From 4f685410b240987a9c06f61cd955e3cb7bbc933a Mon Sep 17 00:00:00 2001
From: Joe Hoyle
Date: Tue, 8 Nov 2016 14:07:10 +0000
Subject: [PATCH] REST API: Remove get_allowed_query_vars() now `filter` is gone.

Now all public query vars are not supoprted via `?filter` in the REST API, we can remove the get_allowed_query_vars() method and filter. To provide developers with a good altnerative to `filter`, the `"rest_{$this->post_type}_collection_params"` filter has been added.
Props rmccue, rachelbacker, danielbachhuber.
Fixes #38629.

git-svn-id: https://develop.svn.wordpress.org/trunk@39162 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../class-wp-rest-posts-controller.php | 119 ++++--------------
 1 file changed, 27 insertions(+), 92 deletions(-)

diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
index 42bcfb78fd..716f3297c0 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -815,23 +815,19 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 * @return array Items query arguments.
 */
 protected function prepare_items_query( $prepared_args = array(), $request = null ) {
-
- $valid_vars = array_flip( $this->get_allowed_query_vars( $request ) );
 $query_args = array();
- foreach ( $valid_vars as $var => $index ) {
- if ( isset( $prepared_args[ $var ] ) ) {
- /**
- * Filters the query_vars used in get_items() for the constructed query.
- *
- * The dynamic portion of the hook name, `$var`, refers to the query_var key.
- *
- * @since 4.7.0
- *
- * @param string $var The query_var value.
- */
- $query_args[ $var ] = apply_filters( "rest_query_var-{$var}", $prepared_args[ $var ] );
- }
+ foreach ( $prepared_args as $key => $value ) {
+ /**
+ * Filters the query_vars used in get_items() for the constructed query.
+ *
+ * The dynamic portion of the hook name, `$key`, refers to the query_var key.
+ *
+ * @since 4.7.0
+ *
+ * @param string $value The query_var value.
+ */
+ $query_args[ $key ] = apply_filters( "rest_query_var-{$key}", $value );
 }
 if ( 'post' !== $this->post_type || ! isset( $query_args['ignore_sticky_posts'] ) ) {
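Review bot: The rewritten loop in prepare_items_query() forwards every key of `$prepared_args` into `$query_args`, so with the get_allowed_query_vars() allowlist gone this method no longer restricts which WP_Query variables a request can set. Whether that is safe depends on the caller (not visible in this hunk) building `$prepared_args` only from registered collection parameters, and the method's docblock should say so, for example `@param array $prepared_args Optional. Query arguments already limited to vetted WP_Query keys; no allowlist is applied here.` The hook docblock also keeps `@param string $value`, but values such as `post__in` are arrays, so `@param mixed $value The query_var value.` is more accurate. The body of prepare_items_query() continues past the end of the hunk.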
@@ -845,82 +841,6 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 return $query_args;
 }
- /**
- * Retrieves all of the WP Query vars that are allowed for the REST API request.
- *
- * @since 4.7.0
- * @access protected
- *
- * @param WP_REST_Request $request Optional. Full details about the request.
- * @return array Allowed query variables.
- */
- protected function get_allowed_query_vars( $request = null ) {
- global $wp;
-
- /** This filter is documented in wp-includes/class-wp.php */
- $valid_vars = apply_filters( 'query_vars', $wp->public_query_vars );
-
- $post_type_obj = get_post_type_object( $this->post_type );
- if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
- /**
- * Filters the allowed 'private' query vars for authorized users.
- *
- * If the user has the `edit_posts` capability, we also allow use of
- * private query parameters, which are only undesirable on the
- * frontend, but are safe for use in query strings.
- *
- * To disable anyway, use
- * `add_filter( 'rest_private_query_vars', '__return_empty_array' );`
- *
- * @since 4.7.0
- *
- * @param array $private_query_vars Array of allowed query vars for authorized users.
- */
- $private = apply_filters( 'rest_private_query_vars', $wp->private_query_vars );
-
- $valid_vars = array_merge( $valid_vars, $private );
- }
-
- // Define our own in addition to WP's normal vars.
- $rest_valid = array(
- 'author__in',
- 'author__not_in',
- 'ignore_sticky_posts',
- 'menu_order',
- 'offset',
- 'post__in',
- 'post__not_in',
- 'post_parent',
- 'post_parent__in',
- 'post_parent__not_in',
- 'posts_per_page',
- 'date_query',
- 'post_name__in',
- );
-
- $valid_vars = array_merge( $valid_vars, $rest_valid );
-
- /**
- * Filters allowed query vars for the REST API.
- *
- * This filter allows you to add or remove query vars from the final allowed
- * list for all requests, including unauthenticated ones. To alter the
- * vars for editors only, see {@see 'rest_private_query_vars'}.
- *
- * @since 4.7.0
- *
- * @param array {
- * Array of allowed WP_Query query vars.
- *
- * @param string $allowed_query_var The query var to allow.
- * @param WP_REST_Request $request Request object.
- * }
- */
- $valid_vars = apply_filters( 'rest_query_vars', $valid_vars, $request );
-
- return $valid_vars;
- }
-
 /**
 * Checks the post_date_gmt or modified_gmt and prepare any post or
 * modified date for single post output.
@@ -2195,7 +2115,22 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 );
 }
- return $params;
+ /**
+ * Filter collection parameters for the posts controller.
+ *
+ * The dynamic part of the filter `$this->post_type` refers to the post
+ * type slug for the controller.
+ *
+ * This filter registers the collection parameter, but does not map the
+ * collection parameter to an internal WP_Query parameter. Use the
+ * `rest_{$this->post_type}_query` filter to set WP_Query parameters.
+ *
+ * @since 4.7.0
+ *
+ * @param $params JSON Schema-formatted collection parameters.
+ * @param WP_Post_Type $post_type_obj Post type object.
+ */
+ return apply_filters( "rest_{$this->post_type}_collection_params", $params, $post_type_obj );
 }
 /**
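Review bot: The docblock for the new `rest_{$this->post_type}_collection_params` filter has an untyped first parameter and an imperative summary, while the other hook docblocks in this patch use the third person ("Filters ...") and typed tags; I would write `Filters collection parameters for the posts controller.` and `@param array $params JSON Schema-formatted collection parameters.` `$post_type_obj` is passed to the filter but is not assigned anywhere in the hunk; the enclosing method starts above it, so confirm the variable is set on every path before this return. Since callbacks on this filter can add request parameters that a `rest_{$this->post_type}_query` callback later copies into WP_Query, the docblock could also note that each added parameter should declare its `type` and a `sanitize_callback` in the schema.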