REST API: Support querying for multiple post statuses.

Multiple post statuses can be specified by the usual CSV or array-propper format.

Props jnylen0, kadamwhite, websupporter.
Fixes #38420.


git-svn-id: https://develop.svn.wordpress.org/trunk@39104 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/rest-api/class-wp-rest-server.php

@@ -1183,6 +1183,12 @@ class WP_REST_Server {
 					if ( isset( $opts['description'] ) ) {
 						$arg_data['description'] = $opts['description'];
 					}
+					if ( isset( $opts['type'] ) ) {
+						$arg_data['type'] = $opts['type'];
+					}
+					if ( isset( $opts['items'] ) ) {
+						$arg_data['items'] = $opts['items'];
+					}
 					$endpoint_data['args'][ $key ] = $arg_data;
 				}
 			}

src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php

@@ -30,7 +30,7 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 	protected function prepare_items_query( $prepared_args = array(), $request = null ) {
 		$query_args = parent::prepare_items_query( $prepared_args, $request );
 
-		if ( empty( $query_args['post_status'] ) || ! in_array( $query_args['post_status'], array( 'inherit', 'private', 'trash' ), true ) ) {
+		if ( empty( $query_args['post_status'] ) ) {
 			$query_args['post_status'] = 'inherit';
 		}
 
@@ -586,7 +586,7 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 	public function get_collection_params() {
 		$params = parent::get_collection_params();
 		$params['status']['default'] = 'inherit';
-		$params['status']['enum'] = array( 'inherit', 'private', 'trash' );
+		$params['status']['items']['enum'] = array( 'inherit', 'private', 'trash' );
 		$media_types = $this->get_media_types();
 
 		$params['media_type'] = array(

src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

@@ -2120,11 +2120,13 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 
 		$params['status'] = array(
 			'default'           => 'publish',
-			'description'       => __( 'Limit result set to posts assigned a specific status; can be comma-delimited list of status types.' ),
-			'enum'              => array_merge( array_keys( get_post_stati() ), array( 'any' ) ),
-			'sanitize_callback' => 'sanitize_key',
-			'type'              => 'string',
-			'validate_callback' => array( $this, 'validate_user_can_query_private_statuses' ),
+			'description'       => __( 'Limit result set to posts assigned one or more statuses.' ),
+			'type'              => 'array',
+			'items'             => array(
+				'enum'          => array_merge( array_keys( get_post_stati() ), array( 'any' ) ),
+				'type'          => 'string',
+			),
+			'sanitize_callback' => array( $this, 'sanitize_post_statuses' ),
 		);
 
 		$taxonomies = wp_list_filter( get_object_taxonomies( $this->post_type, 'objects' ), array( 'show_in_rest' => true ) );
@@ -2152,27 +2154,41 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 	}
 
 	/**
-	 * Validates whether the user can query private statuses.
+	 * Sanitizes and validates the list of post statuses, including whether the
+	 * user can query private statuses.
 	 *
 	 * @since 4.7.0
 	 * @access public
 	 *
-	 * @param  mixed           $value     Post status.
+	 * @param  string|array    $statuses  One or more post statuses.
 	 * @param  WP_REST_Request $request   Full details about the request.
 	 * @param  string          $parameter Additional parameter to pass to validation.
-	 * @return bool|WP_Error Whether the request can query private statuses, otherwise WP_Error object.
+	 * @return array|WP_Error A list of valid statuses, otherwise WP_Error object.
 	 */
-	public function validate_user_can_query_private_statuses( $value, $request, $parameter ) {
-		if ( 'publish' === $value ) {
-			return rest_validate_request_arg( $value, $request, $parameter );
+	public function sanitize_post_statuses( $statuses, $request, $parameter ) {
+		$statuses = wp_parse_slug_list( $statuses );
+
+		// The default status is different in WP_REST_Attachments_Controller
+		$attributes = $request->get_attributes();
+		$default_status = $attributes['args']['status']['default'];
+
+		foreach ( $statuses as $status ) {
+			if ( $status === $default_status ) {
+				continue;
+			}
+
+			$post_type_obj = get_post_type_object( $this->post_type );
+
+			if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
+				$result = rest_validate_request_arg( $status, $request, $parameter );
+				if ( is_wp_error( $result ) ) {
+					return $result;
+				}
+			} else {
+				return new WP_Error( 'rest_forbidden_status', __( 'Status is forbidden.' ), array( 'status' => rest_authorization_required_code() ) );
+			}
 		}
 
-		$post_type_obj = get_post_type_object( $this->post_type );
-
-		if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
-			return rest_validate_request_arg( $value, $request, $parameter );
-		}
-
-		return new WP_Error( 'rest_forbidden_status', __( 'Status is forbidden.' ), array( 'status' => rest_authorization_required_code() ) );
+		return $statuses;
 	}
 }

tests/phpunit/tests/rest-api/rest-attachments-controller.php

@@ -327,6 +327,37 @@ class WP_Test_REST_Attachments_Controller extends WP_Test_REST_Post_Type_Control
 		$this->assertEquals( $attachment_id1, $data[0]['id'] );
 	}
 
+	public function test_get_items_multiple_statuses() {
+		// Logged out users can't make the request
+		wp_set_current_user( 0 );
+		$attachment_id1 = $this->factory->attachment->create_object( $this->test_file, 0, array(
+			'post_mime_type' => 'image/jpeg',
+			'post_excerpt'   => 'A sample caption',
+			'post_status'    => 'private',
+		) );
+		$attachment_id2 = $this->factory->attachment->create_object( $this->test_file, 0, array(
+			'post_mime_type' => 'image/jpeg',
+			'post_excerpt'   => 'A sample caption',
+			'post_status'    => 'trash',
+		) );
+		$request = new WP_REST_Request( 'GET', '/wp/v2/media' );
+		$request->set_param( 'status', array( 'private', 'trash' ) );
+		$response = $this->server->dispatch( $request );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+		// Properly authorized users can make the request
+		wp_set_current_user( self::$editor_id );
+		$response = $this->server->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+		$data = $response->get_data();
+		$this->assertEquals( 2, count( $data ) );
+		$ids = array(
+			$data[0]['id'],
+			$data[1]['id'],
+		);
+		sort( $ids );
+		$this->assertEquals( array( $attachment_id1, $attachment_id2 ), $ids );
+	}
+
 	public function test_get_items_invalid_date() {
 		$request = new WP_REST_Request( 'GET', '/wp/v2/media' );
 		$request->set_param( 'after', rand_str() );

tests/phpunit/tests/rest-api/rest-posts-controller.php

@@ -310,6 +310,60 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
 		$this->assertEquals( 1, count( $response->get_data() ) );
 	}
 
+	public function test_get_items_multiple_statuses_string_query() {
+		wp_set_current_user( self::$editor_id );
+
+		$this->factory->post->create( array( 'post_status' => 'draft' ) );
+		$this->factory->post->create( array( 'post_status' => 'private' ) );
+		$this->factory->post->create( array( 'post_status' => 'publish' ) );
+
+		$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
+		$request->set_param( 'context', 'edit' );
+		$request->set_param( 'status', 'draft,private' );
+
+		$response = $this->server->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+		$data = $response->get_data();
+		$this->assertEquals( 2, count( $data ) );
+		$statuses = array(
+			$data[0]['status'],
+			$data[1]['status'],
+		);
+		sort( $statuses );
+		$this->assertEquals( array( 'draft', 'private' ), $statuses );
+	}
+
+	public function test_get_items_multiple_statuses_array_query() {
+		wp_set_current_user( self::$editor_id );
+
+		$this->factory->post->create( array( 'post_status' => 'draft' ) );
+		$this->factory->post->create( array( 'post_status' => 'pending' ) );
+		$this->factory->post->create( array( 'post_status' => 'publish' ) );
+
+		$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
+		$request->set_param( 'context', 'edit' );
+		$request->set_param( 'status', array( 'draft', 'pending' ) );
+
+		$response = $this->server->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+		$data = $response->get_data();
+		$this->assertEquals( 2, count( $data ) );
+		$statuses = array(
+			$data[0]['status'],
+			$data[1]['status'],
+		);
+		sort( $statuses );
+		$this->assertEquals( array( 'draft', 'pending' ), $statuses );
+	}
+
+	public function test_get_items_multiple_statuses_one_invalid_query() {
+		$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
+		$request->set_param( 'context', 'edit' );
+		$request->set_param( 'status', array( 'draft', 'nonsense' ) );
+		$response = $this->server->dispatch( $request );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+	}
+
 	public function test_get_items_invalid_status_query() {
 		wp_set_current_user( 0 );
 		$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
@@ -1963,6 +2017,19 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
 		$this->assertArrayHasKey( 'categories_exclude', $properties );
 	}
 
+	public function test_status_array_enum_args() {
+		$request = new WP_REST_Request( 'GET', '/wp/v2' );
+		$response = $this->server->dispatch( $request );
+		$data = $response->get_data();
+		$list_posts_args = $data['routes']['/wp/v2/posts']['endpoints'][0]['args'];
+		$status_arg = $list_posts_args['status'];
+		$this->assertEquals( 'array', $status_arg['type'] );
+		$this->assertEquals( array(
+			'type' => 'string',
+			'enum' => array( 'publish', 'future', 'draft', 'pending', 'private', 'trash', 'auto-draft', 'inherit', 'any' ),
+		), $status_arg['items'] );
+	}
+
 	public function test_get_additional_field_registration() {
 
 		$schema = array(

tests/phpunit/tests/rest-api/rest-schema-sanitization.php

@@ -86,4 +86,28 @@ class WP_Test_REST_Schema_Sanitization extends WP_UnitTestCase {
 		$this->assertEquals( array( 1, 2 ), rest_sanitize_value_from_schema( '1,2', $schema ) );
 		$this->assertEquals( array( 1, 2, 0 ), rest_sanitize_value_from_schema( '1,2,a', $schema ) );
 	}
+
+	public function test_type_array_with_enum() {
+		$schema = array(
+			'type'  => 'array',
+			'items' => array(
+				'enum' => array( 'chicken', 'ribs', 'brisket' ),
+				'type' => 'string',
+			),
+		);
+		$this->assertEquals( array( 'ribs', 'brisket' ), rest_sanitize_value_from_schema( array( 'ribs', 'brisket' ), $schema ) );
+		$this->assertEquals( array( 'coleslaw' ), rest_sanitize_value_from_schema( array( 'coleslaw' ), $schema ) );
+	}
+
+	public function test_type_array_with_enum_as_csv() {
+		$schema = array(
+			'type'  => 'array',
+			'items' => array(
+				'enum' => array( 'chicken', 'ribs', 'brisket' ),
+				'type' => 'string',
+			),
+		);
+		$this->assertEquals( array( 'ribs', 'chicken' ), rest_sanitize_value_from_schema( 'ribs,chicken', $schema ) );
+		$this->assertEquals( array( 'chicken', 'coleslaw' ), rest_sanitize_value_from_schema( 'chicken,coleslaw', $schema ) );
+	}
 }

tests/phpunit/tests/rest-api/rest-schema-validation.php

@@ -115,4 +115,28 @@ class WP_Test_REST_Schema_Validation extends WP_UnitTestCase {
 		$this->assertTrue( rest_validate_value_from_schema( '1,2,3', $schema ) );
 		$this->assertWPError( rest_validate_value_from_schema( 'lol', $schema ) );
 	}
+
+	public function test_type_array_with_enum() {
+		$schema = array(
+			'type'  => 'array',
+			'items' => array(
+				'enum' => array( 'chicken', 'ribs', 'brisket' ),
+				'type' => 'string',
+			),
+		);
+		$this->assertTrue( rest_validate_value_from_schema( array( 'ribs', 'brisket' ), $schema ) );
+		$this->assertWPError( rest_validate_value_from_schema( array( 'coleslaw' ), $schema ) );
+	}
+
+	public function test_type_array_with_enum_as_csv() {
+		$schema = array(
+			'type'  => 'array',
+			'items' => array(
+				'enum' => array( 'chicken', 'ribs', 'brisket' ),
+				'type' => 'string',
+			),
+		);
+		$this->assertTrue( rest_validate_value_from_schema( 'ribs,chicken', $schema ) );
+		$this->assertWPError( rest_validate_value_from_schema( 'chicken,coleslaw', $schema ) );
+	}
 }