From 0e818c7aeec602c83ed2817e5aa739c6f6ab76e9 Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Tue, 30 Jan 2018 00:20:37 +0000
Subject: [PATCH] Customize: Ensure `customize_autosaved` requests only use revision of logged-in user.

Props dlh, westonruter. See #42433, #39896. Fixes #42450.

git-svn-id: https://develop.svn.wordpress.org/trunk@42615 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../class-wp-customize-manager.php | 21 +++++++++++++------
 tests/phpunit/tests/ajax/CustomizeManager.php | 12 +++++++++--
 tests/phpunit/tests/customize/manager.php | 10 +++++++++
 3 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/src/wp-includes/class-wp-customize-manager.php b/src/wp-includes/class-wp-customize-manager.php
index 2cddb70370..f2042bbbeb 100644
--- a/src/wp-includes/class-wp-customize-manager.php
+++ b/src/wp-includes/class-wp-customize-manager.php
@@ -1141,7 +1141,7 @@ final class WP_Customize_Manager {
  if ( ! $changeset_post_id ) {
  $this->_changeset_data = array();
  } else {
- if ( $this->autosaved() ) {
+ if ( $this->autosaved() && is_user_logged_in() ) {
  $autosave_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
  if ( $autosave_post ) {
  $data = $this->get_changeset_post_data( $autosave_post->ID );
@@ -2902,10 +2902,12 @@ final class WP_Customize_Manager {
  $post_array['edit_date'] = true; // Prevent date clearing.
  $r = wp_update_post( wp_slash( $post_array ), true );
 
- // Delete autosave revision when the changeset is updated.
- $autosave_draft = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
- if ( $autosave_draft ) {
- wp_delete_post( $autosave_draft->ID, true );
+ // Delete autosave revision for user when the changeset is updated.
+ if ( ! empty( $args['user_id'] ) ) {
+ $autosave_draft = wp_get_post_autosave( $changeset_post_id, $args['user_id'] );
+ if ( $autosave_draft ) {
+ wp_delete_post( $autosave_draft->ID, true );
+ }
  }
  }
  } else {
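Review bot: The new `is_user_logged_in()` guard on the `autosaved()` branch carries no explanation of why a zero user id is unsafe here, and the same bare guard recurs in the `handle_dismiss_autosave_or_lock_request()` hunk and the `@@ -4649` hunk below. As far as I can tell `wp_get_post_autosave()` stops filtering by author when it is handed user id 0, which is what let a request with no logged-in user be served the most recent autosave of whichever user made it; a one-line comment keeps a later refactor from "simplifying" the condition back: `// A zero user id would make wp_get_post_autosave() match any user's autosave; only read the logged-in user's revision.` The enclosing method starts and ends outside the hunk.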
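Review bot: The autosave cleanup now keys on `$args['user_id']` and is skipped entirely when that value is empty, so a save performed without a user id leaves the current user's autosave revision in place where it was previously removed, and a leftover autosave is exactly what `changeset_data()` prefers once `autosaved()` is true. Whether `save_changeset_post()` defaults `user_id` to `get_current_user_id()` is decided outside the hunk and is worth confirming before merging; the enclosing method starts and ends outside the hunk. I would also make the comment say why the guard exists rather than restate the code: `// Delete the saving user's autosave revision; a zero user id would match any user's autosave, so skip rather than guess.`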
@@ -3548,6 +3550,11 @@ final class WP_Customize_Manager {
  * @since 4.9.0
  */
  public function handle_dismiss_autosave_or_lock_request() {
+ // Calls to dismiss_user_auto_draft_changesets() and wp_get_post_autosave() require non-zero get_current_user_id().
+ if ( ! is_user_logged_in() ) {
+ wp_send_json_error( 'unauthenticated', 401 );
+ }
+
  if ( ! $this->is_preview() ) {
  wp_send_json_error( 'not_preview', 400 );
  }
@@ -4649,7 +4656,9 @@ final class WP_Customize_Manager {
  $changeset_post_id = $this->changeset_post_id();
  if ( ! $this->saved_starter_content_changeset && ! $this->autosaved() ) {
  if ( $changeset_post_id ) {
- $autosave_revision_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
+ if ( is_user_logged_in() ) {
+ $autosave_revision_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
+ }
  } else {
  $autosave_autodraft_posts = $this->get_changeset_posts(
  array(
diff --git a/tests/phpunit/tests/ajax/CustomizeManager.php b/tests/phpunit/tests/ajax/CustomizeManager.php
index 32d17e891f..933b9920ec 100644
--- a/tests/phpunit/tests/ajax/CustomizeManager.php
+++ b/tests/phpunit/tests/ajax/CustomizeManager.php
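Review bot: `$autosave_revision_post` is now assigned only inside the new `is_user_logged_in()` branch of the `@@ -4649` hunk, so unless it is initialised before this block a request with no logged-in user reaches any later read of the variable with it undefined; the start of the enclosing method is outside the hunk, so I cannot see whether that initialisation exists. If there is no `$autosave_revision_post = null;` above, add it just before `if ( $changeset_post_id ) {`. The `else` branch populates `$autosave_autodraft_posts` instead, so the two paths were already asymmetric before this change and the null default is the cheapest way to keep them safe.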
@@ -552,8 +552,16 @@ class Tests_Ajax_CustomizeManager extends WP_Ajax_UnitTestCase {
  * @covers WP_Customize_Manager::dismiss_user_auto_draft_changesets()
  */
  public function test_handle_dismiss_autosave_or_lock_request() {
- $uuid = wp_generate_uuid4();
- $wp_customize = $this->set_up_valid_state( $uuid );
+ $uuid = wp_generate_uuid4();
+ $wp_customize = $this->set_up_valid_state( $uuid );
+ $valid_user_id = get_current_user_id();
+
+ // Temporarily remove user to test requirement that user is logged in. See #42450.
+ wp_set_current_user( 0 );
+ $this->make_ajax_call( 'customize_dismiss_autosave_or_lock' );
+ $this->assertFalse( $this->_last_response_parsed['success'] );
+ $this->assertEquals( 'unauthenticated', $this->_last_response_parsed['data'] );
+ wp_set_current_user( $valid_user_id );
 
  $this->make_ajax_call( 'customize_dismiss_autosave_or_lock' );
  $this->assertFalse( $this->_last_response_parsed['success'] );
diff --git a/tests/phpunit/tests/customize/manager.php b/tests/phpunit/tests/customize/manager.php
index 5af7826d0c..cdadf019f4 100644
--- a/tests/phpunit/tests/customize/manager.php
+++ b/tests/phpunit/tests/customize/manager.php
@@ -524,6 +524,16 @@ class Tests_WP_Customize_Manager extends WP_UnitTestCase {
  ),
  wp_list_pluck( $wp_customize->changeset_data(), 'value' )
  );
+
+ // If there is no user, don't fetch the most recent autosave. See #42450.
+ wp_set_current_user( 0 );
+ $wp_customize = new WP_Customize_Manager(
+ array(
+ 'changeset_uuid' => $uuid,
+ 'autosaved' => true,
+ )
+ );
+ $this->assertEquals( $data, $wp_customize->changeset_data() );
  }
 
  /**