diff --git a/lib/endpoints/class-wp-rest-attachments-controller.php b/lib/endpoints/class-wp-rest-attachments-controller.php
index 3fd95f1c0d..e28f20ce80 100755
--- a/lib/endpoints/class-wp-rest-attachments-controller.php
+++ b/lib/endpoints/class-wp-rest-attachments-controller.php
@@ -2,6 +2,21 @@
 
 class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 
+ /**
+ * Determine the allowed query_vars for a get_items() response and
+ * prepare for WP_Query.
+ *
+ * @param array $prepared_args
+ * @return array $query_args
+ */
+ protected function prepare_items_query( $prepared_args = array() ) {
+ $query_args = parent::prepare_items_query( $prepared_args );
+ if ( empty( $query_args['post_status'] ) || ! in_array( $query_args['post_status'], array( 'inherit', 'private', 'trash' ) ) ) {
+ $query_args['post_status'] = 'inherit';
+ }
+ return $query_args;
+ }
+
 /**
 * Check if a given request has access to create an attachment.
 *
@@ -414,9 +429,26 @@ public function get_collection_params() {
 'default' => null,
 'sanitize_callback' => 'absint',
 );
+ $params['status']['default'] = 'inherit';
+ $params['status']['enum'] = array( 'inherit', 'private', 'trash' );
 return $params;
 }
 
+ /**
+ * Validate whether the user can query private statuses
+ *
+ * @param mixed $value
+ * @param WP_REST_Request $request
+ * @param string $parameter
+ * @return WP_Error|bool
+ */
+ public function validate_user_can_query_private_statuses( $value, $request, $parameter ) {
+ if ( 'inherit' === $value ) {
+ return true;
+ }
+ return parent::validate_user_can_query_private_statuses( $value, $request, $parameter );
+ }
+
 /**
 * Handle an upload via multipart/form-data ($_FILES)
 *
diff --git a/lib/endpoints/class-wp-rest-posts-controller.php b/lib/endpoints/class-wp-rest-posts-controller.php
index bbafa6f9c9..e7de07c9ac 100755
--- a/lib/endpoints/class-wp-rest-posts-controller.php
+++ b/lib/endpoints/class-wp-rest-posts-controller.php
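Review bot: The status whitelist in the new prepare_items_query calls `in_array()` without the strict flag, so membership is decided by loose comparison, and the same three statuses are hard-coded a second time as the `enum` in get_collection_params further down. Compare strictly and keep a single list: `if ( empty( $query_args['post_status'] ) || ! in_array( $query_args['post_status'], array( 'inherit', 'private', 'trash' ), true ) ) {`, with the array hoisted into one private property that both the enum and this check read, so the two cannot drift apart. That matters because this coercion is the last step before the value reaches WP_Query. The fail-safe direction is right as written: anything unrecognised collapses to 'inherit' rather than widening the query. The enclosing class continues outside the hunk.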
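Review bot: The override returns true for 'inherit' with no capability check but gives no hint why that is acceptable, and since the parameter keeps its custom validate_callback the enum assigned to `$params['status']` is presumably not what rejects other values (the parent still accepts 'publish' unconditionally, which prepare_items_query then rewrites to 'inherit'). A comment on the early return would record the contract: `// 'inherit' is the public default for attachments and needs no capability; any other value falls through to the parent's check.`. The docblock summary also only mentions private statuses, while 'trash' is now in the enum and reaches WP_Query through the same parent path, so it should name both. get_collection_params starts outside the hunk.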
@@ -539,10 +539,6 @@ protected function prepare_items_query( $prepared_args = array() ) {
 }
 }
 
- if ( empty( $query_args['post_status'] ) && 'attachment' === $this->post_type ) {
- $query_args['post_status'] = 'inherit';
- }
-
 if ( 'post' !== $this->post_type || ! isset( $query_args['ignore_sticky_posts'] ) ) {
 $query_args['ignore_sticky_posts'] = true;
 }
@@ -1626,7 +1622,7 @@ public function get_collection_params() {
 }
 
 $params['status'] = array(
- 'default' => 'attachment' === $this->post_type ? 'inherit' : 'publish',
+ 'default' => 'publish',
 'description' => __( 'Limit result set to posts assigned a specific status.' ),
 'sanitize_callback' => 'sanitize_key',
 'type' => 'string',
@@ -1647,7 +1643,7 @@ public function get_collection_params() {
 * @return WP_Error|bool
 */
 public function validate_user_can_query_private_statuses( $value, $request, $parameter ) {
- if ( 'publish' === $value || ( 'attachment' === $this->post_type && 'inherit' === $value ) ) {
+ if ( 'publish' === $value ) {
 return true;
 }
 $post_type_obj = get_post_type_object( $this->post_type );
diff --git a/tests/test-rest-attachments-controller.php b/tests/test-rest-attachments-controller.php
index dcadbe1145..f467ff23d3 100644
--- a/tests/test-rest-attachments-controller.php
+++ b/tests/test-rest-attachments-controller.php
@@ -54,6 +54,28 @@ public function test_context_param() {
 $this->assertEquals( array( 'view', 'embed', 'edit' ), $data['endpoints'][0]['args']['context']['enum'] );
 }
 
+ public function test_registered_query_params() {
+ $request = new WP_REST_Request( 'OPTIONS', '/wp/v2/media' );
+ $response = $this->server->dispatch( $request );
+ $data = $response->get_data();
+ $keys = array_keys( $data['endpoints'][0]['args'] );
+ sort( $keys );
+ $this->assertEquals( array(
+ 'author',
+ 'context',
+ 'exclude',
+ 'filter',
+ 'include',
+ 'order',
+ 'orderby',
+ 'page',
+ 'parent',
+ 'per_page',
+ 'search',
+ 'status',
+ ), $keys );
+ }
+
 public function test_get_items() {
 wp_set_current_user( 0 );
 $id1 = $this->factory->attachment->create_object( $this->test_file, 0, array(
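Review bot: test_registered_query_params only checks which parameter names are registered; it does not assert the `default` and `enum` this commit attaches to the status parameter, so a regression that lets the parent's 'publish' default leak back into the media endpoint would still pass. Add `$this->assertEquals( 'inherit', $data['endpoints'][0]['args']['status']['default'] );` and `$this->assertEquals( array( 'inherit', 'private', 'trash' ), $data['endpoints'][0]['args']['status']['enum'] );` after the key assertion, mirroring how test_context_param above pins the context enum.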
@@ -145,6 +167,41 @@ public function test_get_items_parent() {
 $this->assertEquals( 0, count( $data ) );
 }
 
+ public function test_get_items_invalid_status_param_is_discarded() {
+ wp_set_current_user( $this->editor_id );
+ $attachment_id1 = $this->factory->attachment->create_object( $this->test_file, 0, array(
+ 'post_mime_type' => 'image/jpeg',
+ 'post_excerpt' => 'A sample caption',
+ ) );
+ $request = new WP_REST_Request( 'GET', '/wp/v2/media' );
+ $request->set_param( 'status', 'publish' );
+ $request->set_param( 'context', 'edit' );
+ $response = $this->server->dispatch( $request );
+ $data = $response->get_data();
+ $this->assertCount( 1, $data );
+ $this->assertEquals( 'inherit', $data[0]['status'] );
+ }
+
+ public function test_get_items_private_status() {
+ // Logged out users can't make the request
+ wp_set_current_user( 0 );
+ $attachment_id1 = $this->factory->attachment->create_object( $this->test_file, 0, array(
+ 'post_mime_type' => 'image/jpeg',
+ 'post_excerpt' => 'A sample caption',
+ 'post_status' => 'private',
+ ) );
+ $request = new WP_REST_Request( 'GET', '/wp/v2/media' );
+ $request->set_param( 'status', 'private' );
+ $response = $this->server->dispatch( $request );
+ $this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+ // Properly authorized users can make the request
+ wp_set_current_user( $this->editor_id );
+ $response = $this->server->dispatch( $request );
+ $this->assertEquals( 200, $response->get_status() );
+ $data = $response->get_data();
+ $this->assertEquals( $attachment_id1, $data[0]['id'] );
+ }
+
 public function test_get_item() {
 $attachment_id = $this->factory->attachment->create_object( $this->test_file, 0, array(
 'post_mime_type' => 'image/jpeg',
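Review bot: test_get_items_private_status covers the anonymous rejection for 'private' but nothing exercises 'trash', which is now in the enum and takes the same parent validation path; a parallel case asserting the 400 for an anonymous `status=trash` request and a 200 for the editor would pin the other half of the new surface. The test also never asserts that the private attachment is absent from the anonymous listing when no status parameter is sent, which is the stronger negative check on the default. In test_get_items_invalid_status_param_is_discarded, `$attachment_id1` is assigned but never read; either drop the assignment or add `$this->assertEquals( $attachment_id1, $data[0]['id'] );` as the sibling test does.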