Grouped backports for the 4.9 branch.

- REST API: Increase the specificity of capability checks for collections when the `edit` context is in use.
- Menus: Prevent HTML in menu item titles from being rendered unexpectedly.

Merges [60814], [60815], [60816] to the 4.9 branch.

Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, phillsav, rmccue, timothyblynjacobs, vortfu, westonruter , whyisjake, zieladam.

git-svn-id: https://develop.svn.wordpress.org/branches/4.9@60837 602fd350-edb4-49c9-b593-d223f7449a82

Author: desrosj

src/wp-admin/js/customize-nav-menus.js

@@ -517,7 +517,13 @@
 				return;
 			}
 
-			this.currentMenuControl.addItemToMenu( menu_item.attributes );
+			// Leave the title as empty to reuse the original title as a placeholder if set.
+			var nav_menu_item = Object.assign( {}, menu_item.attributes );
+			if ( nav_menu_item.title === nav_menu_item.original_title ) {
+				nav_menu_item.title = '';
+			}
+
+			this.currentMenuControl.addItemToMenu( nav_menu_item );
 
 			$( menuitemTpl ).find( '.menu-item-handle' ).addClass( 'item-added' );
 		},
@@ -2971,7 +2977,6 @@
 				item,
 				{
 					nav_menu_term_id: menuControl.params.menu_id,
-					original_title: item.title,
 					position: position
 				}
 			);

src/wp-admin/js/nav-menu.js

@@ -1168,20 +1168,27 @@ var wpNavMenu;
 		},
 
 		eventOnClickMenuSave : function() {
-			var locs = '',
-			menuName = $('#menu-name'),
-			menuNameVal = menuName.val();
-			// Cancel and warn if invalid menu name
+			var menuName = $('#menu-name'),
+				menuNameVal = menuName.val();
+
+			// Cancel and warn if invalid menu name.
 			if( !menuNameVal || menuNameVal == menuName.attr('title') || !menuNameVal.replace(/\s+/, '') ) {
 				menuName.parent().addClass('form-invalid');
 				return false;
 			}
-			// Copy menu theme locations
+			// Copy menu theme locations.
+			// Note: This appears to be dead code since #nav-menu-theme-locations no longer exists, perhaps removed in r32842.
+			var $updateNavMenu = $('#update-nav-menu');
 			$('#nav-menu-theme-locations select').each(function() {
-				locs += '<input type="hidden" name="' + this.name + '" value="' + $(this).val() + '" />';
+				$updateNavMenu.append(
+					$( '<input>', {
+						type: 'hidden',
+						name: this.name,
+						value: $( this ).val()
+					} )
+				);
 			});
-			$('#update-nav-menu').append( locs );
-			// Update menu item position data
+			// Update menu item position data.
 			api.menuList.find('.menu-item-data-position').val( function(index) { return index + 1; } );
 			window.onbeforeunload = null;
 
@@ -1221,7 +1228,10 @@ var wpNavMenu;
 			$item;
 
 			if( ! $items.length ) {
-				$('.categorychecklist', panel).html( '<li><p>' + navMenuL10n.noResultsFound + '</p></li>' );
+				var li = $( '<li>' );
+				var p = $( '<p>', { text: navMenuL10n.noResultsFound } );
+				li.append( p );
+				$('.categorychecklist', panel).empty().append( li );
 				$( '.spinner', panel ).removeClass( 'is-active' );
 				wrapper.addClass( 'has-no-menu-item' );
 				return;

src/wp-includes/class-wp-customize-nav-menus.php

@@ -158,13 +158,15 @@ public function load_available_items_query( $type = 'post_type', $object = 'page
 				);
 			} elseif ( 'post' !== $object && 0 === $page && $post_type->has_archive ) {
 				// Add a post type archive link.
+				$title   = $post_type->labels->archives;
 				$items[] = array(
-					'id'         => $object . '-archive',
-					'title'      => $post_type->labels->archives,
-					'type'       => 'post_type_archive',
-					'type_label' => __( 'Post Type Archive' ),
-					'object'     => $object,
-					'url'        => get_post_type_archive_link( $object ),
+					'id'             => $object_name . '-archive',
+					'title'          => $title,
+					'original_title' => $title,
+					'type'           => 'post_type_archive',
+					'type_label'     => __( 'Post Type Archive' ),
+					'object'         => $object_name,
+					'url'            => get_post_type_archive_link( $object_name ),
 				);
 			}
 
@@ -193,14 +195,17 @@ public function load_available_items_query( $type = 'post_type', $object = 'page
 					/* translators: %d: ID of a post */
 					$post_title = sprintf( __( '#%d (no title)' ), $post->ID );
 				}
+
+				$title   = html_entity_decode( $post_title, ENT_QUOTES, get_bloginfo( 'charset' ) );
 				$items[] = array(
-					'id'         => "post-{$post->ID}",
-					'title'      => html_entity_decode( $post_title, ENT_QUOTES, get_bloginfo( 'charset' ) ),
-					'type'       => 'post_type',
-					'type_label' => get_post_type_object( $post->post_type )->labels->singular_name,
-					'object'     => $post->post_type,
-					'object_id'  => intval( $post->ID ),
-					'url'        => get_permalink( intval( $post->ID ) ),
+					'id'             => "post-{$post->ID}",
+					'title'          => $title,
+					'original_title' => $title,
+					'type'           => 'post_type',
+					'type_label'     => get_post_type_object( $post->post_type )->labels->singular_name,
+					'object'         => $post->post_type,
+					'object_id'      => (int) $post->ID,
+					'url'            => get_permalink( (int) $post->ID ),
 				);
 			}
 		} elseif ( 'taxonomy' === $type ) {
@@ -221,14 +226,16 @@ public function load_available_items_query( $type = 'post_type', $object = 'page
 			}
 
 			foreach ( $terms as $term ) {
+				$title   = html_entity_decode( $term->name, ENT_QUOTES, get_bloginfo( 'charset' ) );
 				$items[] = array(
-					'id'         => "term-{$term->term_id}",
-					'title'      => html_entity_decode( $term->name, ENT_QUOTES, get_bloginfo( 'charset' ) ),
-					'type'       => 'taxonomy',
-					'type_label' => get_taxonomy( $term->taxonomy )->labels->singular_name,
-					'object'     => $term->taxonomy,
-					'object_id'  => intval( $term->term_id ),
-					'url'        => get_term_link( intval( $term->term_id ), $term->taxonomy ),
+					'id'             => "term-{$term->term_id}",
+					'title'          => $title,
+					'original_title' => $title,
+					'type'           => 'taxonomy',
+					'type_label'     => get_taxonomy( $term->taxonomy )->labels->singular_name,
+					'object'         => $term->taxonomy,
+					'object_id'      => (int) $term->term_id,
+					'url'            => get_term_link( (int) $term->term_id, $term->taxonomy ),
 				);
 			}
 		}

src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php

@@ -56,7 +56,6 @@ class WP_Customize_Nav_Menu_Item_Setting extends WP_Customize_Setting {
 		'classes'          => '',
 		'xfn'              => '',
 		'status'           => 'publish',
-		'original_title'   => '',
 		'nav_menu_term_id' => 0, // This will be supplied as the $menu_id arg for wp_update_nav_menu_item().
 		'_invalid'         => false,
 	);
@@ -211,7 +210,8 @@ public function flush_cached_value( $menu_id, $menu_item_id ) {
 	 * @return array|false Instance data array, or false if the item is marked for deletion.
 	 */
 	public function value() {
-		if ( $this->is_previewed && $this->_previewed_blog_id === get_current_blog_id() ) {
+		$type_label = null;
+		if ( $this->is_previewed && get_current_blog_id() === $this->_previewed_blog_id ) {
 			$undefined  = new stdClass(); // Symbol.
 			$post_value = $this->post_value( $undefined );
 
@@ -220,9 +220,6 @@ public function value() {
 			} else {
 				$value = $post_value;
 			}
-			if ( ! empty( $value ) && empty( $value['original_title'] ) ) {
-				$value['original_title'] = $this->get_original_title( (object) $value );
-			}
 		} elseif ( isset( $this->value ) ) {
 			$value = $this->value;
 		} else {
@@ -234,6 +231,9 @@ public function value() {
 				if ( $post && self::POST_TYPE === $post->post_type ) {
 					$is_title_empty = empty( $post->post_title );
 					$value = (array) wp_setup_nav_menu_item( $post );
+					if ( isset( $value['type_label'] ) ) {
+						$type_label = $value['type_label'];
+					}
 					if ( $is_title_empty ) {
 						$value['title'] = '';
 					}
@@ -250,20 +250,39 @@ public function value() {
 			$value = $this->value;
 		}
 
-		if ( ! empty( $value ) && empty( $value['type_label'] ) ) {
-			$value['type_label'] = $this->get_type_label( (object) $value );
+		// These properties are read-only and are part of the setting for use in the Customizer UI.
+		if ( is_array( $value ) ) {
+			$value_obj               = (object) $value;
+			$value['type_label']     = isset( $type_label ) ? $type_label : $this->get_type_label( $value_obj );
+			$value['original_title'] = $this->get_original_title( $value_obj );
 		}
 
 		return $value;
 	}
 
+	/**
+	 * Prepares the value for editing on the client.
+	 *
+	 * @since 6.8.3
+	 *
+	 * @return array|false Value prepared for the client.
+	 */
+	public function js_value() {
+		$value = parent::js_value();
+		if ( is_array( $value ) && isset( $value['original_title'] ) ) {
+			// Decode entities for the sake of displaying the original title as a placeholder.
+			$value['original_title'] = html_entity_decode( $value['original_title'], ENT_QUOTES, get_bloginfo( 'charset' ) );
+		}
+		return $value;
+	}
+
 	/**
 	 * Get original title.
 	 *
 	 * @since 4.7.0
 	 *
 	 * @param object $item Nav menu item.
-	 * @return string The original title.
+	 * @return string The original title, without entity decoding.
 	 */
 	protected function get_original_title( $item ) {
 		$original_title = '';
@@ -289,7 +308,6 @@ protected function get_original_title( $item ) {
 				$original_title = $original_object->labels->archives;
 			}
 		}
-		$original_title = html_entity_decode( $original_title, ENT_QUOTES, get_bloginfo( 'charset' ) );
 		return $original_title;
 	}
 
@@ -347,10 +365,6 @@ protected function populate_value() {
 			unset( $this->value['post_status'] );
 		}
 
-		if ( ! isset( $this->value['original_title'] ) ) {
-			$this->value['original_title'] = $this->get_original_title( (object) $this->value );
-		}
-
 		if ( ! isset( $this->value['nav_menu_term_id'] ) && $this->post_id > 0 ) {
 			$menus = wp_get_post_terms( $this->post_id, WP_Customize_Nav_Menu_Setting::TAXONOMY, array(
 				'fields' => 'ids',
@@ -586,11 +600,8 @@ public function value_as_wp_post_nav_menu_item() {
 		$item->menu_order = $item->position;
 		unset( $item->position );
 
-		if ( empty( $item->original_title ) ) {
-			$item->original_title = $this->get_original_title( $item );
-		}
 		if ( empty( $item->title ) && ! empty( $item->original_title ) ) {
-			$item->title = $item->original_title;
+			$item->title = $item->original_title; // This is NOT entity-decoded. It comes from self::get_original_title().
 		}
 		if ( $item->title ) {
 			$item->post_title = $item->title;
@@ -640,7 +651,7 @@ public function value_as_wp_post_nav_menu_item() {
 	 *
 	 * @since 4.3.0
 	 *
-	 * @param array $menu_item_value The value to sanitize.
+	 * @param array|false $value The menu item value to sanitize.
 	 * @return array|false|null|WP_Error Null or WP_Error if an input isn't valid. False if it is marked for deletion.
 	 *                                   Otherwise the sanitized value.
 	 */
@@ -694,8 +705,6 @@ public function sanitize( $menu_item_value ) {
 			$menu_item_value[ $key ] = implode( ' ', array_map( 'sanitize_html_class', $value ) );
 		}
 
-		$menu_item_value['original_title'] = sanitize_text_field( $menu_item_value['original_title'] );
-
 		// Apply the same filters as when calling wp_insert_post().
 
 		/** This filter is documented in wp-includes/post.php */

src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

@@ -338,7 +338,13 @@ public function get_items( $request ) {
 		$posts = array();
 
 		foreach ( $query_result as $post ) {
-			if ( ! $this->check_read_permission( $post ) ) {
+			if ( 'edit' === $request['context'] ) {
+				$permission = $this->check_update_permission( $post );
+			} else {
+				$permission = $this->check_read_permission( $post );
+			}
+
+			if ( ! $permission ) {
 				continue;
 			}
 

src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php

@@ -318,6 +318,9 @@ public function get_items( $request ) {
 		$response = array();
 
 		foreach ( $query_result as $term ) {
+			if ( 'edit' === $request['context'] && ! current_user_can( 'edit_term', $term->term_id ) ) {
+				continue;
+			}
 			$data = $this->prepare_item_for_response( $term, $request );
 			$response[] = $this->prepare_response_for_collection( $data );
 		}

src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

@@ -179,7 +179,7 @@ public function get_items_permissions_check( $request ) {
 		}
 
 		if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
-			return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
+			return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit users.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		if ( in_array( $request['orderby'], array( 'email', 'registered_date' ), true ) && ! current_user_can( 'list_users' ) ) {
@@ -293,6 +293,10 @@ public function get_items( $request ) {
 		$users = array();
 
 		foreach ( $query->results as $user ) {
+			if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
+				continue;
+			}
+
 			$data = $this->prepare_item_for_response( $user, $request );
 			$users[] = $this->prepare_response_for_collection( $data );
 		}
@@ -387,9 +391,11 @@ public function get_item_permissions_check( $request ) {
 			return true;
 		}
 
-		if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
-			return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
-		} elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) {
+		if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
+			return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
+		}
+
+		if ( ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) && ! count_user_posts( $user->ID, $types ) ) {
 			return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
@@ -890,7 +896,7 @@ public function prepare_item_for_response( $user, $request ) {
 			$data['slug'] = $user->user_nicename;
 		}
 
-		if ( in_array( 'roles', $fields, true ) ) {
+		if ( in_array( 'roles', $fields, true ) && ( current_user_can( 'list_users' ) || current_user_can( 'edit_user', $user->ID ) ) ) {
 			// Defensively call array_values() to ensure an array is returned.
 			$data['roles'] = array_values( $user->roles );
 		}

tests/phpunit/tests/customize/nav-menu-item-setting.php

@@ -89,7 +89,6 @@ function test_construct() {
 			'classes' => '',
 			'xfn' => '',
 			'status' => 'publish',
-			'original_title' => '',
 			'nav_menu_term_id' => 0,
 			'_invalid' => false,
 		);
@@ -543,7 +542,7 @@ function test_sanitize() {
 			'classes' => 'hello  inject',
 			'xfn' => 'hello  inject',
 			'status' => 'draft',
-			'original_title' => 'Hi',
+			'original_title'   => 'Hi<script>unfilteredHtml()</script>',
 			'nav_menu_term_id' => 0,
 		);
 
@@ -841,7 +840,6 @@ function test_value_as_wp_post_nav_menu_item() {
 			'classes'          => '',
 			'xfn'              => '',
 			'status'           => 'publish',
-			'original_title'   => '',
 			'nav_menu_term_id' => 0,
 			'_invalid'         => false,
 		);

tests/phpunit/tests/customize/nav-menus.php

@@ -170,6 +170,7 @@ function test_load_available_items_query_returns_post_item_with_page_number() {
 		$expected = array(
 			'id'         => "post-{$post_id}",
 			'title'      => 'Post Title',
+			'original_title'      => 'Post Title',
 			'type'       => 'post_type',
 			'type_label' => 'Post',
 			'object'     => 'post',
@@ -197,6 +198,7 @@ function test_load_available_items_query_returns_page_item() {
 		$expected = array(
 			'id'         => "post-{$page_id}",
 			'title'      => 'Page Title',
+			'original_title'      => 'Page Title',
 			'type'       => 'post_type',
 			'type_label' => 'Page',
 			'object'     => 'page',
@@ -223,6 +225,7 @@ function test_load_available_items_query_returns_post_item() {
 		$expected = array(
 			'id'         => "post-{$post_id}",
 			'title'      => 'Post Title',
+			'original_title'      => 'Post Title',
 			'type'       => 'post_type',
 			'type_label' => 'Post',
 			'object'     => 'post',
@@ -249,6 +252,7 @@ function test_load_available_items_query_returns_term_item() {
 		$expected = array(
 			'id'         => "term-{$term_id}",
 			'title'      => 'Term Title',
+			'original_title' => 'Term Title',
 			'type'       => 'taxonomy',
 			'type_label' => 'Category',
 			'object'     => 'category',