Prevent terms in a show_in_quick_edit=false taxonomy from being updated by a faked AJAX request.
The UI for these taxonomies was hidden in [31308], but it remained possible to send a direct POST request to the `inline-edit` endpoint to bypass the restriction. The current changeset fixes this. Props meloniq. Fixes #26948. git-svn-id: https://develop.svn.wordpress.org/trunk@31313 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
parent
2d737796d2
commit
32f2903248
@ -1550,6 +1550,17 @@ function wp_ajax_inline_save() {
|
|||
if ( empty($data['ping_status']) )
|
||||
$data['ping_status'] = 'closed';
|
||||
|
||||
// Exclude terms from taxonomies that are not supposed to appear in Quick Edit.
|
||||
if ( ! empty( $data['tax_input'] ) ) {
|
||||
foreach ( $data['tax_input'] as $taxonomy => $terms ) {
|
||||
$tax_object = get_taxonomy( $taxonomy );
|
||||
/** This filter is documented in wp-admin/includes/class-wp-posts-list-table.php */
|
||||
if ( ! apply_filters( 'quick_edit_show_taxonomy', $tax_object->show_in_quick_edit, $taxonomy, $post['post_type'] ) ) {
|
||||
unset( $data['tax_input'][ $taxonomy ] );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Hack: wp_unique_post_slug() doesn't work for drafts, so we will fake that our post is published.
|
||||
if ( ! empty( $data['post_name'] ) && in_array( $post['post_status'], array( 'draft', 'pending' ) ) ) {
|
||||
$post['post_status'] = 'publish';
|
||||
|
|
|
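Review bot: `get_taxonomy( $taxonomy )` on the line after the `foreach` returns false when the `tax_input` key is not a registered taxonomy, and since the keys come straight from the POST body a forged request can send any name; the property read `$tax_object->show_in_quick_edit` on the following line then runs on a non-object, which emits a notice (a warning on newer PHP) and only discards the entry because null is falsy. Making the lookup failure explicit keeps the drop intentional rather than incidental: `if ( ! $tax_object || ! apply_filters( 'quick_edit_show_taxonomy', $tax_object->show_in_quick_edit, $taxonomy, $post['post_type'] ) ) {`. A one-line comment above it, `// Unknown taxonomies are dropped too: get_taxonomy() returns false for them.`, would record that intent for the next reader. wp_ajax_inline_save() begins before this hunk and continues after it.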
@ -0,0 +1,71 @@
|
|||
<?php
|
||||
|
||||
/**
|
||||
* Admin ajax functions to be tested
|
||||
*/
|
||||
require_once( ABSPATH . 'wp-admin/includes/ajax-actions.php' );
|
||||
|
||||
/**
|
||||
* Testing Quick Edit AJAX functionality.
|
||||
*
|
||||
* @group ajax
|
||||
*/
|
||||
class Tests_Ajax_QuickEdit extends WP_Ajax_UnitTestCase {
|
||||
|
||||
/**
|
||||
* @group 26948
|
||||
*/
|
||||
public function test_dont_process_terms_if_taxonomy_does_not_allow_show_on_quick_edit() {
|
||||
register_taxonomy( 'wptests_tax_1', 'post', array(
|
||||
'show_in_quick_edit' => false,
|
||||
'hierarchical' => true,
|
||||
) );
|
||||
register_taxonomy( 'wptests_tax_2', 'post', array(
|
||||
'show_in_quick_edit' => true,
|
||||
'hierarchical' => true,
|
||||
) );
|
||||
|
||||
$t1 = $this->factory->term->create( array(
|
||||
'taxonomy' => 'wptests_tax_1',
|
||||
) );
|
||||
$t2 = $this->factory->term->create( array(
|
||||
'taxonomy' => 'wptests_tax_2',
|
||||
) );
|
||||
|
||||
// Become an administrator.
|
||||
$this->_setRole( 'administrator' );
|
||||
|
||||
$post = $this->factory->post->create_and_get( array(
|
||||
'post_author' => get_current_user_id(),
|
||||
) );
|
||||
|
||||
// Set up a request.
|
||||
$_POST['_inline_edit'] = wp_create_nonce( 'inlineeditnonce' );
|
||||
$_POST['post_ID'] = $post->ID;
|
||||
$_POST['post_type'] = $post->post_type;
|
||||
$_POST['content'] = $post->post_content;
|
||||
$_POST['excerpt'] = $post->post_excerpt;
|
||||
$_POST['_status'] = $post->post_status;
|
||||
$_POST['post_status'] = $post->post_status;
|
||||
$_POST['screen'] = 'post';
|
||||
$_POST['tax_input'] = array(
|
||||
'wptests_tax_1' => array( $t1 ),
|
||||
'wptests_tax_2' => array( $t2 ),
|
||||
);
|
||||
|
||||
// Make the request.
|
||||
try {
|
||||
$this->_handleAjax( 'inline-save' );
|
||||
} catch ( WPAjaxDieContinueException $e ) {
|
||||
unset( $e );
|
||||
}
|
||||
|
||||
// wptests_tax_1 terms should have been refused.
|
||||
$post_terms_1 = wp_get_object_terms( $post->ID, 'wptests_tax_1' );
|
||||
$this->assertEmpty( $post_terms_1 );
|
||||
|
||||
// wptests_tax_2 terms should have been added successfully.
|
||||
$post_terms_2 = wp_get_object_terms( $post->ID, 'wptests_tax_2' );
|
||||
$this->assertEqualSets( array( $t2 ), wp_list_pluck( $post_terms_2, 'term_id' ) );
|
||||
}
|
||||
}
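Review bot: The test only sends keys for the two taxonomies it registers, so the path in wp_ajax_inline_save() where `get_taxonomy()` returns false for an unknown `tax_input` key — just as reachable from a forged request — is not covered; adding a third entry such as `'wptests_tax_unregistered' => array( 1 )` to `$_POST['tax_input']` and asserting the request still completes would pin that behaviour (and would surface the notice the handler currently raises there, if the suite converts notices to errors). The `unset( $e )` inside the catch block does nothing useful once the block ends; `} catch ( WPAjaxDieContinueException $e ) { // Expected: the handler dies after saving. }` says more with less. The `@group 26948` docblock could also state in one sentence that the test simulates a direct POST bypassing the hidden Quick Edit UI, which is the scenario the ticket describes.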