From 120f9b9eae925ca42efefd147ba7a65814def822 Mon Sep 17 00:00:00 2001
From: audrasjb
Date: Mon, 25 Apr 2022 12:57:09 +0000
Subject: [PATCH] Users: Make sure `WP_User_Query` can be filtered using the `fields` parameter. This change ensures the `fields` parameter is taken into account when running `WP_User_Query` by fixing the conditional statement used to process the `fields` param. Props rilwis, peterwilsoncc, NomNom99, hellofromTonya, audrasjb, rilwis, Boniu91. Fixes #53177. Built from https://develop.svn.wordpress.org/trunk@53255 git-svn-id: http://core.svn.wordpress.org/trunk@52844 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/class-wp-user-query.php | 15 +++++++++++++--
 wp-includes/version.php | 2 +-
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/wp-includes/class-wp-user-query.php b/wp-includes/class-wp-user-query.php
index a757e38e20..6d88b4a855 100644
--- a/wp-includes/class-wp-user-query.php
+++ b/wp-includes/class-wp-user-query.php
@@ -274,6 +274,16 @@ class WP_User_Query {
 $qv =& $this->query_vars;
 $qv = $this->fill_query_vars( $qv );
+ $allowed_fields = array(
+ 'ID',
+ 'display_name',
+ 'user_login',
+ 'user_nicename',
+ 'user_email',
+ 'user_url',
+ 'user_registered',
+ );
+
 if ( is_array( $qv['fields'] ) ) {
 $qv['fields'] = array_unique( $qv['fields'] );
@@ -283,10 +293,11 @@ class WP_User_Query {
 $this->query_fields[] = "$wpdb->users.$field";
 }
 $this->query_fields = implode( ',', $this->query_fields );
- } elseif ( 'all' === $qv['fields'] ) {
+ } elseif ( ! in_array( $qv['fields'], $allowed_fields, true ) ) {
 $this->query_fields = "$wpdb->users.*";
 } else {
- $this->query_fields = "$wpdb->users.ID";
+ $field = 'ID' === $qv['fields'] ? 'ID' : sanitize_key( $qv['fields'] );
+ $this->query_fields = "$wpdb->users.$field";
 }
 if ( isset( $qv['count_total'] ) && $qv['count_total'] ) {
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 681a09b7f2..1245df22f0 100644
--- a/wp-includes/version.php
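Review bot: The `is_array( $qv['fields'] )` branch never consults the `$allowed_fields` list added at the top of this hunk, so the allowlist guards only the scalar case handled in the next hunk. The loop that fills `$this->query_fields[]` lies between the two hunks and is not shown, so any sanitising it does is not visible here, but a caller-supplied name that is not a listed column would still be interpolated into `"$wpdb->users.$field"`. Narrowing the array first, for example `$qv['fields'] = array_intersect( array_unique( $qv['fields'] ), $allowed_fields );`, would make both branches enforce the same set. A one-line comment above the array, such as `// Columns of the users table that callers may select through 'fields'.`, would also record that the list is a security boundary and not just a convenience.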
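Review bot: The new `elseif` sends every string that is not in `$allowed_fields` to `"$wpdb->users.*"`, where the removed code selected only `ID` for anything other than `'all'`. A near miss such as a lower-case `id`, or any other unsupported value, now selects the whole row; whether later result handling narrows that again is outside this hunk, so this may be harmless, but an explicit `'all' === $qv['fields']` test with a narrow default would fail closed. Separately, in the final `else` the value has already passed a strict `in_array()` against the list, and `sanitize_key()` leaves each listed name unchanged, so the `'ID' === ... ? 'ID' : sanitize_key( ... )` step reads as if the allowlist were not trusted. `$this->query_fields = "$wpdb->users.{$qv['fields']}";` with a comment that the value is allowlisted would state the intent directly.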
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.0-beta2-53254';
+$wp_version = '6.0-beta2-53255';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.