diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php index 08eb75611b..52c84e15a6 100644 --- a/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php +++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php @@ -1,41 +1,67 @@ get_media_types(); + if ( ! empty( $request['media_type'] ) && isset( $media_types[ $request['media_type'] ] ) ) { $query_args['post_mime_type'] = $media_types[ $request['media_type'] ]; } + if ( ! empty( $request['mime_type'] ) ) { $parts = explode( '/', $request['mime_type'] ); if ( isset( $media_types[ $parts[0] ] ) && in_array( $request['mime_type'], $media_types[ $parts[0] ], true ) ) { $query_args['post_mime_type'] = $request['mime_type']; } } + return $query_args; } /** - * Check if a given request has access to create an attachment. + * Checks if a given request has access to create an attachment. * - * @param WP_REST_Request $request Full details about the request. + * @since 4.7.0 + * @access public + * + * @param WP_REST_Request $request Full details about the request. * @return WP_Error|true Boolean true if the attachment may be created, or a WP_Error if not. */ public function create_item_permissions_check( $request ) { $ret = parent::create_item_permissions_check( $request ); + if ( ! $ret || is_wp_error( $ret ) ) { return $ret; } @@ -48,6 +74,7 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { if ( ! empty( $request['post'] ) ) { $parent = $this->get_post( (int) $request['post'] ); $post_parent_type = get_post_type_object( $parent->post_type ); + if ( ! current_user_can( $post_parent_type->cap->edit_post, $request['post'] ) ) { return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to upload media to this resource.' ), array( 'status' => rest_authorization_required_code() ) ); } @@ -57,7 +84,10 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { } /** - * Create a single attachment. + * Creates a single attachment. + * + * @since 4.7.0 + * @access public * * @param WP_REST_Request $request Full details about the request. * @return WP_Error|WP_REST_Response Response object on success, WP_Error object on failure. @@ -68,9 +98,10 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { return new WP_Error( 'rest_invalid_param', __( 'Invalid parent type.' ), array( 'status' => 400 ) ); } - // Get the file via $_FILES or raw data + // Get the file via $_FILES or raw data. $files = $request->get_file_params(); $headers = $request->get_headers(); + if ( ! empty( $files ) ) { $file = $this->upload_from_file( $files, $headers ); } else { @@ -90,9 +121,8 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { $file = $file['file']; // use image exif/iptc data for title and caption defaults if possible - // @codingStandardsIgnoreStart $image_meta = @wp_read_image_metadata( $file ); - // @codingStandardsIgnoreEnd + if ( ! empty( $image_meta ) ) { if ( empty( $request['title'] ) && trim( $image_meta['title'] ) && ! is_numeric( sanitize_title( $image_meta['title'] ) ) ) { $request['title'] = $image_meta['title']; @@ -113,6 +143,7 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { } $id = wp_insert_post( $attachment, true ); + if ( is_wp_error( $id ) ) { if ( 'db_update_error' === $id->get_error_code() ) { $id->add_data( array( 'status' => 500 ) ); @@ -121,6 +152,7 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { } return $id; } + $attachment = $this->get_post( $id ); // Include admin functions to get access to wp_generate_attachment_metadata(). @@ -133,6 +165,7 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { } $fields_update = $this->update_additional_fields_for_object( $attachment, $request ); + if ( is_wp_error( $fields_update ) ) { return $fields_update; } @@ -146,18 +179,22 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { /** * Fires after a single attachment is created or updated via the REST API. * + * @since 4.7.0 + * * @param object $attachment Inserted attachment. * @param WP_REST_Request $request The request sent to the API. - * @param boolean $creating True when creating an attachment, false when updating. + * @param bool $creating True when creating an attachment, false when updating. */ do_action( 'rest_insert_attachment', $attachment, $request, true ); return $response; - } /** - * Update a single post. + * Updates a single attachment. + * + * @since 4.7.0 + * @access public * * @param WP_REST_Request $request Full details about the request. * @return WP_Error|WP_REST_Response Response object on success, WP_Error object on failure. @@ -166,7 +203,9 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { if ( ! empty( $request['post'] ) && in_array( get_post_type( $request['post'] ), array( 'revision', 'attachment' ), true ) ) { return new WP_Error( 'rest_invalid_param', __( 'Invalid parent type.' ), array( 'status' => 400 ) ); } + $response = parent::update_item( $request ); + if ( is_wp_error( $response ) ) { return $response; } @@ -181,6 +220,7 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { $attachment = $this->get_post( $request['id'] ); $fields_update = $this->update_additional_fields_for_object( $attachment, $request ); + if ( is_wp_error( $fields_update ) ) { return $fields_update; } @@ -189,14 +229,17 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { $response = $this->prepare_item_for_response( $attachment, $request ); $response = rest_ensure_response( $response ); - /* This action is documented in lib/endpoints/class-wp-rest-attachments-controller.php */ + /* This action is documented in wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php */ do_action( 'rest_insert_attachment', $data, $request, false ); return $response; } /** - * Prepare a single attachment for create or update. + * Prepares a single attachment for create or update. + * + * @since 4.7.0 + * @access public * * @param WP_REST_Request $request Request object. * @return WP_Error|stdClass $prepared_attachment Post object. @@ -220,9 +263,12 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { } /** - * Prepare a single attachment output for response. + * Prepares a single attachment output for response. * - * @param WP_Post $post Post object. + * @since 4.7.0 + * @access public + * + * @param WP_Post $post Attachment object. * @param WP_REST_Request $request Request object. * @return WP_REST_Response Response object. */ @@ -261,14 +307,15 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { } $full_src = wp_get_attachment_image_src( $post->ID, 'full' ); + if ( ! empty( $full_src ) ) { $data['media_details']['sizes']['full'] = array( - 'file' => wp_basename( $full_src[0] ), - 'width' => $full_src[1], - 'height' => $full_src[2], - 'mime_type' => $post->post_mime_type, - 'source_url' => $full_src[0], - ); + 'file' => wp_basename( $full_src[0] ), + 'width' => $full_src[1], + 'height' => $full_src[2], + 'mime_type' => $post->post_mime_type, + 'source_url' => $full_src[0], + ); } } else { $data['media_details']['sizes'] = new stdClass; @@ -284,19 +331,24 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { $response->add_links( $this->prepare_links( $post ) ); /** - * Filter an attachment returned from the API. + * Filters an attachment returned from the REST API. * * Allows modification of the attachment right before it is returned. * - * @param WP_REST_Response $response The response object. - * @param WP_Post $post The original attachment post. - * @param WP_REST_Request $request Request used to generate the response. + * @since 4.7.0 + * + * @param WP_REST_Response $response The response object. + * @param WP_Post $post The original attachment post. + * @param WP_REST_Request $request Request used to generate the response. */ return apply_filters( 'rest_prepare_attachment', $response, $post, $request ); } /** - * Get the Attachment's schema, conforming to JSON Schema. + * Retrieves the attachment's schema, conforming to JSON Schema. + * + * @since 4.7.0 + * @access public * * @return array Item schema as an array. */ @@ -312,6 +364,7 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { 'sanitize_callback' => 'sanitize_text_field', ), ); + $schema['properties']['caption'] = array( 'description' => __( 'The caption for the resource.' ), 'type' => 'string', @@ -320,6 +373,7 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { 'sanitize_callback' => 'wp_filter_post_kses', ), ); + $schema['properties']['description'] = array( 'description' => __( 'The description for the resource.' ), 'type' => 'string', @@ -328,6 +382,7 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { 'sanitize_callback' => 'wp_filter_post_kses', ), ); + $schema['properties']['media_type'] = array( 'description' => __( 'Type of resource.' ), 'type' => 'string', @@ -335,23 +390,27 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { 'context' => array( 'view', 'edit', 'embed' ), 'readonly' => true, ); + $schema['properties']['mime_type'] = array( 'description' => __( 'MIME type of resource.' ), 'type' => 'string', 'context' => array( 'view', 'edit', 'embed' ), 'readonly' => true, ); + $schema['properties']['media_details'] = array( 'description' => __( 'Details about the resource file, specific to its type.' ), 'type' => 'object', 'context' => array( 'view', 'edit', 'embed' ), 'readonly' => true, ); + $schema['properties']['post'] = array( 'description' => __( 'The id for the associated post of the resource.' ), 'type' => 'integer', 'context' => array( 'view', 'edit' ), ); + $schema['properties']['source_url'] = array( 'description' => __( 'URL to the original resource file.' ), 'type' => 'string', @@ -359,15 +418,19 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { 'context' => array( 'view', 'edit', 'embed' ), 'readonly' => true, ); + return $schema; } /** - * Handle an upload via raw POST data. + * Handles an upload via raw POST data. + * + * @since 4.7.0 + * @access protected * * @param array $data Supplied file data. * @param array $headers HTTP headers from the request. - * @return array|WP_Error Data from {@see wp_handle_sideload()}. + * @return array|WP_Error Data from wp_handle_sideload(). */ protected function upload_from_data( $data, $headers ) { if ( empty( $data ) ) { @@ -390,8 +453,8 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { if ( ! empty( $headers['content_md5'] ) ) { $content_md5 = array_shift( $headers['content_md5'] ); - $expected = trim( $content_md5 ); - $actual = md5( $data ); + $expected = trim( $content_md5 ); + $actual = md5( $data ); if ( $expected !== $actual ) { return new WP_Error( 'rest_upload_hash_mismatch', __( 'Content hash did not match expected.' ), array( 'status' => 412 ) ); @@ -423,15 +486,16 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { 'name' => $filename, 'type' => $type, ); + $overrides = array( 'test_form' => false, ); + $sideloaded = wp_handle_sideload( $file_data, $overrides ); if ( isset( $sideloaded['error'] ) ) { - // @codingStandardsIgnoreStart @unlink( $tmpfname ); - // @codingStandardsIgnoreEnd + return new WP_Error( 'rest_upload_sideload_error', $sideloaded['error'], array( 'status' => 500 ) ); } @@ -439,7 +503,7 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { } /** - * Parse filename from a Content-Disposition header value. + * Parses filename from a Content-Disposition header value. * * As per RFC6266: * @@ -459,8 +523,11 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { * | ext-token "=" ext-value * ext-token = * - * @see http://tools.ietf.org/html/rfc2388 - * @see http://tools.ietf.org/html/rfc6266 + * @since 4.7.0 + * @access public + * + * @link http://tools.ietf.org/html/rfc2388 + * @link http://tools.ietf.org/html/rfc6266 * * @param string[] $disposition_header List of Content-Disposition header values. * @return string|null Filename if available, or null if not found. @@ -477,14 +544,17 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { } list( $type, $attr_parts ) = explode( ';', $value, 2 ); + $attr_parts = explode( ';', $attr_parts ); $attributes = array(); + foreach ( $attr_parts as $part ) { if ( strpos( $part, '=' ) === false ) { continue; } list( $key, $value ) = explode( '=', $part, 2 ); + $attributes[ trim( $key ) ] = trim( $value ); } @@ -504,7 +574,10 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { } /** - * Get the query params for collections of attachments. + * Retrieves the query params for collections of attachments. + * + * @since 4.7.0 + * @access public * * @return array Query parameters for the attachment collection as an array. */ @@ -513,42 +586,52 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { $params['status']['default'] = 'inherit'; $params['status']['enum'] = array( 'inherit', 'private', 'trash' ); $media_types = $this->get_media_types(); + $params['media_type'] = array( - 'default' => null, - 'description' => __( 'Limit result set to attachments of a particular media type.' ), - 'type' => 'string', - 'enum' => array_keys( $media_types ), - 'validate_callback' => 'rest_validate_request_arg', + 'default' => null, + 'description' => __( 'Limit result set to attachments of a particular media type.' ), + 'type' => 'string', + 'enum' => array_keys( $media_types ), + 'validate_callback' => 'rest_validate_request_arg', ); + $params['mime_type'] = array( - 'default' => null, - 'description' => __( 'Limit result set to attachments of a particular MIME type.' ), - 'type' => 'string', + 'default' => null, + 'description' => __( 'Limit result set to attachments of a particular MIME type.' ), + 'type' => 'string', ); + return $params; } /** - * Validate whether the user can query private statuses + * Validates whether the user can query private statuses. * - * @param mixed $value Status value. - * @param WP_REST_Request $request Request object. - * @param string $parameter Additional parameter to pass to validation. - * @return WP_Error|boolean Boolean true if the user may query, WP_Error if not. + * @since 4.7.0 + * @access public + * + * @param mixed $value Status value. + * @param WP_REST_Request $request Request object. + * @param string $parameter Additional parameter to pass for validation. + * @return WP_Error|bool True if the user may query, WP_Error if not. */ public function validate_user_can_query_private_statuses( $value, $request, $parameter ) { if ( 'inherit' === $value ) { return true; } + return parent::validate_user_can_query_private_statuses( $value, $request, $parameter ); } /** - * Handle an upload via multipart/form-data ($_FILES). + * Handles an upload via multipart/form-data ($_FILES). * - * @param array $files Data from $_FILES. + * @since 4.7.0 + * @access protected + * + * @param array $files Data from the `$_FILES` superglobal. * @param array $headers HTTP headers from the request. - * @return array|WP_Error Data from {@see wp_handle_upload()}. + * @return array|WP_Error Data from wp_handle_upload(). */ protected function upload_from_file( $files, $headers ) { if ( empty( $files ) ) { @@ -558,8 +641,9 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { // Verify hash, if given. if ( ! empty( $headers['content_md5'] ) ) { $content_md5 = array_shift( $headers['content_md5'] ); - $expected = trim( $content_md5 ); - $actual = md5_file( $files['file']['tmp_name'] ); + $expected = trim( $content_md5 ); + $actual = md5_file( $files['file']['tmp_name'] ); + if ( $expected !== $actual ) { return new WP_Error( 'rest_upload_hash_mismatch', __( 'Content hash did not match expected.' ), array( 'status' => 412 ) ); } @@ -569,13 +653,15 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { $overrides = array( 'test_form' => false, ); + // Bypasses is_uploaded_file() when running unit tests. if ( defined( 'DIR_TESTDATA' ) && DIR_TESTDATA ) { $overrides['action'] = 'wp_handle_mock_upload'; } - // Include admin functions to get access to wp_handle_upload(). + /** Include admin functions to get access to wp_handle_upload() */ require_once ABSPATH . 'wp-admin/includes/admin.php'; + $file = wp_handle_upload( $files['file'], $overrides ); if ( isset( $file['error'] ) ) { @@ -586,21 +672,28 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller { } /** - * Get the supported media types. + * Retrieves the supported media types. * * Media types are considered the MIME type category. * - * @return array + * @since 4.7.0 + * @access protected + * + * @return array Array of supported media types. */ protected function get_media_types() { $media_types = array(); + foreach ( get_allowed_mime_types() as $mime_type ) { $parts = explode( '/', $mime_type ); + if ( ! isset( $media_types[ $parts[0] ] ) ) { $media_types[ $parts[0] ] = array(); } + $media_types[ $parts[0] ][] = $mime_type; } + return $media_types; }