From 32f2903248524eb5b0ca1eba80e1080d85b271a2 Mon Sep 17 00:00:00 2001
From: Boone Gorges
Date: Sat, 31 Jan 2015 19:37:12 +0000
Subject: [PATCH] Prevent terms in a show_in_quick_edit=false taxonomy from being updated by a faked AJAX request.

The UI for these taxonomies was hidden in [31308], but it remained possible to send a direct POST request to the `inline-edit` endpoint to bypass the restriction. The current changeset fixes this.

Props meloniq.
Fixes #26948.

git-svn-id: https://develop.svn.wordpress.org/trunk@31313 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/ajax-actions.php | 11 ++++
 tests/phpunit/tests/ajax/QuickEdit.php | 71 ++++++++++++++++++++++++++
 2 files changed, 82 insertions(+)
 create mode 100644 tests/phpunit/tests/ajax/QuickEdit.php

diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index 1e846fbdfd..23cb62fae3 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -1550,6 +1550,17 @@ function wp_ajax_inline_save() {
 	if ( empty($data['ping_status']) )
 		$data['ping_status'] = 'closed';
 
+	// Exclude terms from taxonomies that are not supposed to appear in Quick Edit.
+	if ( ! empty( $data['tax_input'] ) ) {
+		foreach ( $data['tax_input'] as $taxonomy => $terms ) {
+			$tax_object = get_taxonomy( $taxonomy );
+			/** This filter is documented in wp-admin/includes/class-wp-posts-list-table.php */
+			if ( ! apply_filters( 'quick_edit_show_taxonomy', $tax_object->show_in_quick_edit, $taxonomy, $post['post_type'] ) ) {
+				unset( $data['tax_input'][ $taxonomy ] );
+			}
+		}
+	}
+
 	// Hack: wp_unique_post_slug() doesn't work for drafts, so we will fake that our post is published.
 	if ( ! empty( $data['post_name'] ) && in_array( $post['post_status'], array( 'draft', 'pending' ) ) ) {
 		$post['post_status'] = 'publish';
diff --git a/tests/phpunit/tests/ajax/QuickEdit.php b/tests/phpunit/tests/ajax/QuickEdit.php
new file mode 100644
index 0000000000..ec37c5795d
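Review bot: `get_taxonomy( $taxonomy )` returns `false` when the POSTed `tax_input` key is not a registered taxonomy, so the `$tax_object->show_in_quick_edit` read on the next line dereferences a non-object (a PHP notice yielding `null`) before the filter even runs; the term is then dropped only because `! null` happens to be true. Since the key comes straight from the request, that is exactly the path a forged POST will take, so make the exclusion explicit: `if ( ! $tax_object || ! apply_filters( 'quick_edit_show_taxonomy', $tax_object->show_in_quick_edit, $taxonomy, $post['post_type'] ) ) {`. `wp_ajax_inline_save()` begins and ends outside this hunk, so whether `$post['post_type']` and the rest of `$data` were validated earlier cannot be confirmed from here.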
--- /dev/null
+++ b/tests/phpunit/tests/ajax/QuickEdit.php
@@ -0,0 +1,71 @@
+ false,
+		'hierarchical' => true,
+	) );
+	register_taxonomy( 'wptests_tax_2', 'post', array(
+		'show_in_quick_edit' => true,
+		'hierarchical' => true,
+	) );
+
+	$t1 = $this->factory->term->create( array(
+		'taxonomy' => 'wptests_tax_1',
+	) );
+	$t2 = $this->factory->term->create( array(
+		'taxonomy' => 'wptests_tax_2',
+	) );
+
+	// Become an administrator.
+	$this->_setRole( 'administrator' );
+
+	$post = $this->factory->post->create_and_get( array(
+		'post_author' => get_current_user_id(),
+	) );
+
+	// Set up a request.
+	$_POST['_inline_edit'] = wp_create_nonce( 'inlineeditnonce' );
+	$_POST['post_ID'] = $post->ID;
+	$_POST['post_type'] = $post->post_type;
+	$_POST['content'] = $post->post_content;
+	$_POST['excerpt'] = $post->post_excerpt;
+	$_POST['_status'] = $post->post_status;
+	$_POST['post_status'] = $post->post_status;
+	$_POST['screen'] = 'post';
+	$_POST['tax_input'] = array(
+		'wptests_tax_1' => array( $t1 ),
+		'wptests_tax_2' => array( $t2 ),
+	);
+
+	// Make the request.
+	try {
+		$this->_handleAjax( 'inline-save' );
+	} catch ( WPAjaxDieContinueException $e ) {
+		unset( $e );
+	}
+
+	// wptests_tax_1 terms should have been refused.
+	$post_terms_1 = wp_get_object_terms( $post->ID, 'wptests_tax_1' );
+	$this->assertEmpty( $post_terms_1 );
+
+	// wptests_tax_2 terms should have been added successfully.
+	$post_terms_2 = wp_get_object_terms( $post->ID, 'wptests_tax_2' );
+	$this->assertEqualSets( array( $t2 ), wp_list_pluck( $post_terms_2, 'term_id' ) );
+}
+}
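Review bot: The test only covers the registered-taxonomy case, while the production check in `wp_ajax_inline_save()` also has to cope with a `tax_input` key that is not a registered taxonomy (`get_taxonomy()` returning `false`) and with the `quick_edit_show_taxonomy` filter overriding a taxonomy's `show_in_quick_edit` flag; neither path is asserted here. Consider a second case that posts `'wptests_tax_nonexistent' => array( $t1 )` alongside the two registered keys and asserts that the request still completes with no terms attached for it, and a third that hooks `quick_edit_show_taxonomy` to return `false` for `wptests_tax_2` and asserts its terms are refused as well. The nonce setup and `_handleAjax( 'inline-save' )` call in this method can be reused verbatim for both. The head of the file (class declaration, method signature and the first `register_taxonomy()` call) is not visible in this hunk as shown.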