This hardens WordPress against a common vector which uses multiple user identifiers in a single `system.multicall` call. In the event that authentication fails, all following authentication attempts *in that call* will also fail.
Props dd32, johnbillion.
Fixes #34336.
git-svn-id: https://develop.svn.wordpress.org/trunk@35366 602fd350-edb4-49c9-b593-d223f7449a82
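A minimal model of the behaviour described in the commit message above, added here as an illustration and not WordPress core code. The class `MulticallServer`, the method name `demo.getProfile`, the fault values and the sample account are all hypothetical; the point shown is that once one login in a request fails, every later login in the same `system.multicall` batch is rejected without the credentials being checked.

```php
<?php
// Simplified model of a multicall dispatcher (hypothetical names, not WordPress core).
final class MulticallServer
{
    /** @var array<string,string> username => password hash (constructed sample accounts) */
    private array $users;

    /** Set on the first failed login and never reset within the same request. */
    private bool $authFailed = false;

    /** Number of real credential checks performed, kept for illustration. */
    public int $passwordChecks = 0;

    public function __construct(array $users)
    {
        $this->users = $users;
    }

    private function login(string $user, string $pass): bool
    {
        if ($this->authFailed) {
            // Short-circuit: after one failure, later credentials are not even checked.
            return false;
        }
        $this->passwordChecks++;
        $ok = isset($this->users[$user]) && password_verify($pass, $this->users[$user]);
        if (!$ok) {
            $this->authFailed = true;
        }
        return $ok;
    }

    /** Runs each sub-call in order; every sub-call carries its own credentials. */
    public function multicall(array $calls): array
    {
        $results = [];
        foreach ($calls as $call) {
            [$user, $pass] = $call['params'];
            $results[] = $this->login($user, $pass)
                ? ['ok' => true, 'method' => $call['methodName']]
                : ['faultCode' => 403, 'faultString' => 'Incorrect username or password.'];
        }
        return $results;
    }
}

// Constructed sample data: one account, one batch carrying two login attempts.
// A new server object per request means the failure flag is scoped to that request.
$server = new MulticallServer(['alice' => password_hash('correct-horse', PASSWORD_DEFAULT)]);
$results = $server->multicall([
    ['methodName' => 'demo.getProfile', 'params' => ['alice', 'wrong-guess']],
    ['methodName' => 'demo.getProfile', 'params' => ['alice', 'correct-horse']],
]);

foreach ($results as $i => $result) {
    echo $i, ': ', json_encode($result), PHP_EOL;
}
echo 'password checks performed: ', $server->passwordChecks, PHP_EOL;
```

The second sub-call carries the correct password but still returns the fault, and only one credential check is performed for the whole batch.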
* Change the 3rd arg from `args` to `width`
* Change `wp_image_sizes_args` filter to `wp_get_attachment_image_sizes`
Updates unit tests.
Props joemcgill.
Fixes #34379.
git-svn-id: https://develop.svn.wordpress.org/trunk@35355 602fd350-edb4-49c9-b593-d223f7449a82
This allows sites to use an admin area over HTTPS with the front end over HTTP, and not end up with a cross-protocol problem when using the REST API URL in the admin area.
Fixes #34299.
git-svn-id: https://develop.svn.wordpress.org/trunk@35351 602fd350-edb4-49c9-b593-d223f7449a82
This allows sites to use an admin area over HTTPS with the front end over HTTP, and not end up with a cross-protocol problem when using the REST API URL in the admin area.
Fixes #34299.
git-svn-id: https://develop.svn.wordpress.org/trunk@35342 602fd350-edb4-49c9-b593-d223f7449a82
The `notify_moderator` filter makes it possible to override the value for the `moderation_notify` option, which controls whether to send new comment emails to "site moderators", that is to say, the owner of the admin email for the site and the post author if they have the ability to modify the comment.
The `notify_post_author` filter likewise makes it possible to override the value for the `comments_notify` option, which controls whether to send new comment emails to the post author. If the post author is the comment author, default behavior is not to send the notification. Note: enabling or disabling notifications via this hook could also affect other recipients added via the 'comment_notification_recipients' filter in `wp_notify_postauthor()`, if hooked.
Passing a falsey value to either of the new filters will prevent notifications from being sent, regardless of their corresponding option values.
Adds tests.
Props coffee2code, adamsilverstein, DrewAPicture.
Fixes #761.
git-svn-id: https://develop.svn.wordpress.org/trunk@35339 602fd350-edb4-49c9-b593-d223f7449a82
[34247] made the 'public' parameter of `register_taxonomy()` work by blocking
requests for non-public taxonomy archives during `parse_request()`. Blocking
taxonomy archive requests this late means that it's impossible to register an
independent query var that matches the slug of a non-public taxonomy. By
moving the block to `register_taxonomy()` - not allowing these taxonomies to
register their query vars in the first place - we free up the slug for other
use. In addition, we free up a bit of processing (no need to look for the query
var in `parse_request()`) and better parallel the way non-public post types
work. See `register_post_type()`.
Non-public taxonomy archives that are requested using `?taxonomy=tax_name` are
still blocked during `parse_request`. It's only custom query vars -
`?tax_name=term` - that are affected by this change.
Props mboynes.
Fixes #21949.
git-svn-id: https://develop.svn.wordpress.org/trunk@35333 602fd350-edb4-49c9-b593-d223f7449a82
[34561] instituted the policy of forcing pagination for comments. This strategy
was intended to avert problems when 'page_comments' is set to 0 - as it is by
default - and the number of comments on a given post rises into the hundreds or
thousands. By forcing pagination in all cases, we ensured that WordPress would
not time out by processing unwieldy numbers of comments on a given pageload.
The strategy proves problematic, however, because comment permalinks are
generated using the page of the comment. Forcing pagination for posts that
were not previously paginated would change the URL of all comments that do not
appear on the default comment page.
This changeset reintroduces the 'page_comments' setting and its corresponding
checkbox on Settings > Discussion. A number of tests, which were written after
[34561], are modified to work now that 'page_comments' will, once again, be
disabled by default.
See #8071.
git-svn-id: https://develop.svn.wordpress.org/trunk@35331 602fd350-edb4-49c9-b593-d223f7449a82
Also move style rule from `customize-nav-menus.css` to `customize-controls.css` so that widgets button is properly styled when `nav_menus` component is excluded from loading. See [35304]. See #33327.
Props westonruter, DrewAPicture.
Fixes #33552.
git-svn-id: https://develop.svn.wordpress.org/trunk@35307 602fd350-edb4-49c9-b593-d223f7449a82
The `autoload` argument value is passed along to `update_option()` which has accepted an `$autoload` parameter since [31628].
Props westonruter, dlh.
See #26394.
Fixes #33499.
git-svn-id: https://develop.svn.wordpress.org/trunk@35305 602fd350-edb4-49c9-b593-d223f7449a82
The same indicator on the nav menus admin page is now present for nav menu items in the Customizer. When a menu item is present for a post type that is no longer registered, the menu item will appear with the indicator.
Props kucrut, westonruter.
Fixes #33665.
git-svn-id: https://develop.svn.wordpress.org/trunk@35302 602fd350-edb4-49c9-b593-d223f7449a82
Cuts down on unnecessary queries, especially in environments that rely on
post meta a lot. Reverts [32997].
Props ap.koponen, swissspidy.
Fixes #34368.
git-svn-id: https://develop.svn.wordpress.org/trunk@35299 602fd350-edb4-49c9-b593-d223f7449a82
Introduces more flexibility in filtering all parts of the document title, the
separator, and a way to short-circuit title generation. Plugins can now also
check for theme support and reliably filter the entire output. See #18548.
Deprecates `wp_title()`.
Fixes #31078.
git-svn-id: https://develop.svn.wordpress.org/trunk@35294 602fd350-edb4-49c9-b593-d223f7449a82
Widgets panel will not wait to display until the preview loads.
Also fixes problems with `margin-top` in panels where other panels' `active` states change, as well as ensuring sections of deactivated panel collapse before panel is hidden to prevent the pane from becoming empty of controls.
Fixes #33052.
Fixes #33567.
git-svn-id: https://develop.svn.wordpress.org/trunk@35231 602fd350-edb4-49c9-b593-d223f7449a82
[34997] caused `get_term()` to return an error object in the case when
`$taxonomy` did not match the taxonomy of the located term. This was an
inadvertent change from the previous behavior, when `get_term()` would return
null in these cases.
Props dlh.
See #14162. Fixes #34332.
git-svn-id: https://develop.svn.wordpress.org/trunk@35227 602fd350-edb4-49c9-b593-d223f7449a82
Using more than one instance of `WP_UnitTest_Factory` causes all kinds of craziness, due to out-of-sync internal generator sequences. Since we want to use `setUpBeforeClass`, we were creating ad hoc instances. To avoid that, we were injecting one `static` instance via Dependency Injection in `wpSetUpBeforeClass`. All tests should really use the `static` instance, so we will remove the instance prop `$factory`.
Replace `$this->factory` with `self::$factory` over 2000 times.
Rewrite all of the tests that were hard-coding dynamic values.
#YOLOFriday
git-svn-id: https://develop.svn.wordpress.org/trunk@35225 602fd350-edb4-49c9-b593-d223f7449a82
They were added 3 years ago in [846/tests] because tests weren't excluded from the normal runs.
Reverts [35209] because it doesn't work with Xdebug.
`Tests_Ajax_Response::test_response_charset_in_header` is the only test which needs to run in a separate process, see [975/tests].
See #31491.
git-svn-id: https://develop.svn.wordpress.org/trunk@35211 602fd350-edb4-49c9-b593-d223f7449a82
Most of the Ajax tests are running in a separate PHP process, and thus PHPUnit attempts to preserve the global state from the parent process by serializing all globals. But this doesn't work for external object caches so we have to disable this "feature".
See #31491.
git-svn-id: https://develop.svn.wordpress.org/trunk@35209 602fd350-edb4-49c9-b593-d223f7449a82
This makes it way easier to add fixtures, and tear them down, without needing to instantiate `WP_UnitTest_Factory` in every class - removes the need to call `commit_transaction()` in each individual class.
See #30017, #33968.
git-svn-id: https://develop.svn.wordpress.org/trunk@35186 602fd350-edb4-49c9-b593-d223f7449a82
The `create_many()` number should be padded by just one, to account for the
user created by the test suite. Introduced in [35114].
We also don't have to create so many fixtures to run this test.
See #28631.
git-svn-id: https://develop.svn.wordpress.org/trunk@35123 602fd350-edb4-49c9-b593-d223f7449a82
By default, `WP_Query` will not cache query results when using a persistent
object cache. The lazyload tests, however, depend on the cache being set during
each `WP_Query`, because the object cache is cleared between tests.
See #31491.
git-svn-id: https://develop.svn.wordpress.org/trunk@35112 602fd350-edb4-49c9-b593-d223f7449a82
Some cache backends may use a class name other than `WP_Object_Cache` for their
cache drop-in. For example, certain versions of the APC Object Cache plugin
have a shim called `APC_Object_Cache`.
See #31491.
git-svn-id: https://develop.svn.wordpress.org/trunk@35108 602fd350-edb4-49c9-b593-d223f7449a82
It should be `'Y-m-d H:i:s'` in order to match the regex in `get_gmt_from_date()` if `'timezone_string'` option is not set.
Props pbearne.
Fixes #34277.
git-svn-id: https://develop.svn.wordpress.org/trunk@35091 602fd350-edb4-49c9-b593-d223f7449a82
The data stored in the cache should be raw database query results, not
`WP_Term` objects (which may be modified by plugins, and may contain additional
properties that shouldn't be cached).
If term relationships caches were handled in `wp_get_object_terms()` - where
a database query takes place - it would be straightforward to cache raw data.
See #34239. Since, in fact, `get_the_terms()` caches the value it gets from
`wp_get_object_terms()`, we need a technique that allows us to get raw data
from a `WP_Term` object. Mirroring `WP_User`, we introduce a `data` property
on term objects, which `get_the_terms()` uses to fetch cacheable term info.
Fixes #34262.
git-svn-id: https://develop.svn.wordpress.org/trunk@35032 602fd350-edb4-49c9-b593-d223f7449a82
The test, introduced in [33724], was intended to demonstrate the behavior of
`example.com?tag=foo` routing. But an error in the test setup meant that a
URL-encoded tag object was being set as the value of 'tag'. Due to a quirk in
the way that `parse_request()` parses query vars, an object value for 'tag'
would inadvertently produce correct results in certain cases. But it's not a
usage we actively support, and it's not what was meant to be tested.
See #33532, #34262.
git-svn-id: https://develop.svn.wordpress.org/trunk@35030 602fd350-edb4-49c9-b593-d223f7449a82
After [34997], the `$taxonomy` parameter of `get_term()` is optional. This
changeset brings `get_term_field()` in line with the new usage.
Adds unit tests for `get_term_field()`.
Props DrewAPicture.
See #34245.
git-svn-id: https://develop.svn.wordpress.org/trunk@35028 602fd350-edb4-49c9-b593-d223f7449a82
A valid `$network_id` or `null`/`false` is expected as the first parameter for `_network_option()`. If something other than that is passed, we immediately return `false` rather than attempting to guess what network was intended.
See #28290.
git-svn-id: https://develop.svn.wordpress.org/trunk@35025 602fd350-edb4-49c9-b593-d223f7449a82
This better aligns with expectations and matches the structure used by `_blog_option()`. The `_site_option()` functions remain as an appropriate method for working with the current network.
See #28290.
git-svn-id: https://develop.svn.wordpress.org/trunk@35024 602fd350-edb4-49c9-b593-d223f7449a82
Upload space of 0 is now more possible via r35016 and should be respected rather than modified to a default of 10MB.
Fixes #34037.
git-svn-id: https://develop.svn.wordpress.org/trunk@35017 602fd350-edb4-49c9-b593-d223f7449a82
Previously, a value matching `empty()` would have been bypassed in favor of the default setting for 100MB.
Related #19538, r19639, r19652, where we saw the bug, fixed the bug, and then unfixed the bug so that it was not a surprise in a point release.
See #34037.
git-svn-id: https://develop.svn.wordpress.org/trunk@35016 602fd350-edb4-49c9-b593-d223f7449a82
As the number of multidimensional settings (serialized options and theme mods) increases for a given ID base (e.g. a widget of a certain type), the number of calls to the `multidimensional` methods on `WP_Customize_Setting` increases exponentially, and the time for the preview to refresh grows in time exponentially as well.
To improve performance, this change reduces the number of filters needed to preview the settings off of a multidimensional root from N to 1. This improves performance from `O(n^2)` to `O(n)`, but the linear increase is so low that the performance is essentially `O(1)` in comparison. This is achieved by introducing the concept of an "aggregated multidimensional" setting, where the root value of the multidimensional serialized setting value gets cached in a static array variable shared across all settings.
Also improves performance by only adding preview filters if there is actually a need to do so: there is no need to add a filter if there is an initial value and if there is no posted value for a given setting (if it is not dirty).
Fixes #32103.
git-svn-id: https://develop.svn.wordpress.org/trunk@35007 602fd350-edb4-49c9-b593-d223f7449a82
A side effect of this change is that terms stored in the cache no longer have
an `object_id` associated with them. Previously, `object_id` had always been
cached when the term cache was populated via `wp_get_object_terms()`, a
strategy that was mostly harmless but still incorrect.
See #14162.
git-svn-id: https://develop.svn.wordpress.org/trunk@34999 602fd350-edb4-49c9-b593-d223f7449a82
`get_term()` now returns a `WP_Term` object, instead of a `stdClass` object.
Cache support and sanitization filters for individual terms are now more
centralized. For example, `get_term_by()` is able to cast results of its query
to a `WP_Term` object by passing it through `get_term()`.
The `$taxonomy` parameter for `get_term()` is now optional, as terms ought to
be unique to a taxonomy (ie, shared terms no longer exist). In cases where
`get_term()` detects that the term matching the specified term_id is from the
wrong taxonomy, it checks to see if you've requested a shared term, and if so,
it splits the term. This is used only for fallback purposes.
The elimination of shared terms allows the caching strategy for terms to be
simplified. Individual terms are now cached in a single 'terms' bucket.
Props flixos90, boonebgorges, scribu, dipesh.kakadiya.
See #14162.
git-svn-id: https://develop.svn.wordpress.org/trunk@34997 602fd350-edb4-49c9-b593-d223f7449a82
It's back, and it's better than ever: an overhaul of role-related arguments
in `WP_User_Query`. This updated version of the previously-reverted [34875]
includes support for the use of `$blog_id` without specifying a `$role`, for
a 99.7% reduced chance of breaking wordpress.org and other large sites.
Props boonebgorges, swissspidy.
Fixes #22212.
git-svn-id: https://develop.svn.wordpress.org/trunk@34959 602fd350-edb4-49c9-b593-d223f7449a82
The `$screen` parameter in both functions can now accept a single screen ID, `WP_Screen` object, or an array of screen IDs.
Adds tests.
Props coffee2code, iamfriendly, madalinungureanu, mordauk, igmoweb, meloniq, DrewAPicture.
See #15000.
git-svn-id: https://develop.svn.wordpress.org/trunk@34951 602fd350-edb4-49c9-b593-d223f7449a82
Since [14031] the container can be omitted in `wp_nav_menu()`. It can not
however in `wp_page_menu()`, which creates a conflict if it is set as
the fallback. Let's make sure there is always a valid container tag.
Fixes #33974.
git-svn-id: https://develop.svn.wordpress.org/trunk@34950 602fd350-edb4-49c9-b593-d223f7449a82
Previously, the `name` fallback was failing in the case where the current user
was 0, due to a loose comparison between 0 (the current user) and `null` (the
value that is used to trigger the `name` fallback).
Props bobbingwide.
Fixes #20845.
git-svn-id: https://develop.svn.wordpress.org/trunk@34947 602fd350-edb4-49c9-b593-d223f7449a82
Pass a keyword with a leading hyphen to exclude posts containing that keyword.
For example, 'taco -onions' will return posts that contain the word 'taco' but
do not contain the word 'onions'.
Props akibjorklund.
Fixes #33988.
git-svn-id: https://develop.svn.wordpress.org/trunk@34934 602fd350-edb4-49c9-b593-d223f7449a82
Baby API was born at 2.8KLOC on October 8th at 2:30 UTC. API has lots
of growing to do, so wish it the best of luck.
Thanks to everyone who helped along the way:
Props rmccue, rachelbaker, danielbachhuber, joehoyle, drewapicture,
adamsilverstein, netweb, tlovett1, shelob9, kadamwhite, pento,
westonruter, nikv, tobych, redsweater, alecuf, pollyplummer, hurtige,
bpetty, oso96_2000, ericlewis, wonderboymusic, joshkadis, mordauk,
jdgrimes, johnbillion, jeremyfelt, thiago-negri, jdolan, pkevan,
iseulde, thenbrent, maxcutler, kwight, markoheijnen, phh, natewr,
jjeaton, shprink, mattheu, quasel, jmusal, codebykat, hubdotcom,
tapsboy, QWp6t, pushred, jaredcobb, justinsainton, japh, matrixik,
jorbin, frozzare, codfish, michael-arestad, kellbot, ironpaperweight,
simonlampen, alisspers, eliorivero, davidbhayes, JohnDittmar, dimadin,
traversal, cmmarslender, Toddses, kokarn, welcher, and ericpedia.
Fixes #33982.
git-svn-id: https://develop.svn.wordpress.org/trunk@34928 602fd350-edb4-49c9-b593-d223f7449a82
We should not be storing the `WP_User` object in the cache, as it may contain
usermeta and other data that's cached elsewhere.
Props dd32.
See #24635.
git-svn-id: https://develop.svn.wordpress.org/trunk@34919 602fd350-edb4-49c9-b593-d223f7449a82
For the past 6 years, WordPress has operated as an oEmbed consumer, allowing users to easily embed content from other sites. By adding oEmbed provider support, this allows any oEmbed consumer to embed posts from WordPress sites.
In addition to creating an oEmbed provider, WordPress' oEmbed consumer code has been enhanced to work with any site that provides oEmbed data (as long as it matches some strict security rules), and provides a preview from within the post editor.
For security, embeds appear within a sandboxed iframe - the iframe content is a template that can be styled or replaced entirely by the theme on the provider site.
Props swissspidy, pento, melchoyce, netweb, pfefferle, johnbillion, extendwings, davidbinda, danielbachhuber, SergeyBiryukov, afercia
Fixes #32522.
git-svn-id: https://develop.svn.wordpress.org/trunk@34903 602fd350-edb4-49c9-b593-d223f7449a82
Originally introduced in [34601], this was necessary to avoid test pollution. Now that things have been separated and written to play nicely, we can remove this.
See #34037.
git-svn-id: https://develop.svn.wordpress.org/trunk@34902 602fd350-edb4-49c9-b593-d223f7449a82
* Move all tests to a new 'multisite/uploadIsUserOverQuota.php'
* Use `get_space_allowed` and `pre_get_space_used` filters to help avoid test pollution.
See #34037.
git-svn-id: https://develop.svn.wordpress.org/trunk@34901 602fd350-edb4-49c9-b593-d223f7449a82
Provides a specific test for a case where non-numeric strings are assigned to `blog_upload_space` at both the site and network levels.
See #34037.
git-svn-id: https://develop.svn.wordpress.org/trunk@34900 602fd350-edb4-49c9-b593-d223f7449a82
* Move all tests to a new 'multisite/isUploadSpaceAvailable.php'
* Store original `blog_upload_space` values before the class is loaded.
* Restore these values after each test tear down to avoid pollution.
Commit to testing `is_upload_space_available()` itself by always filtering the amount of space used through `pre_get_space_used`. This allows us to sanely test without worrying about the local environment. In the future, we may be able to remove some of these tests as `get_upload_space_available()` tests are built out and reliable.
See #34037.
git-svn-id: https://develop.svn.wordpress.org/trunk@34899 602fd350-edb4-49c9-b593-d223f7449a82
* Move all tests to a new `multisite/getSpaceAllowed.php`
* Store original `blog_upload_space` values before the class is loaded.
* Restore these values after each test tear down to avoid pollution.
* Add a comprehensive set of expectations and results via data provider.
See #34037.
git-svn-id: https://develop.svn.wordpress.org/trunk@34898 602fd350-edb4-49c9-b593-d223f7449a82
WordPress.org was taken down due to as Otto42 describes:
The previous version of this function added the query piece for the meta key = blog_id.capabilities, regardless of whether or not a role was requested. This limits the users returned to those with some defined role on this particular multisite instance.
See #22212
git-svn-id: https://develop.svn.wordpress.org/trunk@34880 602fd350-edb4-49c9-b593-d223f7449a82
The ajax delete comment tests are intermittently failing. Many of the assertions make it hard to tell why they are failing. This adds a message to one of those assertions that contains some info on what is being asserted with the goal that it helps developers understand why the failure is failing.
See #33968
git-svn-id: https://develop.svn.wordpress.org/trunk@34879 602fd350-edb4-49c9-b593-d223f7449a82
* 'role' now accepts an array or comma-separated list of role names. When passing multiple values for 'role', `WP_User_Query` will only match users that have all of the specified roles.
* 'role__in' accepts an array of role names, and allows the filtering of matched users to those with at least one of the specified roles.
* 'role__not_in' accepts an array of role names, and allows the filtering of matched users to those who have none of the specified roles.
Props swissspidy, mordauk, barrykooij, sirbrillig.
Fixes #22212.
git-svn-id: https://develop.svn.wordpress.org/trunk@34875 602fd350-edb4-49c9-b593-d223f7449a82