<?php
/**
* WordPress Post Administration API.
*
* @package WordPress
* @subpackage Administration
*/
/**
* Renames `$_POST` data from form names to DB post columns.
*
* Manipulates `$_POST` directly.
*
* @since 2.6.0
*
* @param bool $update Whether the post already exists.
* @param array|null $post_data Optional. The array of post data to process.
* Defaults to the `$_POST` superglobal.
* @return array|WP_Error Array of post data on success, WP_Error on failure.
*/
function _wp_translate_postdata( $update = false, $post_data = null ) {
if ( empty( $post_data ) ) {
$post_data = &$_POST;
}
if ( $update ) {
$post_data['ID'] = (int) $post_data['post_ID'];
}
$ptype = get_post_type_object( $post_data['post_type'] );
if ( $update && ! current_user_can( 'edit_post', $post_data['ID'] ) ) {
if ( 'page' === $post_data['post_type'] ) {
return new WP_Error( 'edit_others_pages', __( 'Sorry, you are not allowed to edit pages as this user.' ) );
} else {
return new WP_Error( 'edit_others_posts', __( 'Sorry, you are not allowed to edit posts as this user.' ) );
}
} elseif ( ! $update && ! current_user_can( $ptype->cap->create_posts ) ) {
if ( 'page' === $post_data['post_type'] ) {
return new WP_Error( 'edit_others_pages', __( 'Sorry, you are not allowed to create pages as this user.' ) );
} else {
return new WP_Error( 'edit_others_posts', __( 'Sorry, you are not allowed to create posts as this user.' ) );
}
}
if ( isset( $post_data['content'] ) ) {
$post_data['post_content'] = $post_data['content'];
}
if ( isset( $post_data['excerpt'] ) ) {
$post_data['post_excerpt'] = $post_data['excerpt'];
}
if ( isset( $post_data['parent_id'] ) ) {
$post_data['post_parent'] = (int) $post_data['parent_id'];
}
if ( isset( $post_data['trackback_url'] ) ) {
$post_data['to_ping'] = $post_data['trackback_url'];
}
$post_data['user_ID'] = get_current_user_id();
if ( ! empty( $post_data['post_author_override'] ) ) {
$post_data['post_author'] = (int) $post_data['post_author_override'];
} else {
if ( ! empty( $post_data['post_author'] ) ) {
$post_data['post_author'] = (int) $post_data['post_author'];
} else {
$post_data['post_author'] = (int) $post_data['user_ID'];
}
}
if ( isset( $post_data['user_ID'] ) && ( $post_data['post_author'] !== $post_data['user_ID'] )
&& ! current_user_can( $ptype->cap->edit_others_posts ) ) {
if ( $update ) {
if ( 'page' === $post_data['post_type'] ) {
return new WP_Error( 'edit_others_pages', __( 'Sorry, you are not allowed to edit pages as this user.' ) );
} else {
return new WP_Error( 'edit_others_posts', __( 'Sorry, you are not allowed to edit posts as this user.' ) );
}
} else {
if ( 'page' === $post_data['post_type'] ) {
return new WP_Error( 'edit_others_pages', __( 'Sorry, you are not allowed to create pages as this user.' ) );
} else {
return new WP_Error( 'edit_others_posts', __( 'Sorry, you are not allowed to create posts as this user.' ) );
}
}
}
if ( ! empty( $post_data['post_status'] ) ) {
$post_data['post_status'] = sanitize_key( $post_data['post_status'] );
// No longer an auto-draft.
if ( 'auto-draft' === $post_data['post_status'] ) {
$post_data['post_status'] = 'draft';
}
if ( ! get_post_status_object( $post_data['post_status'] ) ) {
unset( $post_data['post_status'] );
}
}
// What to do based on which button they pressed.
if ( isset( $post_data['saveasdraft'] ) && '' !== $post_data['saveasdraft'] ) {
$post_data['post_status'] = 'draft';
}
if ( isset( $post_data['saveasprivate'] ) && '' !== $post_data['saveasprivate'] ) {
$post_data['post_status'] = 'private';
}
if ( isset( $post_data['publish'] ) && ( '' !== $post_data['publish'] )
&& ( ! isset( $post_data['post_status'] ) || 'private' !== $post_data['post_status'] )
) {
$post_data['post_status'] = 'publish';
}
if ( isset( $post_data['advanced'] ) && '' !== $post_data['advanced'] ) {
$post_data['post_status'] = 'draft';
}
if ( isset( $post_data['pending'] ) && '' !== $post_data['pending'] ) {
$post_data['post_status'] = 'pending';
}
if ( isset( $post_data['ID'] ) ) {
$post_id = $post_data['ID'];
} else {
$post_id = false;
}
$previous_status = $post_id ? get_post_field( 'post_status', $post_id ) : false;
if ( isset( $post_data['post_status'] ) && 'private' === $post_data['post_status'] && ! current_user_can( $ptype->cap->publish_posts ) ) {
$post_data['post_status'] = $previous_status ? $previous_status : 'pending';
}
$published_statuses = array( 'publish', 'future' );
/*
* Posts 'submitted for approval' are submitted to $_POST the same as if they were being published.
* Change status from 'publish' to 'pending' if user lacks permissions to publish or to resave published posts.
*/
if ( isset( $post_data['post_status'] )
&& ( in_array( $post_data['post_status'], $published_statuses, true )
&& ! current_user_can( $ptype->cap->publish_posts ) )
) {
if ( ! in_array( $previous_status, $published_statuses, true ) || ! current_user_can( 'edit_post', $post_id ) ) {
$post_data['post_status'] = 'pending';
}
}
if ( ! isset( $post_data['post_status'] ) ) {
$post_data['post_status'] = 'auto-draft' === $previous_status ? 'draft' : $previous_status;
}
if ( isset( $post_data['post_password'] ) && ! current_user_can( $ptype->cap->publish_posts ) ) {
unset( $post_data['post_password'] );
}
if ( ! isset( $post_data['comment_status'] ) ) {
$post_data['comment_status'] = 'closed';
}
if ( ! isset( $post_data['ping_status'] ) ) {
$post_data['ping_status'] = 'closed';
}
foreach ( array( 'aa', 'mm', 'jj', 'hh', 'mn' ) as $timeunit ) {
if ( ! empty( $post_data[ 'hidden_' . $timeunit ] ) && $post_data[ 'hidden_' . $timeunit ] !== $post_data[ $timeunit ] ) {
$post_data['edit_date'] = '1';
break;
}
}
if ( ! empty( $post_data['edit_date'] ) ) {
$aa = $post_data['aa'];
$mm = $post_data['mm'];
$jj = $post_data['jj'];
$hh = $post_data['hh'];
$mn = $post_data['mn'];
$ss = $post_data['ss'];
$aa = ( $aa <= 0 ) ? gmdate( 'Y' ) : $aa;
$mm = ( $mm <= 0 ) ? gmdate( 'n' ) : $mm;
$jj = ( $jj > 31 ) ? 31 : $jj;
$jj = ( $jj <= 0 ) ? gmdate( 'j' ) : $jj;
$hh = ( $hh > 23 ) ? $hh - 24 : $hh;
$mn = ( $mn > 59 ) ? $mn - 60 : $mn;
$ss = ( $ss > 59 ) ? $ss - 60 : $ss;
$post_data['post_date'] = sprintf( '%04d-%02d-%02d %02d:%02d:%02d', $aa, $mm, $jj, $hh, $mn, $ss );
$valid_date = wp_checkdate( $mm, $jj, $aa, $post_data['post_date'] );
if ( ! $valid_date ) {
return new WP_Error( 'invalid_date', __( 'Invalid date.' ) );
}
/*
* Only assign a post date if the user has explicitly set a new value.
* See #59125 and #19907.
*/
$previous_date = $post_id ? get_post_field( 'post_date', $post_id ) : false;
if ( $previous_date && $previous_date !== $post_data['post_date'] ) {
$post_data['edit_date'] = true;
$post_data['post_date_gmt'] = get_gmt_from_date( $post_data['post_date'] );
} else {
$post_data['edit_date'] = false;
unset( $post_data['post_date'] );
unset( $post_data['post_date_gmt'] );
}
}
if ( isset( $post_data['post_category'] ) ) {
$category_object = get_taxonomy( 'category' );
if ( ! current_user_can( $category_object->cap->assign_terms ) ) {
unset( $post_data['post_category'] );
}
}
return $post_data;
}
/**
* Returns only allowed post data fields.
*
* @since 5.0.1
*
* @param array|WP_Error|null $post_data The array of post data to process, or an error object.
* Defaults to the `$_POST` superglobal.
* @return array|WP_Error Array of post data on success, WP_Error on failure.
*/
function _wp_get_allowed_postdata( $post_data = null ) {
if ( empty( $post_data ) ) {
$post_data = $_POST;
}
// Pass through errors.
if ( is_wp_error( $post_data ) ) {
return $post_data;
}
return array_diff_key( $post_data, array_flip( array( 'meta_input', 'file', 'guid' ) ) );
}
/**
* Updates an existing post with values provided in `$_POST`.
*
* If post data is passed as an argument, it is treated as an array of data
* keyed appropriately for turning into a post object.
*
* If post data is not passed, the `$_POST` global variable is used instead.
*
* @since 1.5.0
*
* @global wpdb $wpdb WordPress database abstraction object.
*
* @param array|null $post_data Optional. The array of post data to process.
* Defaults to the `$_POST` superglobal.
* @return int Post ID.
*/
function edit_post( $post_data = null ) {
global $wpdb;
if ( empty( $post_data ) ) {
$post_data = &$_POST;
}
// Clear out any data in internal vars.
unset( $post_data['filter'] );
$post_id = (int) $post_data['post_ID'];
$post = get_post( $post_id );
$post_data['post_type'] = $post->post_type;
$post_data['post_mime_type'] = $post->post_mime_type;
if ( ! empty( $post_data['post_status'] ) ) {
$post_data['post_status'] = sanitize_key( $post_data['post_status'] );
if ( 'inherit' === $post_data['post_status'] ) {
unset( $post_data['post_status'] );
}
}
$ptype = get_post_type_object( $post_data['post_type'] );
if ( ! current_user_can( 'edit_post', $post_id ) ) {
if ( 'page' === $post_data['post_type'] ) {
wp_die( __( 'Sorry, you are not allowed to edit this page.' ) );
} else {
wp_die( __( 'Sorry, you are not allowed to edit this post.' ) );
}
}
if ( post_type_supports( $ptype->name, 'revisions' ) ) {
$revisions = wp_get_post_revisions(
$post_id,
array(
'order' => 'ASC',
'posts_per_page' => 1,
)
);
$revision = current( $revisions );
// Check if the revisions have been upgraded.
if ( $revisions && _wp_get_post_revision_version( $revision ) < 1 ) {
_wp_upgrade_revisions_of_post( $post, wp_get_post_revisions( $post_id ) );
}
}
if ( isset( $post_data['visibility'] ) ) {
switch ( $post_data['visibility'] ) {
case 'public':
$post_data['post_password'] = '';
break;
case 'password':
unset( $post_data['sticky'] );
break;
case 'private':
$post_data['post_status'] = 'private';
$post_data['post_password'] = '';
unset( $post_data['sticky'] );
break;
}
}
$post_data = _wp_translate_postdata( true, $post_data );
if ( is_wp_error( $post_data ) ) {
wp_die( $post_data->get_error_message() );
}
$translated = _wp_get_allowed_postdata( $post_data );
// Post formats.
if ( isset( $post_data['post_format'] ) ) {
set_post_format( $post_id, $post_data['post_format'] );
}
$format_meta_urls = array( 'url', 'link_url', 'quote_source_url' );
foreach ( $format_meta_urls as $format_meta_url ) {
$keyed = '_format_' . $format_meta_url;
if ( isset( $post_data[ $keyed ] ) ) {
update_post_meta( $post_id, $keyed, wp_slash( sanitize_url( wp_unslash( $post_data[ $keyed ] ) ) ) );
}
}
$format_keys = array( 'quote', 'quote_source_name', 'image', 'gallery', 'audio_embed', 'video_embed' );
foreach ( $format_keys as $key ) {
$keyed = '_format_' . $key;
if ( isset( $post_data[ $keyed ] ) ) {
if ( current_user_can( 'unfiltered_html' ) ) {
update_post_meta( $post_id, $keyed, $post_data[ $keyed ] );
} else {
update_post_meta( $post_id, $keyed, wp_filter_post_kses( $post_data[ $keyed ] ) );
}
}
}
if ( 'attachment' === $post_data['post_type'] && preg_match( '#^(audio|video)/#', $post_data['post_mime_type'] ) ) {
$id3data = wp_get_attachment_metadata( $post_id );
if ( ! is_array( $id3data ) ) {
$id3data = array();
}
foreach ( wp_get_attachment_id3_keys( $post, 'edit' ) as $key => $label ) {
if ( isset( $post_data[ 'id3_' . $key ] ) ) {
$id3data[ $key ] = sanitize_text_field( wp_unslash( $post_data[ 'id3_' . $key ] ) );
}
}
wp_update_attachment_metadata( $post_id, $id3data );
}
// Meta stuff.
if ( isset( $post_data['meta'] ) && $post_data['meta'] ) {
foreach ( $post_data['meta'] as $key => $value ) {
$meta = get_post_meta_by_id( $key );
if ( ! $meta ) {
continue;
}
if ( (int) $meta->post_id !== $post_id ) {
continue;
}
if ( is_protected_meta( $meta->meta_key, 'post' )
|| ! current_user_can( 'edit_post_meta', $post_id,