Pods 3.2.2

.gitignore

@@ -38,6 +38,7 @@ $RECYCLE.BIN/
 /vendor/*
 !/vendor/vendor-prefixed/
 npm-debug.log
+pnpm-lock.yaml
 
 # Source maps should just be built locally
 ui/js/pods-ui-ready.min.js.map

.nvmrc

@@ -1 +1 @@
-16.13.2
+16.16.0

changelog.txt

@@ -2,6 +2,27 @@ Found a bug? Have a great feature idea? Get on GitHub and tell us about it and w
 
 Our GitHub has the full list of all prior releases of Pods: https://github.com/pods-framework/pods/releases
 
+= 3.2.2 - June 18th, 2024 =
+
+* Feature: You cna now turn on Taxonomy filters for a Custom Taxonomy so that you see a dropdown filter on the list of posts for any associated post types. (@sc0ttkclark)
+* Added: Pods Templates > Support for comments on post types using Pods Templates using `[each comments]` and `[if comments]`. (@sc0ttkclark)
+* Added: REST API > Add support for determining whether to require person to be logged in to read values for custom fields (default: login not required). (@sc0ttkclark)
+* Added: Automatically redirect to the proper edit URL when going to the Pods Admin > Edit Pods page for a specific pod but `id=XX` is the slug. (@sc0ttkclark)
+* Tweak: Accessibility > Make it easier to copy and paste field names for the Edit Pod screen with a new copy icon you can click. #7291 #7237 (@heybran, @sc0ttkclark)
+* Tweak: Responsive UI > Improved appearance for the Edit Pod screen for smaller screens. (@sc0ttkclark)
+* Fixed: Security hardening > Sanitize HTML before passing into Pods field inputs for paragraph/code/wysiwyg field types to cover additional cases where something could make it past the sanitization process on save. (@sc0ttkclark)
+* Fixed: Accessibility > Add label for color fields in the Pods Blocks API so it shows the label and not just the color input itself. #7306 #7305 (@pdclark)
+* Fixed: Group and field names now generate in the UI as expected. (@sc0ttkclark)
+* Fixed: Compatibility > Date, Date/Time, and Time default values now use single quotes to ensure maximum compatibiltiy with various SQL engines. (@sc0ttkclark)
+* Fixed: Compatibility > More PHP compatibility issues with `trim()` related function usage resolved. (@sc0ttkclark)
+* Fixed: Code quality > Various phpstan/phpcs issues resolved. (@sc0ttkclark)
+
+= 3.2.1.1 - May 8th, 2024 =
+
+*Security Release*
+
+* Security hardening: Enforce safe URLs for Pods form submission confirmation page URLs. Props to the wesley (wcraft) / Wordfence for responsibly reporting this. (@sc0ttkclark) 
+
 = 3.2.1 - March 29th, 2024 =
 
 * Performance: The Advanced Filters popup now uses Autocomplete for relationship fields to improve performance for large itemsets. FYI filters are a feature in the Manage Content UI for Advanced Content Types only. (@sc0ttkclark)

classes/Pods.php

@@ -450,10 +450,9 @@ public function fields( $field_name = null, $option = null ) {
 		 * @since unknown
 		 *
 		 * @param array|\Pods\Whatsit\Field|mixed $field_data The data to be returned for the field / option.
-		 * @param array|\Pods\Whatsit\Field       $field      The field information.
 		 * @param string|null                     $field_name The specific field that data is being return for, if set when method is called or null.
 		 * @param string|null                     $option     Value of option param when method was called. Can be used to get a list of available items from a relationship field.
-		 * @param Pods|object                     $this       The current Pods class instance.
+		 * @param Pods|object                     $obj        The current Pods class instance.
 		 */
 		return apply_filters( 'pods_pods_fields', $field_data, $field_name, $option, $this );
 
@@ -643,8 +642,8 @@ public function field( $name, $single = null, $raw = false ) {
 			 *
 			 * @param string       $output How to output related fields. Default is 'arrays'. Options: ids|names|objects|arrays|pods|find
 			 * @param array|object $row    Current row being outputted.
-			 * @param array        $params Params array passed to field().
-			 * @param Pods         $this   Current Pods object.
+			 * @param object       $params Params array passed to field().
+			 * @param Pods         $obj    Current Pods object.
 			 */
 			$params->output = apply_filters( 'pods_pods_field_related_output_type', 'arrays', $this->data->row, $params, $this );
 		}
@@ -659,7 +658,7 @@ public function field( $name, $single = null, $raw = false ) {
 
 		// Support old $orderby variable.
 		if ( null !== $params->single && is_string( $params->single ) && empty( $params->orderby ) ) {
-			if ( ! class_exists( 'Deprecated_Pod' ) || Deprecated_Pod::$deprecated_notice ) {
+			if ( pods_is_debug_display() ) {
 				pods_deprecated( 'Pods::field', '2.0', 'Use $params[ \'orderby\' ] instead' );
 			}
 
@@ -844,11 +843,20 @@ public function field( $name, $single = null, $raw = false ) {
 		$is_relationship_field_and_not_simple = (
 			! $is_traversal
 			&& $field_data
-			&& ! $field_data instanceof Object_Field
+			&& (
+				! $field_data instanceof Object_Field
+				|| 'comments' === $field_data->get_name()
+			)
 			&& $is_relationship_field
 			&& ! $is_simple_relationship_field
 		);
 
+		$is_object_expanded_relationship_field = (
+			$is_relationship_field
+			&&  $field_data instanceof Object_Field
+			&& 'comments' === $field_data->get_name()
+		);
+
 		// If a relationship is returned from the table as an ID but the parameter is not traversal, we need to run traversal logic.
 		if ( $is_relationship_field_and_not_simple && isset( $this->data->row[ $params->name ] ) && ! is_array( $this->data->row[ $params->name ] ) ) {
 			unset( $this->data->row[ $params->name ] );
@@ -903,7 +911,14 @@ public function field( $name, $single = null, $raw = false ) {
 		} elseif ( empty( $value ) ) {
 			$object_field_found = false;
 
-			if ( 'object_field' === $field_source && ! $is_traversal ) {
+			if (
+				'object_field' === $field_source
+				&& ! $is_traversal
+				&& (
+					! $is_object_expanded_relationship_field
+					|| 'arrays' === $params->output
+				)
+			) {
 				$object_field_found = true;
 
 				if ( isset( $this->data->row[ $first_field ] ) ) {
@@ -948,8 +963,8 @@ public function field( $name, $single = null, $raw = false ) {
 					 * @param array|string|null $value      Value retrieved.
 					 * @param array             $field_data Current field object.
 					 * @param array|object      $row        Current row being outputted.
-					 * @param array             $params     Params array passed to field().
-					 * @param object|Pods       $this       Current Pods object.
+					 * @param object            $params     Params array passed to field().
+					 * @param Pods              $obj        Current Pods object.
 					 */
 					$v = apply_filters( "pods_pods_field_{$field_type}", null, $field_data, $this->row(), $params, $this );
 
@@ -1010,8 +1025,8 @@ public function field( $name, $single = null, $raw = false ) {
 						 *
 						 * @param int    $id            The object ID.
 						 * @param string $metadata_type The object metadata type.
-						 * @param array  $params        Field params
-						 * @param \Pods  $pod           Pods object.
+						 * @param object $params        Field params.
+						 * @param Pods   $obj           Pods object.
 						 */
 						$id = apply_filters( 'pods_pods_field_get_metadata_object_id', $this->id(), $metadata_type, $params, $this );
 
@@ -1798,8 +1813,8 @@ public function field( $name, $single = null, $raw = false ) {
 		 *
 		 * @param array|string|null $value  Value to be returned.
 		 * @param array|object      $row    Current row being outputted.
-		 * @param array             $params Params array passed to field().
-		 * @param object|Pods       $this   Current Pods object.
+		 * @param object            $params Params array passed to field().
+		 * @param Pods              $obj    Current Pods object.
 		 */
 		$value = apply_filters( 'pods_pods_field', $value, $this->row(), $params, $this );
 
@@ -2536,8 +2551,8 @@ public function fetch( $id = null, $explicit_set = true ) {
 		 *
 		 * @since unknown
 		 *
-		 * @param int|string|null $id   Item ID being fetched or null.
-		 * @param object|Pods     $this Current Pods object.
+		 * @param int|string|null $id  Item ID being fetched or null.
+		 * @param Pods            $obj Current Pods object.
 		 */
 		do_action( 'pods_pods_fetch', $id, $this );
 
@@ -2569,8 +2584,8 @@ public function reset( $row = null ) {
 		 *
 		 * @since unknown
 		 *
-		 * @param int|string|null The ID of the row being reset to or null if being reset to the beginning.
-		 * @param object|Pods $this Current Pods object.
+		 * @param int|string|null $row The ID of the row being reset to or null if being reset to the beginning.
+		 * @param Pods            $obj Current Pods object.
 		 */
 		do_action( 'pods_pods_reset', $row, $this );
 
@@ -2625,7 +2640,7 @@ public function total_found( $params = null ) {
 		 *
 		 * @since unknown
 		 *
-		 * @param object|Pods $this Current Pods object.
+		 * @param Pods $obj Current Pods object.
 		 */
 		do_action( 'pods_pods_total_found', $this );
 
@@ -3525,9 +3540,9 @@ public function filters( $params = null ) {
 		 *
 		 * @since unknown
 		 *
-		 * @param string      $output Filter output.
-		 * @param array       $params Params array passed to filters().
-		 * @param object|Pods $this   Current Pods object.
+		 * @param string $output Filter output.
+		 * @param array  $params Params array passed to filters().
+		 * @param Pods   $obj    Current Pods object.
 		 */
 		return apply_filters( 'pods_pods_filters', $output, $params, $this );
 	}
@@ -4281,10 +4296,11 @@ private function process_magic_tags( $tag ) {
 		/**
 		 * Filter the magic tag output for a value.
 		 *
-		 * @param string $value      Magic tag output for value.
-		 * @param string $field_name Magic tag field name.
-		 * @param string $before     Before content.
-		 * @param string $after      After content.
+		 * @param string $value       Magic tag output for value.
+		 * @param string $field_name  Magic tag field name.
+		 * @param string $helper_name The helper name.
+		 * @param string $before      Before content.
+		 * @param string $after       After content.
 		 */
 		$value = apply_filters( 'pods_do_magic_tags', $value, $field_name, $helper_name, $before, $after );
 

classes/PodsAdmin.php

@@ -809,17 +809,15 @@ public function admin_content_settings() {
 	 * Add media button for Pods shortcode
 	 *
 	 * @param string $context Media button context.
-	 *
-	 * @return string
 	 */
 	public function media_button( $context = null ) {
 		if ( ! empty( $_GET['action'] ) && 'elementor' === $_GET['action'] ) {
-			return '';
+			return;
 		}
 
 		// If shortcodes are disabled don't show the button
 		if ( defined( 'PODS_DISABLE_SHORTCODE' ) && PODS_DISABLE_SHORTCODE ) {
-			return '';
+			return;
 		}
 
 		/**
@@ -831,7 +829,7 @@ public function media_button( $context = null ) {
 		 * @since 2.3.19
 		 */
 		if ( ! apply_filters( 'pods_admin_media_button', true, $context ) ) {
-			return '';
+			return;
 		}
 
 		$current_page = basename( $_SERVER['PHP_SELF'] );
@@ -846,7 +844,7 @@ public function media_button( $context = null ) {
 				'post.php',
 			), true
 		) ) {
-			return '';
+			return;
 		}
 
 		add_action( 'admin_footer', array( $this, 'mce_popup' ) );
@@ -880,7 +878,9 @@ public function admin_setup() {
 
 		$pods = $api->load_pods( array( 'fields' => false ) );
 
-		$view = pods_v( 'view', 'get', 'all', true );
+		$id     = pods_v( 'id' );
+		$action = pods_v( 'action' );
+		$view   = pods_v( 'view', 'get', 'all', true );
 
 		// @codingStandardsIgnoreLine
 		if ( empty( $pods ) && ! isset( $_GET['action'] ) ) {
@@ -1395,6 +1395,17 @@ public function admin_setup() {
 			}
 		}
 
+		// Maybe auto-map the slugs to ID when editing.
+		if ( 'edit' === $action && $id && ! is_numeric( $id ) ) {
+			foreach ( $ui['data'] as $check_pod ) {
+				if ( $check_pod['name'] === $id && $check_pod['id'] && is_numeric( $check_pod['id'] ) ) {
+					pods_redirect( pods_query_arg( [ 'id' => (int) $check_pod['id'] ] ) );
+
+					break;
+				}
+			}
+		}
+
 		// Add our custom callouts.
 		$this->handle_callouts_updates();
 
@@ -2034,7 +2045,7 @@ public function get_callouts() {
 		 *
 		 * @since 2.7.17
 		 *
-		 * @param array List of callouts to enable.
+		 * @param array $callouts List of callouts to enable.
 		 */
 		$callouts = apply_filters( 'pods_admin_callouts', $callouts );
 
@@ -3762,13 +3773,9 @@ public function admin_components() {
 	 * Toggle a component on or off
 	 *
 	 * @param PodsUI $ui PodsUI object.
-	 *
-	 * @return bool
 	 */
 	public function admin_components_toggle( $ui ) {
-
-		// @codingStandardsIgnoreLine
-		$component = $_GET['id'];
+		$component = pods_v( 'id' );
 
 		if ( ! empty( PodsInit::$components->components[ $component ]['PluginDependency'] ) ) {
 			$dependency = explode( '|', PodsInit::$components->components[ $component ]['PluginDependency'] );
@@ -4398,13 +4405,31 @@ public function add_rest_settings_tab_fields( $options, $pod ) {
 				'depends-on' => [ 'rest_enable' => true ],
 				'dependency' => true,
 			],
+			'read_all_access'   => [
+				'label'             => __( 'Read All Access', 'pods' ),
+				'help'              => __( 'By default the REST API will allow the fields to be returned for everyone who has access to that endpoint/object. You can also restrict the access of your field based on whether the person is logged in.', 'pods' ),
+				'type'              => 'boolean',
+				'boolean_yes_label' => __( 'Require being logged in to read all field values via REST', 'pods' ),
+				'depends-on'        => [
+					'read_all' => true,
+				],
+			],
 			'write_all'   => [
 				'label'             => __( 'Allow All Fields To Be Updated', 'pods' ),
 				'help'              => __( 'Allow all fields to be updated via the REST API. If unchecked fields must be enabled on a field by field basis.', 'pods' ),
 				'type'              => 'boolean',
 				'default'           => pods_v( 'name', $pod ),
 				'depends-on'        => [ 'rest_enable' => true, 'read_all' => true ],
 			],
+			/*'write_all_access'   => [
+				'label'             => __( 'Write All Access', 'pods' ),
+				'help'              => __( 'By default the REST API will allow the fields to be written by everyone who has access to edit that object. You can also restrict the access of your field based on whether the person is logged in.', 'pods' ),
+				'type'              => 'boolean',
+				'boolean_yes_label' => __( 'Require being logged in to write to all field values via REST', 'pods' ),
+				'depends-on'        => [
+					'write_all' => true,
+				],
+			],*/
 			'rest_api_field_mode'   => [
 				'label'             => __( 'Field Mode', 'pods' ),
 				'help'              => __( 'Specify how you would like your values returned in the REST API responses. If you choose to show Both raw and rendered values then an object will be returned for each field that contains the value and rendered properties.', 'pods' ),
@@ -4476,6 +4501,18 @@ public function add_rest_fields_to_field_editor( $options, $pod ) {
 					'type' => $layout_non_input_field_types,
 				],
 			],
+			'rest_read_access'   => [
+				'label'             => __( 'Read Access', 'pods' ),
+				'help'              => __( 'By default the REST API will allow the fields to be returned for everyone who has access to that endpoint/object. You can also restrict the access of your field based on whether the person is logged in.', 'pods' ),
+				'type'              => 'boolean',
+				'boolean_yes_label' => __( 'Require being logged in to read this field value via REST', 'pods' ),
+				'depends-on'        => [
+					'rest_read' => true,
+				],
+				'excludes-on'       => [
+					'type' => $layout_non_input_field_types,
+				],
+			],
 			'rest_write'         => [
 				'label'       => __( 'Write via REST API', 'pods' ),
 				'help'        => __( 'Should this field be writeable via the REST API? You must enable REST API support for this Pod.', 'pods' ),
@@ -4485,6 +4522,18 @@ public function add_rest_fields_to_field_editor( $options, $pod ) {
 					'type' => $layout_non_input_field_types,
 				],
 			],
+			/*'rest_write_access'   => [
+				'label'             => __( 'Write Access', 'pods' ),
+				'help'              => __( 'By default the REST API will allow the fields to be written by everyone who has access to edit that object. You can also restrict the access of your field based on whether the person is logged in.', 'pods' ),
+				'type'              => 'boolean',
+				'boolean_yes_label' => __( 'Require being logged in to write to this field value via REST', 'pods' ),
+				'depends-on'        => [
+					'rest_write' => true,
+				],
+				'excludes-on'       => [
+					'type' => $layout_non_input_field_types,
+				],
+			],*/
 			'rest_field_options' => [
 				'name'       => 'rest_field_options',
 				'label'      => __( 'Relationship Field Options', 'pods' ),