Prevent terms in a show_in_quick_edit=false taxonomy from being updated by a faked AJAX request.

The UI for these taxonomies was hidden in [31308], but it remained possible to send a direct POST request to the `inline-edit` endpoint to bypass the restriction. The current changeset fixes this. Props meloniq. Fixes #26948. git-svn-id: https://develop.svn.wordpress.org/trunk@31313 602fd350-edb4-49c9-b593-d223f7449a82
2015-01-31 19:37:12 +00:00 · 2015-01-31 19:37:12 +00:00 · 32f2903248
parent 2d737796d2
commit 32f2903248
2 changed files with 82 additions and 0 deletions
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@ -1550,6 +1550,17 @@ function wp_ajax_inline_save() {
 	if ( empty($data['ping_status']) )
 		$data['ping_status'] = 'closed';

+	// Exclude terms from taxonomies that are not supposed to appear in Quick Edit.
+	if ( ! empty( $data['tax_input'] ) ) {
+		foreach ( $data['tax_input'] as $taxonomy => $terms ) {
+			$tax_object = get_taxonomy( $taxonomy );
+			/** This filter is documented in wp-admin/includes/class-wp-posts-list-table.php */
+			if ( ! apply_filters( 'quick_edit_show_taxonomy', $tax_object->show_in_quick_edit, $taxonomy, $post['post_type'] ) ) {
+				unset( $data['tax_input'][ $taxonomy ] );
+			}
+		}
+	}
+
 	// Hack: wp_unique_post_slug() doesn't work for drafts, so we will fake that our post is published.
 	if ( ! empty( $data['post_name'] ) && in_array( $post['post_status'], array( 'draft', 'pending' ) ) ) {
 		$post['post_status'] = 'publish';
--- a/tests/phpunit/tests/ajax/QuickEdit.php
+++ b/tests/phpunit/tests/ajax/QuickEdit.php
@ -0,0 +1,71 @@
+<?php
+
+/**
+ * Admin ajax functions to be tested
+ */
+require_once( ABSPATH . 'wp-admin/includes/ajax-actions.php' );
+
+/**
+ * Testing Quick Edit AJAX functionality.
+ *
+ * @group ajax
+ */
+class Tests_Ajax_QuickEdit extends WP_Ajax_UnitTestCase {
+
+	/**
+	 * @group 26948
+	 */
+	public function test_dont_process_terms_if_taxonomy_does_not_allow_show_on_quick_edit() {
+		register_taxonomy( 'wptests_tax_1', 'post', array(
+			'show_in_quick_edit' => false,
+			'hierarchical' => true,
+		) );
+		register_taxonomy( 'wptests_tax_2', 'post', array(
+			'show_in_quick_edit' => true,
+			'hierarchical' => true,
+		) );
+
+		$t1 = $this->factory->term->create( array(
+			'taxonomy' => 'wptests_tax_1',
+		) );
+		$t2 = $this->factory->term->create( array(
+			'taxonomy' => 'wptests_tax_2',
+		) );
+
+		// Become an administrator.
+		$this->_setRole( 'administrator' );
+
+		$post = $this->factory->post->create_and_get( array(
+			'post_author' => get_current_user_id(),
+		) );
+
+		// Set up a request.
+		$_POST['_inline_edit'] = wp_create_nonce( 'inlineeditnonce' );
+		$_POST['post_ID'] = $post->ID;
+		$_POST['post_type'] = $post->post_type;
+		$_POST['content'] = $post->post_content;
+		$_POST['excerpt'] = $post->post_excerpt;
+		$_POST['_status'] = $post->post_status;
+		$_POST['post_status'] = $post->post_status;
+		$_POST['screen'] = 'post';
+		$_POST['tax_input'] = array(
+			'wptests_tax_1' => array( $t1 ),
+			'wptests_tax_2' => array( $t2 ),
+		);
+
+		// Make the request.
+		try {
+			$this->_handleAjax( 'inline-save' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		// wptests_tax_1 terms should have been refused.
+		$post_terms_1 = wp_get_object_terms( $post->ID, 'wptests_tax_1' );
+		$this->assertEmpty( $post_terms_1 );
+
+		// wptests_tax_2 terms should have been added successfully.
+		$post_terms_2 = wp_get_object_terms( $post->ID, 'wptests_tax_2' );
+		$this->assertEqualSets( array( $t2 ), wp_list_pluck( $post_terms_2, 'term_id' ) );
+	}
+}