class.wpcom-json-api-update-post-endpoint.php — Jetpack – WP Security, Backup, Speed, & Growth 12.0.2

jetpack / json-endpoints / class.wpcom-json-api-update-post-endpoint.php

jetpack / json-endpoints Last commit date

class.wpcom-json-api-update-post-endpoint.php

1008 lines

1	<?php // phpcs:ignore WordPress.Files.FileName.InvalidClassFileName
2	/**
3	* Update post endpoint.
4	*
5	* Endpoints:
6	* Create a post: /sites/%s/posts/new
7	* Update a post: /sites/%s/posts/%d
8	* Delete a post: /sites/%s/posts/%d/delete
9	* Restore a post: /sites/%s/posts/%d/restore
10	*/
11
12	new WPCOM_JSON_API_Update_Post_Endpoint(
13	array(
14	'description' => 'Create a post.',
15	'group' => 'posts',
16	'stat' => 'posts:new',
17	'new_version' => '1.2',
18	'max_version' => '1',
19	'method' => 'POST',
20	'path' => '/sites/%s/posts/new',
21	'path_labels' => array(
22	'$site' => '(int\|string) Site ID or domain',
23	),
24
25	'request_format' => array(
26	// explicitly document all input.
27	'date' => "(ISO 8601 datetime) The post's creation time.",
28	'title' => '(HTML) The post title.',
29	'content' => '(HTML) The post content.',
30	'excerpt' => '(HTML) An optional post excerpt.',
31	'slug' => '(string) The name (slug) for the post, used in URLs.',
32	'author' => '(string) The username or ID for the user to assign the post to.',
33	'publicize' => '(array\|bool) True or false if the post be shared to external services. An array of services if we only want to share to a select few. Defaults to true.',
34	'publicize_message' => '(string) Custom message to be shared to external services.',
35	'status' => array(
36	'publish' => 'Publish the post.',
37	'private' => 'Privately publish the post.',
38	'draft' => 'Save the post as a draft.',
39	'pending' => 'Mark the post as pending editorial approval.',
40	'auto-draft' => 'Save a placeholder for a newly created post, with no content.',
41	),
42	'sticky' => array(
43	'false' => 'Post is not marked as sticky.',
44	'true' => 'Stick the post to the front page.',
45	),
46	'password' => '(string) The plaintext password protecting the post, or, more likely, the empty string if the post is not password protected.',
47	'parent' => "(int) The post ID of the new post's parent.",
48	'type' => "(string) The post type. Defaults to 'post'. Post types besides post and page need to be whitelisted using the <code>rest_api_allowed_post_types</code> filter.",
49	'categories' => '(array\|string) Comma-separated list or array of categories (name or id)',
50	'tags' => '(array\|string) Comma-separated list or array of tags (name or id)',
51	'format' => array_merge( array( 'default' => 'Use default post format' ), get_post_format_strings() ),
52	'featured_image' => '(string) The post ID of an existing attachment to set as the featured image. Pass an empty string to delete the existing image.',
53	'media' => '(media) An array of files to attach to the post. To upload media, the entire request should be multipart/form-data encoded. Multiple media items will be displayed in a gallery. Accepts jpg, jpeg, png, gif, pdf, doc, ppt, odt, pptx, docx, pps, ppsx, xls, xlsx, key. Audio and Video may also be available. See <code>allowed_file_types</code> in the options response of the site endpoint. <br /><br /><strong>Example</strong>:<br />' .
54	"<code>curl \<br />--form 'title=Image' \<br />--form 'media[]=@/path/to/file.jpg' \<br />-H 'Authorization: BEARER your-token' \<br />'https://public-api.wordpress.com/rest/v1/sites/123/posts/new'</code>",
55	'media_urls' => '(array) An array of URLs for images to attach to a post. Sideloads the media in for a post.',
56	'metadata' => '(array) Array of metadata objects containing the following properties: `key` (metadata key), `id` (meta ID), `previous_value` (if set, the action will only occur for the provided previous value), `value` (the new value to set the meta to), `operation` (the operation to perform: `update` or `add`; defaults to `update`). All unprotected meta keys are available by default for read requests. Both unprotected and protected meta keys are avaiable for authenticated requests with proper capabilities. Protected meta keys can be made available with the <code>rest_api_allowed_public_metadata</code> filter.',
57	'comments_open' => "(bool) Should the post be open to comments? Defaults to the blog's preference.",
58	'pings_open' => "(bool) Should the post be open to comments? Defaults to the blog's preference.",
59	'likes_enabled' => "(bool) Should the post be open to likes? Defaults to the blog's preference.",
60	'sharing_enabled' => '(bool) Should sharing buttons show on this post? Defaults to true.',
61	'menu_order' => '(int) (Pages Only) the order pages should appear in. Use 0 to maintain alphabetical order.',
62	),
63
64	'example_request' => 'https://public-api.wordpress.com/rest/v1/sites/82974409/posts/new/',
65
66	'example_request_data' => array(
67	'headers' => array(
68	'authorization' => 'Bearer YOUR_API_TOKEN',
69	),
70
71	'body' => array(
72	'title' => 'Hello World',
73	'content' => 'Hello. I am a test post. I was created by the API',
74	'tags' => 'tests',
75	'categories' => 'API',
76	),
77	),
78	)
79	);
80
81	new WPCOM_JSON_API_Update_Post_Endpoint(
82	array(
83	'description' => 'Edit a post.',
84	'group' => 'posts',
85	'stat' => 'posts:1:POST',
86	'new_version' => '1.2',
87	'max_version' => '1',
88	'method' => 'POST',
89	'path' => '/sites/%s/posts/%d',
90	'path_labels' => array(
91	'$site' => '(int\|string) Site ID or domain',
92	'$post_ID' => '(int) The post ID',
93	),
94
95	'request_format' => array(
96	'date' => "(ISO 8601 datetime) The post's creation time.",
97	'title' => '(HTML) The post title.',
98	'content' => '(HTML) The post content.',
99	'excerpt' => '(HTML) An optional post excerpt.',
100	'slug' => '(string) The name (slug) for the post, used in URLs.',
101	'author' => '(string) The username or ID for the user to assign the post to.',
102	'publicize' => '(array\|bool) True or false if the post be shared to external services. An array of services if we only want to share to a select few. Defaults to true.',
103	'publicize_message' => '(string) Custom message to be shared to external services.',
104	'status' => array(
105	'publish' => 'Publish the post.',
106	'private' => 'Privately publish the post.',
107	'draft' => 'Save the post as a draft.',
108	'pending' => 'Mark the post as pending editorial approval.',
109	'trash' => 'Set the post as trashed.',
110	),
111	'sticky' => array(
112	'false' => 'Post is not marked as sticky.',
113	'true' => 'Stick the post to the front page.',
114	),
115	'password' => '(string) The plaintext password protecting the post, or, more likely, the empty string if the post is not password protected.',
116	'parent' => "(int) The post ID of the new post's parent.",
117	'categories' => '(array\|string) Comma-separated list or array of categories (name or id)',
118	'tags' => '(array\|string) Comma-separated list or array of tags (name or id)',
119	'format' => array_merge( array( 'default' => 'Use default post format' ), get_post_format_strings() ),
120	'comments_open' => '(bool) Should the post be open to comments?',
121	'pings_open' => '(bool) Should the post be open to comments?',
122	'likes_enabled' => '(bool) Should the post be open to likes?',
123	'menu_order' => '(int) (Pages Only) the order pages should appear in. Use 0 to maintain alphabetical order.',
124	'sharing_enabled' => '(bool) Should sharing buttons show on this post?',
125	'featured_image' => '(string) The post ID of an existing attachment to set as the featured image. Pass an empty string to delete the existing image.',
126	'media' => '(media) An array of files to attach to the post. To upload media, the entire request should be multipart/form-data encoded. Multiple media items will be displayed in a gallery. Accepts jpg, jpeg, png, gif, pdf, doc, ppt, odt, pptx, docx, pps, ppsx, xls, xlsx, key. Audio and Video may also be available. See <code>allowed_file_types</code> in the options resposne of the site endpoint. <br /><br /><strong>Example</strong>:<br />' .
127	"<code>curl \<br />--form 'title=Image' \<br />--form 'media[]=@/path/to/file.jpg' \<br />-H 'Authorization: BEARER your-token' \<br />'https://public-api.wordpress.com/rest/v1/sites/123/posts/new'</code>",
128	'media_urls' => '(array) An array of URLs for images to attach to a post. Sideloads the media in for a post.',
129	'metadata' => '(array) Array of metadata objects containing the following properties: `key` (metadata key), `id` (meta ID), `previous_value` (if set, the action will only occur for the provided previous value), `value` (the new value to set the meta to), `operation` (the operation to perform: `update` or `add`; defaults to `update`). All unprotected meta keys are available by default for read requests. Both unprotected and protected meta keys are available for authenticated requests with proper capabilities. Protected meta keys can be made available with the <code>rest_api_allowed_public_metadata</code> filter.',
130	),
131
132	'example_request' => 'https://public-api.wordpress.com/rest/v1/sites/82974409/posts/881',
133
134	'example_request_data' => array(
135	'headers' => array(
136	'authorization' => 'Bearer YOUR_API_TOKEN',
137	),
138
139	'body' => array(
140	'title' => 'Hello World (Again)',
141	'content' => 'Hello. I am an edited post. I was edited by the API',
142	'tags' => 'tests',
143	'categories' => 'API',
144	),
145	),
146	)
147	);
148
149	new WPCOM_JSON_API_Update_Post_Endpoint(
150	array(
151	'description' => 'Delete a post. Note: If the trash is enabled, this request will send the post to the trash. A second request will permanently delete the post.',
152	'group' => 'posts',
153	'stat' => 'posts:1:delete',
154	'new_version' => '1.1',
155	'max_version' => '1',
156	'method' => 'POST',
157	'path' => '/sites/%s/posts/%d/delete',
158	'path_labels' => array(
159	'$site' => '(int\|string) Site ID or domain',
160	'$post_ID' => '(int) The post ID',
161	),
162
163	'example_request' => 'https://public-api.wordpress.com/rest/v1/sites/82974409/posts/$post_ID/delete/',
164
165	'example_request_data' => array(
166	'headers' => array(
167	'authorization' => 'Bearer YOUR_API_TOKEN',
168	),
169	),
170	)
171	);
172
173	new WPCOM_JSON_API_Update_Post_Endpoint(
174	array(
175	'description' => 'Restore a post or page from the trash to its previous status.',
176	'group' => 'posts',
177	'stat' => 'posts:1:restore',
178
179	'method' => 'POST',
180	'new_version' => '1.1',
181	'max_version' => '1',
182	'path' => '/sites/%s/posts/%d/restore',
183	'path_labels' => array(
184	'$site' => '(int\|string) Site ID or domain',
185	'$post_ID' => '(int) The post ID',
186	),
187
188	'example_request' => 'https://public-api.wordpress.com/rest/v1/sites/82974409/posts/$post_ID/restore/',
189
190	'example_request_data' => array(
191	'headers' => array(
192	'authorization' => 'Bearer YOUR_API_TOKEN',
193	),
194	),
195	)
196	);
197
198	/**
199	* Update post endpoint class.
200	*/
201	class WPCOM_JSON_API_Update_Post_Endpoint extends WPCOM_JSON_API_Post_Endpoint {
202	/**
203	* WPCOM_JSON_API_Update_Post_Endpoint constructor.
204	*
205	* @param array $args Args.
206	*/
207	public function __construct( $args ) {
208	parent::__construct( $args );
209	if ( $this->api->ends_with( $this->path, '/delete' ) ) {
210	$this->post_object_format['status']['deleted'] = 'The post has been deleted permanently.';
211	}
212	}
213
214	/**
215	* Update post API callback.
216	*
217	* /sites/%s/posts/new -> $blog_id
218	* /sites/%s/posts/%d -> $blog_id, $post_id
219	* /sites/%s/posts/%d/delete -> $blog_id, $post_id
220	* /sites/%s/posts/%d/restore -> $blog_id, $post_id
221	*
222	* @param string $path API path.
223	* @param int $blog_id Blog ID.
224	* @param int $post_id Post ID.
225	*
226	* @return array\|bool\|WP_Error
227	*/
228	public function callback( $path = '', $blog_id = 0, $post_id = 0 ) {
229	$blog_id = $this->api->switch_to_blog_and_validate_user( $this->api->get_blog_id( $blog_id ) );
230	if ( is_wp_error( $blog_id ) ) {
231	return $blog_id;
232	}
233
234	if ( $this->api->ends_with( $path, '/delete' ) ) {
235	return $this->delete_post( $path, $blog_id, $post_id );
236	} elseif ( $this->api->ends_with( $path, '/restore' ) ) {
237	return $this->restore_post( $path, $blog_id, $post_id );
238	} else {
239	return $this->write_post( $path, $blog_id, $post_id );
240	}
241	}
242
243	/**
244	* Create or update a post.
245	*
246	* /sites/%s/posts/new -> $blog_id
247	* /sites/%s/posts/%d -> $blog_id, $post_id
248	*
249	* @param string $path API path.
250	* @param int $blog_id Blog ID.
251	* @param int $post_id Post ID.
252	*/
253	public function write_post( $path, $blog_id, $post_id ) {
254	$new = $this->api->ends_with( $path, '/new' );
255	$args = $this->query_args();
256
257	// unhook publicize, it's hooked again later -- without this, skipping services is impossible.
258	if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
259	remove_action( 'save_post', array( $GLOBALS['publicize_ui']->publicize, 'async_publicize_post' ), 100, 2 );
260	add_action( 'rest_api_inserted_post', array( $GLOBALS['publicize_ui']->publicize, 'async_publicize_post' ) );
261	}
262
263	if ( $new ) {
264	$input = $this->input( true );
265
266	// default to post.
267	if ( empty( $input['type'] ) ) {
268	$input['type'] = 'post';
269	}
270
271	if ( 'revision' === $input['type'] ) {
272	if ( ! isset( $input['parent'] ) ) {
273	return new WP_Error( 'invalid_input', 'Invalid request input', 400 );
274	}
275	$input['status'] = 'inherit'; // force inherit for revision type.
276	$input['slug'] = $input['parent'] . '-autosave-v1';
277	} elseif ( ! isset( $input['title'] ) && ! isset( $input['content'] ) && ! isset( $input['excerpt'] ) ) {
278	return new WP_Error( 'invalid_input', 'Invalid request input', 400 );
279	}
280
281	$post_type = get_post_type_object( $input['type'] );
282
283	if ( ! $this->is_post_type_allowed( $input['type'] ) ) {
284	return new WP_Error( 'unknown_post_type', 'Unknown post type', 404 );
285	}
286
287	if ( ! empty( $input['author'] ) ) {
288	$author_id = $this->parse_and_set_author( $input['author'], $input['type'] );
289	unset( $input['author'] );
290	if ( is_wp_error( $author_id ) ) {
291	return $author_id;
292	}
293	}
294
295	if ( 'publish' === $input['status'] ) {
296	if ( ! current_user_can( $post_type->cap->publish_posts ) ) {
297	if ( current_user_can( $post_type->cap->edit_posts ) ) {
298	$input['status'] = 'pending';
299	} else {
300	return new WP_Error( 'unauthorized', 'User cannot publish posts', 403 );
301	}
302	}
303	} elseif ( ! current_user_can( $post_type->cap->edit_posts ) ) {
304	return new WP_Error( 'unauthorized', 'User cannot edit posts', 403 );
305	}
306	} else {
307	$input = $this->input( false );
308
309	if ( ! is_array( $input ) \|\| ! $input ) {
310	return new WP_Error( 'invalid_input', 'Invalid request input', 400 );
311	}
312
313	if ( isset( $input['status'] ) && 'trash' === $input['status'] && ! current_user_can( 'delete_post', $post_id ) ) {
314	return new WP_Error( 'unauthorized', 'User cannot delete post', 403 );
315	}
316
317	$post = get_post( $post_id );
318	$_post_type = ( ! empty( $input['type'] ) ) ? $input['type'] : $post->post_type;
319	$post_type = get_post_type_object( $_post_type );
320	if ( ! $post \|\| is_wp_error( $post ) ) {
321	return new WP_Error( 'unknown_post', 'Unknown post', 404 );
322	}
323
324	if ( ! current_user_can( 'edit_post', $post->ID ) ) {
325	return new WP_Error( 'unauthorized', 'User cannot edit post', 403 );
326	}
327
328	if ( ! empty( $input['author'] ) ) {
329	$author_id = $this->parse_and_set_author( $input['author'], $_post_type );
330	unset( $input['author'] );
331	if ( is_wp_error( $author_id ) ) {
332	return $author_id;
333	}
334	}
335
336	if ( ( isset( $input['status'] ) && 'publish' === $input['status'] ) && 'publish' !== $post->post_status && ! current_user_can( 'publish_post', $post->ID ) ) {
337	$input['status'] = 'pending';
338	}
339	$last_status = $post->post_status;
340	$new_status = isset( $input['status'] ) ? $input['status'] : $last_status;
341
342	// Make sure that drafts get the current date when transitioning to publish if not supplied in the post.
343	$date_in_past = ( strtotime( $post->post_date_gmt ) < time() );
344	if ( 'publish' === $new_status && 'draft' === $last_status && ! isset( $input['date_gmt'] ) && $date_in_past ) {
345	$input['date_gmt'] = gmdate( 'Y-m-d H:i:s' );
346	}
347
348	// Untrash a post so that the proper hooks get called as well as the comments get untrashed.
349	if ( 'trash' === $last_status && 'trash' !== $new_status && isset( $post->ID ) ) {
350	wp_untrash_post( $post->ID );
351	$untashed_post = get_post( $post->ID );
352	// Lets make sure that we use the revert the slug.
353	if ( isset( $untashed_post->post_name ) && $untashed_post->post_name . '__trashed' === $input['slug'] ) {
354	unset( $input['slug'] );
355	}
356	}
357	}
358
359	if ( function_exists( 'wpcom_switch_to_locale' ) ) {
360	// fixes calypso-pre-oss #12476: respect blog locale when creating the post slug.
361	wpcom_switch_to_locale( get_blog_lang_code( $blog_id ) );
362	}
363
364	// If date was set, $this->input will set date_gmt, date still needs to be adjusted for the blog's offset.
365	if ( isset( $input['date_gmt'] ) ) {
366	$gmt_offset = get_option( 'gmt_offset' );
367	$time_with_offset = strtotime( $input['date_gmt'] ) + $gmt_offset * HOUR_IN_SECONDS;
368	$input['date'] = gmdate( 'Y-m-d H:i:s', $time_with_offset );
369	}
370
371	if ( ! empty( $author_id ) && get_current_user_id() !== $author_id ) {
372	if ( ! current_user_can( $post_type->cap->edit_others_posts ) ) {
373	return new WP_Error( 'unauthorized', "User is not allowed to publish others' posts.", 403 );
374	} elseif ( ! user_can( $author_id, $post_type->cap->edit_posts ) ) {
375	return new WP_Error( 'unauthorized', 'Assigned author cannot publish post.', 403 );
376	}
377	}
378
379	if ( ! is_post_type_hierarchical( $post_type->name ) && 'revision' !== $post_type->name ) {
380	unset( $input['parent'] );
381	}
382
383	$tax_input = array();
384
385	foreach ( array(
386	'categories' => 'category',
387	'tags' => 'post_tag',
388	) as $key => $taxonomy ) {
389	if ( ! isset( $input[ $key ] ) ) {
390	continue;
391	}
392
393	$tax_input[ $taxonomy ] = array();
394
395	$is_hierarchical = is_taxonomy_hierarchical( $taxonomy );
396
397	if ( is_array( $input[ $key ] ) ) {
398	$terms = $input[ $key ];
399	} else {
400	$terms = explode( ',', $input[ $key ] );
401	}
402
403	foreach ( $terms as $term ) {
404	/**
405	* `curl --data 'category[]=123'` should be interpreted as a category ID,
406	* not a category whose name is '123'.
407	*
408	* Consequence: To add a category/tag whose name is '123', the client must
409	* first look up its ID.
410	*/
411	$term = (string) $term; // ctype_digit compat.
412	if ( ctype_digit( $term ) ) {
413	$term = (int) $term;
414	}
415
416	$term_info = term_exists( $term, $taxonomy );
417
418	if ( ! $term_info ) {
419	// A term ID that doesn't already exist. Ignore it: we don't know what name to give it.
420	if ( is_int( $term ) ) {
421	continue;
422	}
423	// only add a new tag/cat if the user has access to.
424	$tax = get_taxonomy( $taxonomy );
425
426	// see https://core.trac.wordpress.org/ticket/26409 .
427	if ( 'category' === $taxonomy && ! current_user_can( $tax->cap->edit_terms ) ) {
428	continue;
429	} elseif ( ! current_user_can( $tax->cap->assign_terms ) ) {
430	continue;
431	}
432
433	$term_info = wp_insert_term( $term, $taxonomy );
434	}
435
436	if ( ! is_wp_error( $term_info ) ) {
437	if ( $is_hierarchical ) {
438	// Categories must be added by ID.
439	$tax_input[ $taxonomy ][] = (int) $term_info['term_id'];
440	} elseif ( is_int( $term ) ) { // Tags must be added by name.
441	$term = get_term( $term, $taxonomy );
442	$tax_input[ $taxonomy ][] = $term->name;
443	} else {
444	$tax_input[ $taxonomy ][] = $term;
445	}
446	}
447	}
448	}
449
450	if ( isset( $input['categories'] ) && empty( $tax_input['category'] ) && 'revision' !== $post_type->name ) {
451	$tax_input['category'][] = get_option( 'default_category' );
452	}
453
454	unset( $input['tags'], $input['categories'] );
455
456	$insert = array();
457
458	if ( ! empty( $input['slug'] ) ) {
459	$insert['post_name'] = $input['slug'];
460	unset( $input['slug'] );
461	}
462
463	if ( isset( $input['comments_open'] ) ) {
464	$insert['comment_status'] = ( true === $input['comments_open'] ) ? 'open' : 'closed';
465	}
466
467	if ( isset( $input['pings_open'] ) ) {
468	$insert['ping_status'] = ( true === $input['pings_open'] ) ? 'open' : 'closed';
469	}
470
471	unset( $input['comments_open'], $input['pings_open'] );
472
473	if ( isset( $input['menu_order'] ) ) {
474	$insert['menu_order'] = $input['menu_order'];
475	unset( $input['menu_order'] );
476	}
477
478	$publicize = isset( $input['publicize'] ) ? $input['publicize'] : null;
479	unset( $input['publicize'] );
480
481	$publicize_custom_message = isset( $input['publicize_message'] ) ? $input['publicize_message'] : null;
482	unset( $input['publicize_message'] );
483
484	if ( isset( $input['featured_image'] ) ) {
485	$featured_image = trim( $input['featured_image'] );
486	$delete_featured_image = empty( $featured_image );
487	unset( $input['featured_image'] );
488	}
489
490	$metadata = isset( $input['metadata'] ) ? $input['metadata'] : null;
491	unset( $input['metadata'] );
492
493	$likes = isset( $input['likes_enabled'] ) ? $input['likes_enabled'] : null;
494	unset( $input['likes_enabled'] );
495
496	$sharing = isset( $input['sharing_enabled'] ) ? $input['sharing_enabled'] : null;
497	unset( $input['sharing_enabled'] );
498
499	$sticky = isset( $input['sticky'] ) ? $input['sticky'] : null;
500	unset( $input['sticky'] );
501
502	foreach ( $input as $key => $value ) {
503	$insert[ "post_$key" ] = $value;
504	}
505
506	if ( ! empty( $author_id ) ) {
507	$insert['post_author'] = absint( $author_id );
508	}
509
510	if ( ! empty( $tax_input ) ) {
511	$insert['tax_input'] = $tax_input;
512	}
513
514	$has_media = isset( $input['media'] ) && $input['media'] ? count( $input['media'] ) : false;
515	$has_media_by_url = isset( $input['media_urls'] ) && $input['media_urls'] ? count( $input['media_urls'] ) : false;
516
517	if ( $new ) {
518
519	if ( isset( $input['content'] ) && ! has_shortcode( $input['content'], 'gallery' ) && ( $has_media \|\| $has_media_by_url ) ) {
520	switch ( ( $has_media + $has_media_by_url ) ) {
521	case 0:
522	// No images - do nothing.
523	break;
524	case 1:
525	// 1 image - make it big.
526	$input['content'] = "[gallery size=full columns=1]\n\n" . $input['content'];
527	$insert['post_content'] = $input['content'];
528	break;
529	default:
530	// Several images - 3 column gallery.
531	$input['content'] = "[gallery]\n\n" . $input['content'];
532	$insert['post_content'] = $input['content'];
533	break;
534	}
535	}
536
537	$post_id = wp_insert_post( add_magic_quotes( $insert ), true );
538	} else {
539	$insert['ID'] = $post->ID;
540
541	// wp_update_post ignores date unless edit_date is set
542	// See: https://codex.wordpress.org/Function_Reference/wp_update_post#Scheduling_posts
543	// See: https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/post.php#L3302 .
544	if ( isset( $input['date_gmt'] ) \|\| isset( $input['date'] ) ) {
545	$insert['edit_date'] = true;
546	}
547
548	// this two-step process ensures any changes submitted along with status=trash get saved before trashing.
549	if ( isset( $input['status'] ) && 'trash' === $input['status'] ) {
550	// if we insert it with status='trash', it will get double-trashed, so insert it as a draft first.
551	unset( $insert['status'] );
552	$post_id = wp_update_post( (object) $insert );
553	// now call wp_trash_post so post_meta gets set and any filters get called.
554	wp_trash_post( $post_id );
555	} else {
556	$post_id = wp_update_post( (object) $insert );
557	}
558	}
559
560	if ( ! $post_id \|\| is_wp_error( $post_id ) ) {
561	return $post_id;
562	}
563
564	// make sure this post actually exists and is not an error of some kind (ie, trying to load media in the posts endpoint).
565	$post_check = $this->get_post_by( 'ID', $post_id, $args['context'] );
566	if ( is_wp_error( $post_check ) ) {
567	return $post_check;
568	}
569
570	if ( $has_media ) {
571	$this->api->trap_wp_die( 'upload_error' );
572	foreach ( $input['media'] as $media_item ) {
573	$_FILES['.api.media.item.'] = $media_item;
574	// check for WP_Error if we ever actually need $media_id .
575	$media_id = media_handle_upload( '.api.media.item.', $post_id ); // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
576	}
577	$this->api->trap_wp_die( null );
578
579	unset( $_FILES['.api.media.item.'] );
580	}
581
582	if ( $has_media_by_url ) {
583	foreach ( $input['media_urls'] as $url ) {
584	$this->handle_media_sideload( $url, $post_id );
585	}
586	}
587
588	// Set like status for the post.
589	/** This filter is documented in modules/likes.php */
590	$sitewide_likes_enabled = (bool) apply_filters( 'wpl_is_enabled_sitewide', ! get_option( 'disabled_likes' ) );
591	if ( $new ) {
592	if ( $sitewide_likes_enabled ) {
593	if ( false === $likes ) {
594	update_post_meta( $post_id, 'switch_like_status', 0 );
595	} else {
596	delete_post_meta( $post_id, 'switch_like_status' );
597	}
598	} elseif ( $likes ) {
599	update_post_meta( $post_id, 'switch_like_status', 1 );
600	} else {
601	delete_post_meta( $post_id, 'switch_like_status' );
602	}
603	} elseif ( isset( $likes ) ) {
604	if ( $sitewide_likes_enabled ) {
605	if ( false === $likes ) {
606	update_post_meta( $post_id, 'switch_like_status', 0 );
607	} else {
608	delete_post_meta( $post_id, 'switch_like_status' );
609	}
610	} elseif ( true === $likes ) {
611	update_post_meta( $post_id, 'switch_like_status', 1 );
612	} else {
613	delete_post_meta( $post_id, 'switch_like_status' );
614	}
615	}
616
617	// Set sharing status of the post.
618	if ( $new ) {
619	$sharing_enabled = isset( $sharing ) ? (bool) $sharing : true;
620	if ( false === $sharing_enabled ) {
621	update_post_meta( $post_id, 'sharing_disabled', 1 );
622	}
623	} elseif ( isset( $sharing ) && true === $sharing ) {
624	delete_post_meta( $post_id, 'sharing_disabled' );
625	} elseif ( isset( $sharing ) && false == $sharing ) { // phpcs:ignore Universal.Operators.StrictComparisons.LooseEqual
626	update_post_meta( $post_id, 'sharing_disabled', 1 );
627	}
628
629	if ( isset( $sticky ) ) {
630	if ( true === $sticky ) {
631	stick_post( $post_id );
632	} else {
633	unstick_post( $post_id );
634	}
635	}
636
637	// WPCOM Specific (Jetpack's will get bumped elsewhere
638	// Tracks how many posts are published and sets meta
639	// so we can track some other cool stats (like likes & comments on posts published).
640	if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
641	if (
642	( $new && 'publish' === $input['status'] )
643	\|\| (
644	! $new && isset( $last_status )
645	&& 'publish' !== $last_status
646	&& isset( $new_status )
647	&& 'publish' === $new_status
648	)
649	) {
650	/** This action is documented in modules/widgets/social-media-icons.php */
651	do_action( 'jetpack_bump_stats_extras', 'api-insights-posts', $this->api->token_details['client_id'] );
652	update_post_meta( $post_id, '_rest_api_published', 1 );
653	update_post_meta( $post_id, '_rest_api_client_id', $this->api->token_details['client_id'] );
654	}
655	}
656
657	// We ask the user/dev to pass Publicize services he/she wants activated for the post, but Publicize expects us
658	// to instead flag the ones we don't want to be skipped. proceed with said logic.
659	// any posts coming from Path (client ID 25952) should also not publicize.
660	if ( false === $publicize \|\| ( isset( $this->api->token_details['client_id'] ) && 25952 === (int) $this->api->token_details['client_id'] ) ) {
661	// No publicize at all, skip all by ID.
662	foreach ( $GLOBALS['publicize_ui']->publicize->get_services( 'all' ) as $name => $service ) {
663	delete_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_SKIP . $name );
664	$service_connections = $GLOBALS['publicize_ui']->publicize->get_connections( $name );
665	if ( ! $service_connections ) {
666	continue;
667	}
668	foreach ( $service_connections as $service_connection ) {
669	update_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_SKIP . $service_connection->unique_id, 1 );
670	}
671	}
672	} elseif ( is_array( $publicize ) && ( count( $publicize ) > 0 ) ) {
673	foreach ( $GLOBALS['publicize_ui']->publicize->get_services( 'all' ) as $name => $service ) {
674	/*
675	* We support both indexed and associative arrays:
676	* * indexed are to pass entire services
677	* * associative are to pass specific connections per service
678	*
679	* We do support mixed arrays: mixed integer and string keys (see 3rd example below).
680	*
681	* EG: array( 'twitter', 'facebook') will only publicize to those, ignoring the other available services
682	* Form data: publicize[]=twitter&publicize[]=facebook
683	* EG: array( 'twitter' => '(int) $pub_conn_id_0, (int) $pub_conn_id_3', 'facebook' => (int) $pub_conn_id_7 ) will publicize to two Twitter accounts, and one Facebook connection, of potentially many.
684	* Form data: publicize[twitter]=$pub_conn_id_0,$pub_conn_id_3&publicize[facebook]=$pub_conn_id_7
685	* EG: array( 'twitter', 'facebook' => '(int) $pub_conn_id_0, (int) $pub_conn_id_3' ) will publicize to all available Twitter accounts, but only 2 of potentially many Facebook connections
686	* Form data: publicize[]=twitter&publicize[facebook]=$pub_conn_id_0,$pub_conn_id_3
687	*/
688
689	// Delete any stale SKIP value for the service by name. We'll add it back by ID.
690	delete_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_SKIP . $name );
691
692	// Get the user's connections.
693	$service_connections = $GLOBALS['publicize_ui']->publicize->get_connections( $name );
694
695	// if the user doesn't have any connections for this service, move on.
696	if ( ! $service_connections ) {
697	continue;
698	}
699
700	if ( ! in_array( $name, $publicize, true ) && ! array_key_exists( $name, $publicize ) ) {
701	// Skip the whole service by adding each connection ID.
702	foreach ( $service_connections as $service_connection ) {
703	update_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_SKIP . $service_connection->unique_id, 1 );
704	}
705	} elseif ( ! empty( $publicize[ $name ] ) ) {
706	// Seems we're being asked to only push to [a] specific connection[s].
707	// Explode the list on commas, which will also support a single passed ID.
708	$requested_connections = explode( ',', ( preg_replace( '/[\s]*/', '', $publicize[ $name ] ) ) );
709	// Flag the connections we can't match with the requested list to be skipped.
710	foreach ( $service_connections as $service_connection ) {
711	if ( ! in_array( $service_connection->meta['connection_data']->id, $requested_connections, true ) ) {
712	update_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_SKIP . $service_connection->unique_id, 1 );
713	} else {
714	delete_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_SKIP . $service_connection->unique_id );
715	}
716	}
717	} else {
718	// delete all SKIP values; it's okay to publish to all connected IDs for this service.
719	foreach ( $service_connections as $service_connection ) {
720	delete_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_SKIP . $service_connection->unique_id );
721	}
722	}
723	}
724	}
725
726	if ( $publicize_custom_message !== null ) {
727	if ( empty( $publicize_custom_message ) ) {
728	delete_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_MESS );
729	} else {
730	update_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_MESS, trim( $publicize_custom_message ) );
731	}
732	}
733
734	if ( ! empty( $insert['post_format'] ) ) {
735	if ( 'default' !== strtolower( $insert['post_format'] ) ) {
736	set_post_format( $post_id, $insert['post_format'] );
737	} else {
738	set_post_format( $post_id, get_option( 'default_post_format' ) );
739	}
740	}
741
742	if ( isset( $featured_image ) ) {
743	$this->parse_and_set_featured_image( $post_id, $delete_featured_image, $featured_image );
744	}
745
746	if ( ! empty( $metadata ) ) {
747	foreach ( (array) $metadata as $meta ) {
748
749	$meta = (object) $meta;
750
751	if (
752	in_array( $meta->key, Jetpack_SEO_Posts::POST_META_KEYS_ARRAY, true ) &&
753	! Jetpack_SEO_Utils::is_enabled_jetpack_seo()
754	) {
755	return new WP_Error( 'unauthorized', __( 'SEO tools are not enabled for this site.', 'jetpack' ), 403 );
756	}
757
758	$existing_meta_item = new stdClass();
759
760	if ( empty( $meta->operation ) ) {
761	$meta->operation = 'update';
762	}
763
764	if ( ! empty( $meta->value ) ) {
765	if ( 'true' == $meta->value ) { // phpcs:ignore Universal.Operators.StrictComparisons.LooseEqual
766	$meta->value = true;
767	}
768	if ( 'false' == $meta->value ) { // phpcs:ignore Universal.Operators.StrictComparisons.LooseEqual
769	$meta->value = false;
770	}
771	}
772
773	if ( ! empty( $meta->id ) ) {
774	$meta->id = absint( $meta->id );
775	$existing_meta_item = get_metadata_by_mid( 'post', $meta->id );
776	if ( $post_id !== (int) $existing_meta_item->post_id ) {
777	// Only allow updates for metadata on this post.
778	continue;
779	}
780	}
781
782	$unslashed_meta_key = wp_unslash( $meta->key ); // should match what the final key will be.
783	$meta->key = wp_slash( $meta->key );
784	$unslashed_existing_meta_key = wp_unslash( $existing_meta_item->meta_key );
785	$existing_meta_item->meta_key = wp_slash( $existing_meta_item->meta_key );
786
787	// make sure that the meta id passed matches the existing meta key.
788	if ( ! empty( $meta->id ) && ! empty( $meta->key ) ) {
789	$meta_by_id = get_metadata_by_mid( 'post', $meta->id );
790	if ( $meta_by_id->meta_key !== $meta->key ) {
791	continue; // skip this meta.
792	}
793	}
794
795	switch ( $meta->operation ) {
796	case 'delete':
797	if ( ! empty( $meta->id ) && ! empty( $existing_meta_item->meta_key ) && current_user_can( 'delete_post_meta', $post_id, $unslashed_existing_meta_key ) ) {
798	delete_metadata_by_mid( 'post', $meta->id );
799	} elseif ( ! empty( $meta->key ) && ! empty( $meta->previous_value ) && current_user_can( 'delete_post_meta', $post_id, $unslashed_meta_key ) ) {
800	delete_post_meta( $post_id, $meta->key, $meta->previous_value );
801	} elseif ( ! empty( $meta->key ) && current_user_can( 'delete_post_meta', $post_id, $unslashed_meta_key ) ) {
802	delete_post_meta( $post_id, $meta->key );
803	}
804
805	break;
806	case 'add':
807	if ( ! empty( $meta->id ) \|\| ! empty( $meta->previous_value ) ) {
808	break;
809	} elseif ( ! empty( $meta->key ) && ! empty( $meta->value ) && ( current_user_can( 'add_post_meta', $post_id, $unslashed_meta_key ) ) \|\| WPCOM_JSON_API_Metadata::is_public( $meta->key ) ) {
810	add_post_meta( $post_id, $meta->key, $meta->value );
811	}
812
813	break;
814	case 'update':
815	if ( ! isset( $meta->value ) ) {
816	break;
817	} elseif ( ! empty( $meta->id ) && ! empty( $existing_meta_item->meta_key ) && ( current_user_can( 'edit_post_meta', $post_id, $unslashed_existing_meta_key ) \|\| WPCOM_JSON_API_Metadata::is_public( $meta->key ) ) ) {
818	update_metadata_by_mid( 'post', $meta->id, $meta->value );
819	} elseif ( ! empty( $meta->key ) && ! empty( $meta->previous_value ) && ( current_user_can( 'edit_post_meta', $post_id, $unslashed_meta_key ) \|\| WPCOM_JSON_API_Metadata::is_public( $meta->key ) ) ) {
820	update_post_meta( $post_id, $meta->key, $meta->value, $meta->previous_value );
821	} elseif ( ! empty( $meta->key ) && ( current_user_can( 'edit_post_meta', $post_id, $unslashed_meta_key ) \|\| WPCOM_JSON_API_Metadata::is_public( $meta->key ) ) ) {
822	update_post_meta( $post_id, $meta->key, $meta->value );
823	}
824
825	break;
826	}
827	}
828	}
829
830	/**
831	* Fires when a post is created via the REST API.
832	*
833	* @module json-api
834	*
835	* @since 2.3.0
836	*
837	* @param int $post_id Post ID.
838	* @param array $insert Data used to build the post.
839	* @param string $new New post URL suffix.
840	*/
841	do_action( 'rest_api_inserted_post', $post_id, $insert, $new );
842
843	$return = $this->get_post_by( 'ID', $post_id, $args['context'] );
844	if ( ! $return \|\| is_wp_error( $return ) ) {
845	return $return;
846	}
847
848	if ( isset( $input['type'] ) && 'revision' === $input['type'] ) {
849	$return['preview_nonce'] = wp_create_nonce( 'post_preview_' . $input['parent'] );
850	}
851
852	if ( isset( $sticky ) ) {
853	// workaround for sticky test occasionally failing, maybe a race condition with stick_post() above.
854	$return['sticky'] = ( true === $sticky );
855	}
856
857	/** This action is documented in json-endpoints/class.wpcom-json-api-site-settings-endpoint.php */
858	do_action( 'wpcom_json_api_objects', 'posts' );
859
860	return $return;
861	}
862
863	/**
864	* Delete a post.
865	*
866	* /sites/%s/posts/%d/delete -> $blog_id, $post_id
867	*
868	* @param string $path API path.
869	* @param array $blog_id Blog ID.
870	* @param array $post_id Post ID.
871	*
872	* @return array\|WP_Error
873	*/
874	public function delete_post( $path, $blog_id, $post_id ) {
875	$post = get_post( $post_id );
876	if ( ! $post \|\| is_wp_error( $post ) ) {
877	return new WP_Error( 'unknown_post', 'Unknown post', 404 );
878	}
879
880	if ( ! $this->is_post_type_allowed( $post->post_type ) ) {
881	return new WP_Error( 'unknown_post_type', 'Unknown post type', 404 );
882	}
883
884	if ( ! current_user_can( 'delete_post', $post->ID ) ) {
885	return new WP_Error( 'unauthorized', 'User cannot delete posts', 403 );
886	}
887
888	$args = $this->query_args();
889	$return = $this->get_post_by( 'ID', $post->ID, $args['context'] );
890	if ( ! $return \|\| is_wp_error( $return ) ) {
891	return $return;
892	}
893
894	/** This action is documented in json-endpoints/class.wpcom-json-api-site-settings-endpoint.php */
895	do_action( 'wpcom_json_api_objects', 'posts' );
896
897	// we need to call wp_trash_post so that untrash will work correctly for all post types.
898	if ( 'trash' === $post->post_status ) {
899	wp_delete_post( $post->ID );
900	} else {
901	wp_trash_post( $post->ID );
902	}
903
904	$status = get_post_status( $post->ID );
905	if ( false === $status ) {
906	$return['status'] = 'deleted';
907	return $return;
908	}
909
910	return $this->get_post_by( 'ID', $post->ID, $args['context'] );
911	}
912
913	/**
914	* Restore a post.
915	*
916	* /sites/%s/posts/%d/restore -> $blog_id, $post_id
917	*
918	* @param string $path API path.
919	* @param int $blog_id Blog ID.
920	* @param int $post_id Post ID.
921	*
922	* @return array\|WP_Error
923	*/
924	public function restore_post( $path, $blog_id, $post_id ) {
925	$args = $this->query_args();
926	$post = get_post( $post_id );
927
928	if ( ! $post \|\| is_wp_error( $post ) ) {
929	return new WP_Error( 'unknown_post', 'Unknown post', 404 );
930	}
931
932	if ( ! current_user_can( 'delete_post', $post->ID ) ) {
933	return new WP_Error( 'unauthorized', 'User cannot restore trashed posts', 403 );
934	}
935
936	/** This action is documented in json-endpoints/class.wpcom-json-api-site-settings-endpoint.php */
937	do_action( 'wpcom_json_api_objects', 'posts' );
938
939	wp_untrash_post( $post->ID );
940
941	return $this->get_post_by( 'ID', $post->ID, $args['context'] );
942	}
943
944	/**
945	* Set or delete a post's featured image.
946	*
947	* @param int $post_id Post ID.
948	* @param bool $delete_featured_image Whether to delete the featured image.
949	* @param int $featured_image Thumbnail ID to attach.
950	*
951	* @return null\|int\|bool
952	*/
953	private function parse_and_set_featured_image( $post_id, $delete_featured_image, $featured_image ) {
954	if ( $delete_featured_image ) {
955	delete_post_thumbnail( $post_id );
956	return;
957	}
958
959	$featured_image = (string) $featured_image;
960
961	// if we got a post ID, we can just set it as the thumbnail.
962	if ( ctype_digit( $featured_image ) && 'attachment' === get_post_type( $featured_image ) ) {
963	set_post_thumbnail( $post_id, $featured_image );
964	return $featured_image;
965	}
966
967	$featured_image_id = $this->handle_media_sideload( $featured_image, $post_id, 'image' );
968
969	if ( empty( $featured_image_id ) \|\| ! is_int( $featured_image_id ) ) {
970	return false;
971	}
972
973	set_post_thumbnail( $post_id, $featured_image_id );
974	return $featured_image_id;
975	}
976
977	/**
978	* Get the Author ID for a post.
979	*
980	* @param int\|string $author Author ID.
981	* @param string $post_type Post type.
982	*
983	* @return int\|WP_Error
984	*/
985	private function parse_and_set_author( $author = null, $post_type = 'post' ) {
986	if ( empty( $author ) \|\| ! post_type_supports( $post_type, 'author' ) ) {
987	return get_current_user_id();
988	}
989
990	$author = (string) $author;
991	if ( ctype_digit( $author ) ) {
992	$_user = get_user_by( 'id', $author );
993	if ( ! $_user \|\| is_wp_error( $_user ) ) {
994	return new WP_Error( 'invalid_author', 'Invalid author provided' );
995	}
996
997	return $_user->ID;
998	}
999
1000	$_user = get_user_by( 'login', $author );
1001	if ( ! $_user \|\| is_wp_error( $_user ) ) {
1002	return new WP_Error( 'invalid_author', 'Invalid author provided' );
1003	}
1004
1005	return $_user->ID;
1006	}
1007	}
1008