Customize: Ensure `customize_autosaved` requests only use revision of logged-in user.

Props dlh, westonruter.
See #42433, #39896.
Fixes #42450.


git-svn-id: https://develop.svn.wordpress.org/trunk@42615 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/class-wp-customize-manager.php

@@ -1141,7 +1141,7 @@ final class WP_Customize_Manager {
 		if ( ! $changeset_post_id ) {
 			$this->_changeset_data = array();
 		} else {
-			if ( $this->autosaved() ) {
+			if ( $this->autosaved() && is_user_logged_in() ) {
 				$autosave_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
 				if ( $autosave_post ) {
 					$data = $this->get_changeset_post_data( $autosave_post->ID );
@@ -2902,10 +2902,12 @@ final class WP_Customize_Manager {
 				$post_array['edit_date'] = true; // Prevent date clearing.
 				$r                       = wp_update_post( wp_slash( $post_array ), true );
 
-				// Delete autosave revision when the changeset is updated.
-				$autosave_draft = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
-				if ( $autosave_draft ) {
-					wp_delete_post( $autosave_draft->ID, true );
+				// Delete autosave revision for user when the changeset is updated.
+				if ( ! empty( $args['user_id'] ) ) {
+					$autosave_draft = wp_get_post_autosave( $changeset_post_id, $args['user_id'] );
+					if ( $autosave_draft ) {
+						wp_delete_post( $autosave_draft->ID, true );
+					}
 				}
 			}
 		} else {
@@ -3548,6 +3550,11 @@ final class WP_Customize_Manager {
 	 * @since 4.9.0
 	 */
 	public function handle_dismiss_autosave_or_lock_request() {
+		// Calls to dismiss_user_auto_draft_changesets() and wp_get_post_autosave() require non-zero get_current_user_id().
+		if ( ! is_user_logged_in() ) {
+			wp_send_json_error( 'unauthenticated', 401 );
+		}
+
 		if ( ! $this->is_preview() ) {
 			wp_send_json_error( 'not_preview', 400 );
 		}
@@ -4649,7 +4656,9 @@ final class WP_Customize_Manager {
 		$changeset_post_id       = $this->changeset_post_id();
 		if ( ! $this->saved_starter_content_changeset && ! $this->autosaved() ) {
 			if ( $changeset_post_id ) {
-				$autosave_revision_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
+				if ( is_user_logged_in() ) {
+					$autosave_revision_post = wp_get_post_autosave( $changeset_post_id, get_current_user_id() );
+				}
 			} else {
 				$autosave_autodraft_posts = $this->get_changeset_posts(
 					array(

tests/phpunit/tests/ajax/CustomizeManager.php

@@ -552,8 +552,16 @@ class Tests_Ajax_CustomizeManager extends WP_Ajax_UnitTestCase {
 	 * @covers WP_Customize_Manager::dismiss_user_auto_draft_changesets()
 	 */
 	public function test_handle_dismiss_autosave_or_lock_request() {
-		$uuid         = wp_generate_uuid4();
-		$wp_customize = $this->set_up_valid_state( $uuid );
+		$uuid          = wp_generate_uuid4();
+		$wp_customize  = $this->set_up_valid_state( $uuid );
+		$valid_user_id = get_current_user_id();
+
+		// Temporarily remove user to test requirement that user is logged in. See #42450.
+		wp_set_current_user( 0 );
+		$this->make_ajax_call( 'customize_dismiss_autosave_or_lock' );
+		$this->assertFalse( $this->_last_response_parsed['success'] );
+		$this->assertEquals( 'unauthenticated', $this->_last_response_parsed['data'] );
+		wp_set_current_user( $valid_user_id );
 
 		$this->make_ajax_call( 'customize_dismiss_autosave_or_lock' );
 		$this->assertFalse( $this->_last_response_parsed['success'] );

tests/phpunit/tests/customize/manager.php

@@ -524,6 +524,16 @@ class Tests_WP_Customize_Manager extends WP_UnitTestCase {
 			),
 			wp_list_pluck( $wp_customize->changeset_data(), 'value' )
 		);
+
+		// If there is no user, don't fetch the most recent autosave. See #42450.
+		wp_set_current_user( 0 );
+		$wp_customize = new WP_Customize_Manager(
+			array(
+				'changeset_uuid' => $uuid,
+				'autosaved'      => true,
+			)
+		);
+		$this->assertEquals( $data, $wp_customize->changeset_data() );
 	}
 
 	/**