From 011e0b99a168745b3e10bdc8df27cf07c98418f8 Mon Sep 17 00:00:00 2001 From: Ryan McCue Date: Wed, 2 Nov 2016 03:36:40 +0000 Subject: [PATCH] REST API: Only expose formats supported by the current theme. While it's valid to save any format to the database, and WordPress is totally fine with that, we should only include the formats specified by the theme in the schema. Props danielbachhuber. Fixes #38610. git-svn-id: https://develop.svn.wordpress.org/trunk@39084 602fd350-edb4-49c9-b593-d223f7449a82 --- .../class-wp-rest-posts-controller.php | 3 +- .../tests/rest-api/rest-posts-controller.php | 49 +++++++++++++++++++ 2 files changed, 51 insertions(+), 1 deletion(-) diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php index e5d623705b..7c801a4c44 100644 --- a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php +++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php @@ -1923,10 +1923,11 @@ class WP_REST_Posts_Controller extends WP_REST_Controller { break; case 'post-formats': + $supports_formats = get_theme_support( 'post-formats' ); $schema['properties']['format'] = array( 'description' => __( 'The format for the object.' ), 'type' => 'string', - 'enum' => array_values( get_post_format_slugs() ), + 'enum' => $supports_formats ? array_values( $supports_formats[0] ) : array(), 'context' => array( 'view', 'edit' ), ); break; diff --git a/tests/phpunit/tests/rest-api/rest-posts-controller.php b/tests/phpunit/tests/rest-api/rest-posts-controller.php index 73864e9f57..d941f22d6a 100644 --- a/tests/phpunit/tests/rest-api/rest-posts-controller.php +++ b/tests/phpunit/tests/rest-api/rest-posts-controller.php 
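Review bot: The new `enum` expression in the `post-formats` case indexes `$supports_formats[0]` on any truthy return from `get_theme_support()`, but that value is only a nested array when the theme passed a format list; if support was registered without arguments it is presumably `true`, and `array_values()` then receives a non-array. The tests added in this commit expect an unsupported format to be rejected with `rest_invalid_param`, so this enum appears to act as the allow-list for `format`, and its shape is worth guarding: `'enum' => ( is_array( $supports_formats ) && is_array( $supports_formats[0] ) ) ? array_values( $supports_formats[0] ) : array(),`. It is also worth confirming whether `standard` should be in the list, since the `array()` fallback would reject every format value a client sends. The enclosing switch and method start and end outside the hunk.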
@@ -16,6 +16,8 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te protected static $author_id; protected static $contributor_id; + protected static $supported_formats; + public static function wpSetUpBeforeClass( $factory ) { self::$post_id = $factory->post->create(); @@ -28,9 +30,20 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te self::$contributor_id = $factory->user->create( array( 'role' => 'contributor', ) ); + + // Only support 'post' and 'gallery' + self::$supported_formats = get_theme_support( 'post-formats' ); + add_theme_support( 'post-formats', array( 'post', 'gallery' ) ); } public static function wpTearDownAfterClass() { + // Restore theme support for formats. + if ( self::$supported_formats ) { + add_theme_support( 'post-formats', self::$supported_formats ); + } else { + remove_theme_support( 'post-formats' ); + } + wp_delete_post( self::$post_id, true ); self::delete_user( self::$editor_id ); @@ -1078,6 +1091,24 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te $this->assertErrorResponse( 'rest_invalid_param', $response, 400 ); } + /** + * Test with a valid format, but one unsupported by the theme. + * + * https://core.trac.wordpress.org/ticket/38610 + */ + public function test_create_post_with_unsupported_format() { + wp_set_current_user( self::$editor_id ); + + $request = new WP_REST_Request( 'POST', '/wp/v2/posts' ); + $params = $this->set_post_data( array( + 'format' => 'link', + ) ); + $request->set_body_params( $params ); + $response = $this->server->dispatch( $request ); + + $this->assertErrorResponse( 'rest_invalid_param', $response, 400 ); + } + public function test_create_update_post_with_featured_media() { $file = DIR_TESTDATA . '/images/canola.jpg'; 
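Review bot: In `wpTearDownAfterClass()` the restore call `add_theme_support( 'post-formats', self::$supported_formats );` passes back the whole value returned by `get_theme_support()`, while the controller change in this same commit reads the format list from index `[0]` of that return value, so the restored support looks nested one level too deep and could leak a broken configuration into later test classes. Restoring with `add_theme_support( 'post-formats', self::$supported_formats[0] );` would round-trip the original list. In `wpSetUpBeforeClass()`, `'post'` in `array( 'post', 'gallery' )` does not look like a post-format slug; if `'standard'` was meant, both the comment and the array should say so. `wpSetUpBeforeClass()` begins before this hunk and `wpTearDownAfterClass()` continues past it.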
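Review bot: `test_create_post_with_unsupported_format()` asserts only the `rest_invalid_param` code and the 400 status, so it would still pass if a different field produced by `set_post_data()` were the one rejected. Pinning the offending parameter makes the test prove the format allow-list itself, for example `$data = $response->get_data();` followed by `$this->assertArrayHasKey( 'format', $data['data']['params'] );` (assuming the error payload lists invalid parameters under `params`). The same applies to `test_update_post_with_unsupported_format()` in the later hunk of this file. A companion assertion that a theme-supported format such as `gallery` is accepted would also catch the enum collapsing to an empty list.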
@@ -1497,6 +1528,24 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te $this->assertErrorResponse( 'rest_invalid_param', $response, 400 ); } + /** + * Test with a valid format, but one unsupported by the theme. + * + * https://core.trac.wordpress.org/ticket/38610 + */ + public function test_update_post_with_unsupported_format() { + wp_set_current_user( self::$editor_id ); + + $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/posts/%d', self::$post_id ) ); + $params = $this->set_post_data( array( + 'format' => 'link', + ) ); + $request->set_body_params( $params ); + $response = $this->server->dispatch( $request ); + + $this->assertErrorResponse( 'rest_invalid_param', $response, 400 ); + } + public function test_update_post_ignore_readonly() { wp_set_current_user( self::$editor_id );