From 3623a537fa5b960fff210f89cc4dfe623ab6c856 Mon Sep 17 00:00:00 2001 From: Peter Wilson Date: Thu, 15 Apr 2021 01:07:00 +0000 Subject: [PATCH] Grouped merges for 5.5.4. * REST API: Allow authors to read their own password protected posts. * About page update Merges [50717] to the 5.5 branch. Built from https://develop.svn.wordpress.org/branches/5.5@50725 git-svn-id: http://core.svn.wordpress.org/branches/5.5@50334 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/about.php | 20 ++++++ .../class-wp-rest-posts-controller.php | 61 ++++++++++++++++--- wp-includes/version.php | 2 +- 3 files changed, 75 insertions(+), 8 deletions(-) diff --git a/wp-admin/about.php b/wp-admin/about.php index 68fa12422f..a04c923a54 100644 --- a/wp-admin/about.php +++ b/wp-admin/about.php @@ -64,6 +64,26 @@ require_once ABSPATH . 'wp-admin/admin-header.php';

+

+ Version %s addressed some security issues.' ), + '5.5.4' + ); + ?> + the release notes.' ), + sprintf( + /* translators: %s: WordPress version */ + esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ), + sanitize_title( '5.5.4' ) + ) + ); + ?> +

password_check_passed[ $post->ID ] ) ) { + // Password previously checked and approved. + return false; + } + + return ! current_user_can( 'edit_post', $post->ID ); + } + /** * Retrieves a collection of posts. * @@ -315,7 +355,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller { // Allow access to all password protected posts if the context is edit. if ( 'edit' === $request['context'] ) { - add_filter( 'post_password_required', '__return_false' ); + add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 ); } $posts = array(); @@ -331,7 +371,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller { // Reset filter. if ( 'edit' === $request['context'] ) { - remove_filter( 'post_password_required', '__return_false' ); + remove_filter( 'post_password_required', array( $this, 'check_password_required' ) ); } $page = (int) $query_args['paged']; @@ -446,7 +486,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller { // Allow access to all password protected posts if the context is edit. if ( 'edit' === $request['context'] ) { - add_filter( 'post_password_required', '__return_false' ); + add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 ); } if ( $post ) { @@ -474,8 +514,14 @@ class WP_REST_Posts_Controller extends WP_REST_Controller { return false; } - // Edit context always gets access to password-protected posts. - if ( 'edit' === $request['context'] ) { + /* + * Users always gets access to password protected content in the edit + * context if they have the `edit_post` meta capability. + */ + if ( + 'edit' === $request['context'] && + current_user_can( 'edit_post', $post->ID ) + ) { return true; } @@ -1666,8 +1712,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller { $has_password_filter = false; if ( $this->can_access_password_content( $post, $request ) ) { + $this->password_check_passed[ $post->ID ] = true; // Allow access to the post, permissions already checked before. - add_filter( 'post_password_required', '__return_false' ); + add_filter( 'post_password_required', array( $this, 'check_password_required' ), 10, 2 ); $has_password_filter = true; } @@ -1705,7 +1752,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller { if ( $has_password_filter ) { // Reset filter. - remove_filter( 'post_password_required', '__return_false' ); + remove_filter( 'post_password_required', array( $this, 'check_password_required' ) ); } if ( rest_is_field_included( 'author', $fields ) ) { diff --git a/wp-includes/version.php b/wp-includes/version.php index 9ed99baf00..4a64fba90e 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -13,7 +13,7 @@ * * @global string $wp_version */ -$wp_version = '5.5.4-alpha-50722'; +$wp_version = '5.5.4-alpha-50725'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.