Skip to content
Permalink
Browse files

REST API: Avoid using 'parent' as path argument name for autosaves.

When 'parent' is set as the path argument name, it gets passed down through to the `create_item()` method and can erroneously reset the 'parent' value on the post itself. Instead, we rename the argument to 'id' and replicate the revision controller's `get_items_permissions_check()` to instead reference 'id'.

Also ensures revision query params (of which there are many) aren't exposed as the query params for autosaves (of which there are two).

Props TimothyBlynJacobs.
See #43316.


git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43897 602fd350-edb4-49c9-b593-d223f7449a82
  • Loading branch information...
danielbachhuber committed Nov 15, 2018
1 parent e964c99 commit 4b791ecf5f057b5dd97135f846ef771033ee8532
@@ -79,7 +79,7 @@ public function __construct( $parent_post_type ) {
public function register_routes() {
register_rest_route(
$this->rest_namespace,
'/' . $this->parent_base . '/(?P<parent>[\d]+)/' . $this->rest_base,
'/' . $this->parent_base . '/(?P<id>[\d]+)/' . $this->rest_base,
array(
'args' => array(
'parent' => array(
@@ -90,14 +90,14 @@ public function register_routes() {
array(
'methods' => WP_REST_Server::READABLE,
'callback' => array( $this, 'get_items' ),
'permission_callback' => array( $this->revisions_controller, 'get_items_permissions_check' ),
'permission_callback' => array( $this, 'get_items_permissions_check' ),
'args' => $this->get_collection_params(),
),
array(
'methods' => WP_REST_Server::CREATABLE,
'callback' => array( $this, 'create_item' ),
'permission_callback' => array( $this, 'create_item_permissions_check' ),
'args' => $this->get_endpoint_args_for_item_schema( WP_REST_Server::CREATABLE ),
'args' => $this->parent_controller->get_endpoint_args_for_item_schema( WP_REST_Server::EDITABLE ),
),
'schema' => array( $this, 'get_public_item_schema' ),
)
@@ -143,6 +143,28 @@ protected function get_parent( $parent_id ) {
return $this->revisions_controller->get_parent( $parent_id );
}
/**
* Checks if a given request has access to get autosaves.
*
* @since 5.0.0
*
* @param WP_REST_Request $request Full data about the request.
* @return true|WP_Error True if the request has read access, WP_Error object otherwise.
*/
public function get_items_permissions_check( $request ) {
$parent = $this->get_parent( $request['id'] );
if ( is_wp_error( $parent ) ) {
return $parent;
}
$parent_post_type_obj = get_post_type_object( $parent->post_type );
if ( ! current_user_can( $parent_post_type_obj->cap->edit_post, $parent->ID ) ) {
return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to view autosaves of this post.' ), array( 'status' => rest_authorization_required_code() ) );
}
return true;
}
/**
* Checks if a given request has access to create an autosave revision.
*
@@ -177,7 +199,7 @@ public function create_item( $request ) {
define( 'DOING_AUTOSAVE', true );
}
$post = get_post( $request->get_param( 'id' ) );
$post = get_post( $request['id'] );
if ( is_wp_error( $post ) ) {
return $post;
@@ -245,7 +267,7 @@ public function get_item( $request ) {
* @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
*/
public function get_items( $request ) {
$parent = $this->get_parent( $request->get_param( 'parent' ) );
$parent = $this->get_parent( $request['id'] );
if ( is_wp_error( $parent ) ) {
return $parent;
}
@@ -389,4 +411,17 @@ public function prepare_item_for_response( $post, $request ) {
*/
return apply_filters( 'rest_prepare_autosave', $response, $post, $request );
}
/**
* Retrieves the query params for the autosaves collection.
*
* @since 5.0.0
*
* @return array Collection parameters.
*/
public function get_collection_params() {
return array(
'context' => $this->get_context_param( array( 'default' => 'view' ) ),
);
}
}
@@ -13,13 +13,18 @@
class WP_Test_REST_Autosaves_Controller extends WP_Test_REST_Post_Type_Controller_Testcase {
protected static $post_id;
protected static $page_id;
protected static $draft_page_id;
protected static $autosave_post_id;
protected static $autosave_page_id;
protected static $editor_id;
protected static $contributor_id;
protected static $parent_page_id;
protected static $child_page_id;
protected static $child_draft_page_id;
protected function set_post_data( $args = array() ) {
$defaults = array(
'title' => 'Post Title',
@@ -76,6 +81,25 @@ public static function wpSetUpBeforeClass( $factory ) {
)
);
self::$draft_page_id = $factory->post->create( array(
'post_type' => 'page',
'post_status' => 'draft',
) );
self::$parent_page_id = $factory->post->create( array(
'post_type' => 'page',
) );
self::$child_page_id = $factory->post->create( array(
'post_type' => 'page',
'post_parent' => self::$parent_page_id,
) );
self::$child_draft_page_id = $factory->post->create( array(
'post_type' => 'page',
'post_parent' => self::$parent_page_id,
// The "update post" behavior of the autosave endpoint only occurs
// when saving a draft/auto-draft authored by the current user.
'post_status' => 'draft',
'post_author' => self::$editor_id,
) );
}
public static function wpTearDownAfterClass() {
@@ -96,9 +120,9 @@ public function setUp() {
public function test_register_routes() {
$routes = rest_get_server()->get_routes();
$this->assertArrayHasKey( '/wp/v2/posts/(?P<parent>[\d]+)/autosaves', $routes );
$this->assertArrayHasKey( '/wp/v2/posts/(?P<id>[\d]+)/autosaves', $routes );
$this->assertArrayHasKey( '/wp/v2/posts/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)', $routes );
$this->assertArrayHasKey( '/wp/v2/pages/(?P<parent>[\d]+)/autosaves', $routes );
$this->assertArrayHasKey( '/wp/v2/pages/(?P<id>[\d]+)/autosaves', $routes );
$this->assertArrayHasKey( '/wp/v2/pages/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)', $routes );
}
@@ -119,6 +143,18 @@ public function test_context_param() {
$this->assertEqualSets( array( 'view', 'edit', 'embed' ), $data['endpoints'][0]['args']['context']['enum'] );
}
public function test_registered_query_params() {
$request = new WP_REST_Request( 'OPTIONS', '/wp/v2/posts/' . self::$post_id . '/autosaves' );
$response = $this->server->dispatch( $request );
$data = $response->get_data();
$keys = array_keys( $data['endpoints'][0]['args'] );
sort( $keys );
$this->assertEquals( array(
'context',
'parent',
), $keys );
}
public function test_get_items() {
wp_set_current_user( self::$editor_id );
$request = new WP_REST_Request( 'GET', '/wp/v2/posts/' . self::$post_id . '/autosaves' );
@@ -517,4 +553,40 @@ public function test_get_item_sets_up_postdata() {
$this->assertEquals( $parent_post_id, self::$post_id );
}
public function test_update_item_draft_page_with_parent() {
wp_set_current_user( self::$editor_id );
$request = new WP_REST_Request( 'POST', '/wp/v2/pages/' . self::$child_draft_page_id . '/autosaves' );
$request->add_header( 'content-type', 'application/x-www-form-urlencoded' );
$params = $this->set_post_data(
array(
'id' => self::$child_draft_page_id,
'author' => self::$editor_id,
)
);
$request->set_body_params( $params );
$response = rest_get_server()->dispatch( $request );
$data = $response->get_data();
$this->assertEquals( self::$child_draft_page_id, $data['id'] );
$this->assertEquals( self::$parent_page_id, $data['parent'] );
}
public function test_schema_validation_is_applied() {
wp_set_current_user( self::$editor_id );
$request = new WP_REST_Request( 'POST', '/wp/v2/pages/' . self::$draft_page_id . '/autosaves' );
$request->add_header( 'content-type', 'application/x-www-form-urlencoded' );
$params = $this->set_post_data( array(
'id' => self::$draft_page_id,
'comment_status' => 'garbage',
) );
$request->set_body_params( $params );
$response = rest_get_server()->dispatch( $request );
$this->assertNotEquals( 'garbage', get_post( self::$draft_page_id )->comment_status );
}
}
@@ -89,19 +89,19 @@ public function test_expected_routes_in_schema() {
'/wp/v2/posts/(?P<id>[\\d]+)',
'/wp/v2/posts/(?P<parent>[\\d]+)/revisions',
'/wp/v2/posts/(?P<parent>[\\d]+)/revisions/(?P<id>[\\d]+)',
'/wp/v2/posts/(?P<parent>[\\d]+)/autosaves',
'/wp/v2/posts/(?P<id>[\\d]+)/autosaves',
'/wp/v2/posts/(?P<parent>[\\d]+)/autosaves/(?P<id>[\\d]+)',
'/wp/v2/pages',
'/wp/v2/pages/(?P<id>[\\d]+)',
'/wp/v2/pages/(?P<parent>[\\d]+)/revisions',
'/wp/v2/pages/(?P<parent>[\\d]+)/revisions/(?P<id>[\\d]+)',
'/wp/v2/pages/(?P<parent>[\\d]+)/autosaves',
'/wp/v2/pages/(?P<id>[\\d]+)/autosaves',
'/wp/v2/pages/(?P<parent>[\\d]+)/autosaves/(?P<id>[\\d]+)',
'/wp/v2/media',
'/wp/v2/media/(?P<id>[\\d]+)',
'/wp/v2/blocks',
'/wp/v2/blocks/(?P<id>[\d]+)',
'/wp/v2/blocks/(?P<parent>[\d]+)/autosaves',
'/wp/v2/blocks/(?P<id>[\d]+)/autosaves',
'/wp/v2/blocks/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)',
'/wp/v2/types',
'/wp/v2/types/(?P<type>[\\w-]+)',

0 comments on commit 4b791ec

Please sign in to comment.
You can’t perform that action at this time.