<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[56075] trunk: REST API: Check post meta update authorization only when value is changed.</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { white-space: pre-line; overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/56075">56075</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/56075","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>kadamwhite</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2023-06-27 17:24:44 +0000 (Tue, 27 Jun 2023)</dd>
</dl>
<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>REST API: Check post meta update authorization only when value is changed.
Resolves a bug where a post save will be reported as failed if the post includes any meta keys the current user does not have authorization to update, even when those meta values are unchanged.
Write authorization is now checked for a meta key only when the value of that key has changed, so that passing a REST response back unchanged will not cause failures.
Authorization is only needed when data will be updated.
Props ckoerner, TimothyBlynJacobs, spacedmonkey</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpincludesrestapifieldsclasswprestmetafieldsphp">trunk/src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php</a></li>
<li><a href="#trunktestsphpunittestsrestapirestpostmetafieldsphp">trunk/tests/phpunit/tests/rest-api/rest-post-meta-fields.php</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpincludesrestapifieldsclasswprestmetafieldsphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php 2023-06-27 17:22:59 UTC (rev 56074)
+++ trunk/src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php 2023-06-27 17:24:44 UTC (rev 56075)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -368,6 +368,16 @@
</span><span class="cx" style="display: block; padding: 0 10px"> protected function update_meta_value( $object_id, $meta_key, $name, $value ) {
</span><span class="cx" style="display: block; padding: 0 10px"> $meta_type = $this->get_meta_type();
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ // Do the exact same check for a duplicate value as in update_metadata() to avoid update_metadata() returning false.
+ $old_value = get_metadata( $meta_type, $object_id, $meta_key );
+ $subtype = get_object_subtype( $meta_type, $object_id );
+
+ if ( is_array( $old_value ) && 1 === count( $old_value )
+ && $this->is_meta_value_same_as_stored_value( $meta_key, $subtype, $old_value[0], $value )
+ ) {
+ return true;
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( ! current_user_can( "edit_{$meta_type}_meta", $object_id, $meta_key ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error(
</span><span class="cx" style="display: block; padding: 0 10px"> 'rest_cannot_update',
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -380,16 +390,6 @@
</span><span class="cx" style="display: block; padding: 0 10px"> );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- // Do the exact same check for a duplicate value as in update_metadata() to avoid update_metadata() returning false.
- $old_value = get_metadata( $meta_type, $object_id, $meta_key );
- $subtype = get_object_subtype( $meta_type, $object_id );
-
- if ( is_array( $old_value ) && 1 === count( $old_value )
- && $this->is_meta_value_same_as_stored_value( $meta_key, $subtype, $old_value[0], $value )
- ) {
- return true;
- }
-
</del><span class="cx" style="display: block; padding: 0 10px"> if ( ! update_metadata( $meta_type, $object_id, wp_slash( $meta_key ), wp_slash( $value ) ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error(
</span><span class="cx" style="display: block; padding: 0 10px"> 'rest_meta_database_error',
</span></span></pre></div>
<a id="trunktestsphpunittestsrestapirestpostmetafieldsphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/rest-api/rest-post-meta-fields.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/rest-api/rest-post-meta-fields.php 2023-06-27 17:22:59 UTC (rev 56074)
+++ trunk/tests/phpunit/tests/rest-api/rest-post-meta-fields.php 2023-06-27 17:24:44 UTC (rev 56075)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2300,6 +2300,42 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @ticket 57745
+ */
+ public function test_update_meta_with_unchanged_values_and_custom_authentication() {
+ register_post_meta(
+ 'post',
+ 'authenticated',
+ array(
+ 'single' => true,
+ 'type' => 'boolean',
+ 'default' => false,
+ 'show_in_rest' => true,
+ 'auth_callback' => '__return_false',
+ )
+ );
+
+ add_post_meta( self::$post_id, 'authenticated', false );
+
+ $this->grant_write_permission();
+
+ $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/posts/%d', self::$post_id ) );
+ $request->set_body_params(
+ array(
+ 'meta' => array(
+ 'authenticated' => false,
+ ),
+ )
+ );
+
+ $response = rest_get_server()->dispatch( $request );
+ $this->assertSame( 200, $response->get_status() );
+
+ $data = $response->get_data();
+ $this->assertSame( false, $data['meta']['authenticated'] );
+ }
+
+ /**
</ins><span class="cx" style="display: block; padding: 0 10px"> * @ticket 43392
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><span class="cx" style="display: block; padding: 0 10px"> public function test_register_meta_issues_doing_it_wrong_when_show_in_rest_is_true() {
</span></span></pre>
</div>
</div>
</body>
</html>