and WordPress Core to declare a list of available features that themes can support.
The REST API uses this to expose a theme's supported features if the feature has been registered with "show_in_rest" set to true.
Props kadamwhite, spacedmonkey, williampatton, desrosj, TimothyBlynJacobs.
Fixes#49406.
Built from https://develop.svn.wordpress.org/trunk@48171
git-svn-id: http://core.svn.wordpress.org/trunk@47940 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `wp_update_comment_data` filter introduced in 4.7 allows comment data to be filtered before it is updated in the database.
The patch aims to handle `WP_Error` as the filter above return value in a similar manner as is done for `wp_new_comment()`.
Fixes#39732.
Props: enricosorcinelli, swissspidy, gkloveweb, jnylen0, jbpaul17, afercia, SergeyBiryukov, audrasjb, imath, davidbaumwald.
Built from https://develop.svn.wordpress.org/trunk@48154
git-svn-id: http://core.svn.wordpress.org/trunk@47923 1a063a9b-81f0-0310-95a4-ce76da25c4cd
“The WordPress open source community cares about diversity. We strive to maintain a welcoming environment where everyone can feel included.”
With this commit, all occurrences of “whitelist” and “blacklist” (with the single exception of the `$new_whitelist_options` global variable) are removed. A new ticket has been opened to explore renaming the `$new_whitelist_options` variable (#50434).
Changing to more specific names or rewording sentences containing these terms not only makes the code more inclusive, but also helps provide clarity. These terms are often ambiguous. What is being blocked or allowed is not always immediately clear. This can make it more difficult for non-native English speakers to read through the codebase.
Words matter. If one contributor feels more welcome because these terms are removed, this was worth the effort.
Props strangerstudios, jorbin, desrosj, joemcgill, timothyblynjacobs, ocean90, ayeshrajans, davidbaumwald, earnjam.
See #48900, #50434.
Fixes#50413.
Built from https://develop.svn.wordpress.org/trunk@48121
git-svn-id: http://core.svn.wordpress.org/trunk@47890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Currently, only the X-WP-Total and X-WP-TotalPages headers are exposed which means that clients have to manually construct the URL to implement pagination instead of using the "prev" and "next" Links.
Additionally, a filter "rest_exposed_cors_headers" is introduced to make it simpler for plugins to expose additional headers.
Props Toro_Unit, ayeshrajans.
Fixes#50369.
Built from https://develop.svn.wordpress.org/trunk@48112
git-svn-id: http://core.svn.wordpress.org/trunk@47881 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Every block has a different set of attributes. These attributes are specified as a JSON Schema object. Previously, every block registered its own block renderer route using its attributes for the schema. This allowed for the attributes to be validated using the built in endpoint validation rules. It had the unfortunate side effect, however, of creating a large number of nearly identical REST API routes, one for each dynamic block. Each registered route has a performance impact. As the number of server side blocks goes up, this becomes more and more of an issue.
Now, we register a single block renderer route and dynamically validate the attributes based on the selected block.
Fixes#48079.
Props gziolo, TimothyBlynJacobs.
Built from https://develop.svn.wordpress.org/trunk@48069
git-svn-id: http://core.svn.wordpress.org/trunk@47836 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, the REST API would end up deleting each row of metadata and recreating it unnecessarily. This was caused by a type mismatch where the metadata API would always return a string value, and the REST API operated on a typed value.
The REST API now applies the same sanitization and type casting for "multiple" meta keys and "single" meta keys.
Fixes#49339.
Props renathoc.
Built from https://develop.svn.wordpress.org/trunk@47943
git-svn-id: http://core.svn.wordpress.org/trunk@47716 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `$HTTP_RAW_POST_DATA` global was deprecated in PHP 5.6 and removed completely in PHP 7.0. In general, `php://input` should be used instead of `$HTTP_RAW_POST_DATA`.
Because WordPress Core still supports PHP 5.6, some plugins or sites may still rely on this variable being present and populated with the expected data. For that reason, occurrences of the variable will remain with updated inline documentation until support for PHP 5.6 is officially dropped in WordPress.
Props skoskie, jrf, desrosj, TimothyBlynJacobs.
See #49922.
Fixes#49810.
Built from https://develop.svn.wordpress.org/trunk@47926
git-svn-id: http://core.svn.wordpress.org/trunk@47700 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Add new var $valid_schema_properties to match rest_validate_value_from_schema()
* Unit test to ensure all valid properties exists, and non-valid properties are ignored
Fixes: #50301.
Props: pentatonicfunk, TimothyBlynJacobs.
Built from https://develop.svn.wordpress.org/trunk@47911
git-svn-id: http://core.svn.wordpress.org/trunk@47685 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This is the first step to bring support for custom comment types into WordPress.
Add a scheduled upgrade routine to update the type value for existing comments, in batches of 100 at a time.
Props imath, aaroncampbell, jeremyfelt, dshanske.
Fixes#49236.
Built from https://develop.svn.wordpress.org/trunk@47597
git-svn-id: http://core.svn.wordpress.org/trunk@47372 1a063a9b-81f0-0310-95a4-ce76da25c4cd
A request has multiple parameter types, including "query" and "json." Updating a parameter could previously modify a key's value in the wrong parameter type, leading to confusing and self-contradictory response objects.
Props mnelson4, TimothyBlynJacobs, vagios, jnylen0.
Fixes#40838.
Built from https://develop.svn.wordpress.org/trunk@47559
git-svn-id: http://core.svn.wordpress.org/trunk@47334 1a063a9b-81f0-0310-95a4-ce76da25c4cd
r45812 incorrectly introduced a delete_post permissions check into the get_item method, breaking some plugins which requested revisions when generating previews.
Props sorenbronsted, yohannp, TimothyBlynJacobs.
Fixes#49645.
Built from https://develop.svn.wordpress.org/trunk@47547
git-svn-id: http://core.svn.wordpress.org/trunk@47322 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds a missing DocBlock for `::register_routes()` and parameter descriptions for `::post_process_item()`.
Includes minor documenation fixes in other REST API classes for consistency.
Props dkarfa, mukesh27, SergeyBiryukov.
Fixes#48841.
Built from https://develop.svn.wordpress.org/trunk@47391
git-svn-id: http://core.svn.wordpress.org/trunk@47178 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Check a more exhaustive list of post type editing caps beyond "edit_post" to ensure custom user roles with access to to specific post types may still use block editor functionality depending on theme features.
Props miyauchi, TimothyBlynJacobs.
Fixes#46723.
Built from https://develop.svn.wordpress.org/trunk@47361
git-svn-id: http://core.svn.wordpress.org/trunk@47148 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Several filters were introduced to the render_block method since the initial implementation of the block-renderer/ endpoints, causing the output of those endpoints to diverge from the rendered content of blocks on the frontend.
Props kadamwhite, TimothyBlynJacobs, miinasikk.
Fixes#49387.
Built from https://develop.svn.wordpress.org/trunk@47360
git-svn-id: http://core.svn.wordpress.org/trunk@47147 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Following [47260] a namespace such as "test-ns" prevents any namespace such as "test-ns/v1" from being found when matching routes.
While not best practice, this was an unintentional back-compat break; this patch restores the original behavior.
Props david.binda, TimothyBlynJacobs.
Fixes#48530.
Built from https://develop.svn.wordpress.org/trunk@47351
git-svn-id: http://core.svn.wordpress.org/trunk@47138 1a063a9b-81f0-0310-95a4-ce76da25c4cd
All schema types, not just objects, are permitted as the base type of a resource. A future patch could add validation support for those types, but this fix only prevents a PHP warning from being issued.
Props dhavalkasvala, johnwatkins0, birgire.
Fixes#48785.
Built from https://develop.svn.wordpress.org/trunk@47328
git-svn-id: http://core.svn.wordpress.org/trunk@47122 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Although the file is already included via the `::insert_attachment()` method, this addresses an inconsistency and corrects a misleading comment.
It also reduces the possibility of a future error in case `::insert_attachment()` is no longer called earlier in `::create_item()` at some point.
Follow-up to [43850] and [44206].
Props luisrivera.
Fixes#49449.
Built from https://develop.svn.wordpress.org/trunk@47296
git-svn-id: http://core.svn.wordpress.org/trunk@47096 1a063a9b-81f0-0310-95a4-ce76da25c4cd
register_rest_field can be used to add properties to a schema, but no mechanism existed to alter existing properties like "content".
Running the schema through this filter lets plugins append additional sub-properties to existing schema definitions.
Props luisherranz, TimothyBlynJacobs, swissspidy, westonruter, kadamwhite.
Fixes#47779.
Built from https://develop.svn.wordpress.org/trunk@47265
git-svn-id: http://core.svn.wordpress.org/trunk@47065 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fully list which first-party core theme features are supported in the /themes endpoint response. This brings the REST API themes controller's response more in line with the output of get_theme_support().
Props adamboro, apieschel, koke, spacedmonkey, TimothyBlynJacobs.
See #49037.
Built from https://develop.svn.wordpress.org/trunk@47258
git-svn-id: http://core.svn.wordpress.org/trunk@47058 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously the REST API did not account for server configurations where the Authorization header must be added using ModRewrite. This caused major DUX issues when trying to use custom authentication mechanisms.
Fixes#47077.
Props dshanske, cklosows.
Built from https://develop.svn.wordpress.org/trunk@47239
git-svn-id: http://core.svn.wordpress.org/trunk@47039 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously the _embed flag would embed all embeddable links in a response even if only a subset of the links were necessary. Now, a list of link relations can be passed in the _embed parameter to restrict the list of embedded objects.
Props rheinardkorf, adamsilverstein, jnylen0, cklosows, chrisvanpatten, TimothyBlynJacobs.
Fixes#39696.
Built from https://develop.svn.wordpress.org/trunk@47224
git-svn-id: http://core.svn.wordpress.org/trunk@47024 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Store each generated embedded object in a temporary cache when querying for linked resources so that repeated links to the same resource do not trigger repeated queries or processing.
Props TimothyBlynJacobs.
Fixes#48838.
Built from https://develop.svn.wordpress.org/trunk@47138
git-svn-id: http://core.svn.wordpress.org/trunk@46938 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Only query post types with `'show_in_rest' => true` instead of looping over all post types and checking the `show_in_rest` property separately.
* Return from the `foreach()` loop as soon as the permission check succeeded.
Props pbiron, TimothyBlynJacobs, SergeyBiryukov.
Fixes#49118.
Built from https://develop.svn.wordpress.org/trunk@47034
git-svn-id: http://core.svn.wordpress.org/trunk@46834 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Slashing non-string data caused PUT requests containing unmodified meta arrays of integers to fail the check against the existing stored meta value, causing a 500 when posting an unmodified response body back to the server.
Props TimothyBlynJacobs, augustuswm.
Fixes#48264.
Built from https://develop.svn.wordpress.org/trunk@46454
git-svn-id: http://core.svn.wordpress.org/trunk@46252 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Ensures that the ::get_rest_controller() method will always return an instanceof the expected controller class, or null.
Removes unused private static property $post_type_controllers.
Props dlh, TimothyBlynJacobs.
Fixes#45677.
Built from https://develop.svn.wordpress.org/trunk@46435
git-svn-id: http://core.svn.wordpress.org/trunk@46233 1a063a9b-81f0-0310-95a4-ce76da25c4cd