class.wpcom-json-api-update-post-endpoint.php — Jetpack – WP Security, Backup, Speed, & Growth 13.8.2

jetpack / json-endpoints / class.wpcom-json-api-update-post-endpoint.php

jetpack / json-endpoints Last commit date

class.wpcom-json-api-update-post-endpoint.php

1009 lines

1	<?php // phpcs:ignore WordPress.Files.FileName.InvalidClassFileName
2	/**
3	* Update post endpoint.
4	*
5	* Endpoints:
6	* Create a post: /sites/%s/posts/new
7	* Update a post: /sites/%s/posts/%d
8	* Delete a post: /sites/%s/posts/%d/delete
9	* Restore a post: /sites/%s/posts/%d/restore
10	*/
11
12	new WPCOM_JSON_API_Update_Post_Endpoint(
13	array(
14	'description' => 'Create a post.',
15	'group' => 'posts',
16	'stat' => 'posts:new',
17	'new_version' => '1.2',
18	'max_version' => '1',
19	'method' => 'POST',
20	'path' => '/sites/%s/posts/new',
21	'path_labels' => array(
22	'$site' => '(int\|string) Site ID or domain',
23	),
24
25	'request_format' => array(
26	// explicitly document all input.
27	'date' => "(ISO 8601 datetime) The post's creation time.",
28	'title' => '(HTML) The post title.',
29	'content' => '(HTML) The post content.',
30	'excerpt' => '(HTML) An optional post excerpt.',
31	'slug' => '(string) The name (slug) for the post, used in URLs.',
32	'author' => '(string) The username or ID for the user to assign the post to.',
33	'publicize' => '(array\|bool) True or false if the post be shared to external services. An array of services if we only want to share to a select few. Defaults to true.',
34	'publicize_message' => '(string) Custom message to be shared to external services.',
35	'status' => array(
36	'publish' => 'Publish the post.',
37	'private' => 'Privately publish the post.',
38	'draft' => 'Save the post as a draft.',
39	'pending' => 'Mark the post as pending editorial approval.',
40	'auto-draft' => 'Save a placeholder for a newly created post, with no content.',
41	),
42	'sticky' => array(
43	'false' => 'Post is not marked as sticky.',
44	'true' => 'Stick the post to the front page.',
45	),
46	'password' => '(string) The plaintext password protecting the post, or, more likely, the empty string if the post is not password protected.',
47	'parent' => "(int) The post ID of the new post's parent.",
48	'type' => "(string) The post type. Defaults to 'post'. Post types besides post and page need to be whitelisted using the <code>rest_api_allowed_post_types</code> filter.",
49	'categories' => '(array\|string) Comma-separated list or array of categories (name or id)',
50	'tags' => '(array\|string) Comma-separated list or array of tags (name or id)',
51	'format' => array_merge( array( 'default' => 'Use default post format' ), get_post_format_strings() ),
52	'featured_image' => '(string) The post ID of an existing attachment to set as the featured image. Pass an empty string to delete the existing image.',
53	'media' => '(media) An array of files to attach to the post. To upload media, the entire request should be multipart/form-data encoded. Multiple media items will be displayed in a gallery. Accepts jpg, jpeg, png, gif, pdf, doc, ppt, odt, pptx, docx, pps, ppsx, xls, xlsx, key. Audio and Video may also be available. See <code>allowed_file_types</code> in the options response of the site endpoint. <br /><br /><strong>Example</strong>:<br />' .
54	"<code>curl \<br />--form 'title=Image' \<br />--form 'media[]=@/path/to/file.jpg' \<br />-H 'Authorization: BEARER your-token' \<br />'https://public-api.wordpress.com/rest/v1/sites/123/posts/new'</code>",
55	'media_urls' => '(array) An array of URLs for images to attach to a post. Sideloads the media in for a post.',
56	'metadata' => '(array) Array of metadata objects containing the following properties: `key` (metadata key), `id` (meta ID), `previous_value` (if set, the action will only occur for the provided previous value), `value` (the new value to set the meta to), `operation` (the operation to perform: `update` or `add`; defaults to `update`). All unprotected meta keys are available by default for read requests. Both unprotected and protected meta keys are avaiable for authenticated requests with proper capabilities. Protected meta keys can be made available with the <code>rest_api_allowed_public_metadata</code> filter.',
57	'comments_open' => "(bool) Should the post be open to comments? Defaults to the blog's preference.",
58	'pings_open' => "(bool) Should the post be open to comments? Defaults to the blog's preference.",
59	'likes_enabled' => "(bool) Should the post be open to likes? Defaults to the blog's preference.",
60	'sharing_enabled' => '(bool) Should sharing buttons show on this post? Defaults to true.',
61	'menu_order' => '(int) (Pages Only) the order pages should appear in. Use 0 to maintain alphabetical order.',
62	),
63
64	'example_request' => 'https://public-api.wordpress.com/rest/v1/sites/82974409/posts/new/',
65
66	'example_request_data' => array(
67	'headers' => array(
68	'authorization' => 'Bearer YOUR_API_TOKEN',
69	),
70
71	'body' => array(
72	'title' => 'Hello World',
73	'content' => 'Hello. I am a test post. I was created by the API',
74	'tags' => 'tests',
75	'categories' => 'API',
76	),
77	),
78	)
79	);
80
81	new WPCOM_JSON_API_Update_Post_Endpoint(
82	array(
83	'description' => 'Edit a post.',
84	'group' => 'posts',
85	'stat' => 'posts:1:POST',
86	'new_version' => '1.2',
87	'max_version' => '1',
88	'method' => 'POST',
89	'path' => '/sites/%s/posts/%d',
90	'path_labels' => array(
91	'$site' => '(int\|string) Site ID or domain',
92	'$post_ID' => '(int) The post ID',
93	),
94
95	'request_format' => array(
96	'date' => "(ISO 8601 datetime) The post's creation time.",
97	'title' => '(HTML) The post title.',
98	'content' => '(HTML) The post content.',
99	'excerpt' => '(HTML) An optional post excerpt.',
100	'slug' => '(string) The name (slug) for the post, used in URLs.',
101	'author' => '(string) The username or ID for the user to assign the post to.',
102	'publicize' => '(array\|bool) True or false if the post be shared to external services. An array of services if we only want to share to a select few. Defaults to true.',
103	'publicize_message' => '(string) Custom message to be shared to external services.',
104	'status' => array(
105	'publish' => 'Publish the post.',
106	'private' => 'Privately publish the post.',
107	'draft' => 'Save the post as a draft.',
108	'pending' => 'Mark the post as pending editorial approval.',
109	'trash' => 'Set the post as trashed.',
110	),
111	'sticky' => array(
112	'false' => 'Post is not marked as sticky.',
113	'true' => 'Stick the post to the front page.',
114	),
115	'password' => '(string) The plaintext password protecting the post, or, more likely, the empty string if the post is not password protected.',
116	'parent' => "(int) The post ID of the new post's parent.",
117	'categories' => '(array\|string) Comma-separated list or array of categories (name or id)',
118	'tags' => '(array\|string) Comma-separated list or array of tags (name or id)',
119	'format' => array_merge( array( 'default' => 'Use default post format' ), get_post_format_strings() ),
120	'comments_open' => '(bool) Should the post be open to comments?',
121	'pings_open' => '(bool) Should the post be open to comments?',
122	'likes_enabled' => '(bool) Should the post be open to likes?',
123	'menu_order' => '(int) (Pages Only) the order pages should appear in. Use 0 to maintain alphabetical order.',
124	'sharing_enabled' => '(bool) Should sharing buttons show on this post?',
125	'featured_image' => '(string) The post ID of an existing attachment to set as the featured image. Pass an empty string to delete the existing image.',
126	'media' => '(media) An array of files to attach to the post. To upload media, the entire request should be multipart/form-data encoded. Multiple media items will be displayed in a gallery. Accepts jpg, jpeg, png, gif, pdf, doc, ppt, odt, pptx, docx, pps, ppsx, xls, xlsx, key. Audio and Video may also be available. See <code>allowed_file_types</code> in the options resposne of the site endpoint. <br /><br /><strong>Example</strong>:<br />' .
127	"<code>curl \<br />--form 'title=Image' \<br />--form 'media[]=@/path/to/file.jpg' \<br />-H 'Authorization: BEARER your-token' \<br />'https://public-api.wordpress.com/rest/v1/sites/123/posts/new'</code>",
128	'media_urls' => '(array) An array of URLs for images to attach to a post. Sideloads the media in for a post.',
129	'metadata' => '(array) Array of metadata objects containing the following properties: `key` (metadata key), `id` (meta ID), `previous_value` (if set, the action will only occur for the provided previous value), `value` (the new value to set the meta to), `operation` (the operation to perform: `update` or `add`; defaults to `update`). All unprotected meta keys are available by default for read requests. Both unprotected and protected meta keys are available for authenticated requests with proper capabilities. Protected meta keys can be made available with the <code>rest_api_allowed_public_metadata</code> filter.',
130	),
131
132	'example_request' => 'https://public-api.wordpress.com/rest/v1/sites/82974409/posts/881',
133
134	'example_request_data' => array(
135	'headers' => array(
136	'authorization' => 'Bearer YOUR_API_TOKEN',
137	),
138
139	'body' => array(
140	'title' => 'Hello World (Again)',
141	'content' => 'Hello. I am an edited post. I was edited by the API',
142	'tags' => 'tests',
143	'categories' => 'API',
144	),
145	),
146	)
147	);
148
149	new WPCOM_JSON_API_Update_Post_Endpoint(
150	array(
151	'description' => 'Delete a post. Note: If the trash is enabled, this request will send the post to the trash. A second request will permanently delete the post.',
152	'group' => 'posts',
153	'stat' => 'posts:1:delete',
154	'new_version' => '1.1',
155	'max_version' => '1',
156	'method' => 'POST',
157	'path' => '/sites/%s/posts/%d/delete',
158	'path_labels' => array(
159	'$site' => '(int\|string) Site ID or domain',
160	'$post_ID' => '(int) The post ID',
161	),
162
163	'example_request' => 'https://public-api.wordpress.com/rest/v1/sites/82974409/posts/$post_ID/delete/',
164
165	'example_request_data' => array(
166	'headers' => array(
167	'authorization' => 'Bearer YOUR_API_TOKEN',
168	),
169	),
170	)
171	);
172
173	new WPCOM_JSON_API_Update_Post_Endpoint(
174	array(
175	'description' => 'Restore a post or page from the trash to its previous status.',
176	'group' => 'posts',
177	'stat' => 'posts:1:restore',
178
179	'method' => 'POST',
180	'new_version' => '1.1',
181	'max_version' => '1',
182	'path' => '/sites/%s/posts/%d/restore',
183	'path_labels' => array(
184	'$site' => '(int\|string) Site ID or domain',
185	'$post_ID' => '(int) The post ID',
186	),
187
188	'example_request' => 'https://public-api.wordpress.com/rest/v1/sites/82974409/posts/$post_ID/restore/',
189
190	'example_request_data' => array(
191	'headers' => array(
192	'authorization' => 'Bearer YOUR_API_TOKEN',
193	),
194	),
195	)
196	);
197
198	/**
199	* Update post endpoint class.
200	*/
201	class WPCOM_JSON_API_Update_Post_Endpoint extends WPCOM_JSON_API_Post_Endpoint {
202	/**
203	* WPCOM_JSON_API_Update_Post_Endpoint constructor.
204	*
205	* @param array $args Args.
206	*/
207	public function __construct( $args ) {
208	parent::__construct( $args );
209	if ( $this->api->ends_with( $this->path, '/delete' ) ) {
210	$this->post_object_format['status']['deleted'] = 'The post has been deleted permanently.';
211	}
212	}
213
214	/**
215	* Update post API callback.
216	*
217	* /sites/%s/posts/new -> $blog_id
218	* /sites/%s/posts/%d -> $blog_id, $post_id
219	* /sites/%s/posts/%d/delete -> $blog_id, $post_id
220	* /sites/%s/posts/%d/restore -> $blog_id, $post_id
221	*
222	* @param string $path API path.
223	* @param int $blog_id Blog ID.
224	* @param int $post_id Post ID.
225	*
226	* @return array\|bool\|WP_Error
227	*/
228	public function callback( $path = '', $blog_id = 0, $post_id = 0 ) {
229	$blog_id = $this->api->switch_to_blog_and_validate_user( $this->api->get_blog_id( $blog_id ) );
230	if ( is_wp_error( $blog_id ) ) {
231	return $blog_id;
232	}
233
234	if ( $this->api->ends_with( $path, '/delete' ) ) {
235	return $this->delete_post( $path, $blog_id, $post_id );
236	} elseif ( $this->api->ends_with( $path, '/restore' ) ) {
237	return $this->restore_post( $path, $blog_id, $post_id );
238	} else {
239	return $this->write_post( $path, $blog_id, $post_id );
240	}
241	}
242
243	/**
244	* Create or update a post.
245	*
246	* /sites/%s/posts/new -> $blog_id
247	* /sites/%s/posts/%d -> $blog_id, $post_id
248	*
249	* @param string $path API path.
250	* @param int $blog_id Blog ID.
251	* @param int $post_id Post ID.
252	*/
253	public function write_post( $path, $blog_id, $post_id ) {
254	$delete_featured_image = null;
255	$new = $this->api->ends_with( $path, '/new' );
256	$args = $this->query_args();
257
258	// unhook publicize, it's hooked again later -- without this, skipping services is impossible.
259	if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
260	remove_action( 'save_post', array( $GLOBALS['publicize_ui']->publicize, 'async_publicize_post' ), 100, 2 );
261	add_action( 'rest_api_inserted_post', array( $GLOBALS['publicize_ui']->publicize, 'async_publicize_post' ) );
262	}
263
264	if ( $new ) {
265	$input = $this->input( true );
266
267	// default to post.
268	if ( empty( $input['type'] ) ) {
269	$input['type'] = 'post';
270	}
271
272	if ( 'revision' === $input['type'] ) {
273	if ( ! isset( $input['parent'] ) ) {
274	return new WP_Error( 'invalid_input', 'Invalid request input', 400 );
275	}
276	$input['status'] = 'inherit'; // force inherit for revision type.
277	$input['slug'] = $input['parent'] . '-autosave-v1';
278	} elseif ( ! isset( $input['title'] ) && ! isset( $input['content'] ) && ! isset( $input['excerpt'] ) ) {
279	return new WP_Error( 'invalid_input', 'Invalid request input', 400 );
280	}
281
282	$post_type = get_post_type_object( $input['type'] );
283
284	if ( ! $this->is_post_type_allowed( $input['type'] ) ) {
285	return new WP_Error( 'unknown_post_type', 'Unknown post type', 404 );
286	}
287
288	if ( ! empty( $input['author'] ) ) {
289	$author_id = $this->parse_and_set_author( $input['author'], $input['type'] );
290	unset( $input['author'] );
291	if ( is_wp_error( $author_id ) ) {
292	return $author_id;
293	}
294	}
295
296	if ( 'publish' === $input['status'] ) {
297	if ( ! current_user_can( $post_type->cap->publish_posts ) ) {
298	if ( current_user_can( $post_type->cap->edit_posts ) ) {
299	$input['status'] = 'pending';
300	} else {
301	return new WP_Error( 'unauthorized', 'User cannot publish posts', 403 );
302	}
303	}
304	} elseif ( ! current_user_can( $post_type->cap->edit_posts ) ) {
305	return new WP_Error( 'unauthorized', 'User cannot edit posts', 403 );
306	}
307	} else {
308	$input = $this->input( false );
309
310	if ( ! is_array( $input ) \|\| ! $input ) {
311	return new WP_Error( 'invalid_input', 'Invalid request input', 400 );
312	}
313
314	if ( isset( $input['status'] ) && 'trash' === $input['status'] && ! current_user_can( 'delete_post', $post_id ) ) {
315	return new WP_Error( 'unauthorized', 'User cannot delete post', 403 );
316	}
317
318	$post = get_post( $post_id );
319	$_post_type = ( ! empty( $input['type'] ) ) ? $input['type'] : $post->post_type;
320	$post_type = get_post_type_object( $_post_type );
321	if ( ! $post \|\| is_wp_error( $post ) ) {
322	return new WP_Error( 'unknown_post', 'Unknown post', 404 );
323	}
324
325	if ( ! current_user_can( 'edit_post', $post->ID ) ) {
326	return new WP_Error( 'unauthorized', 'User cannot edit post', 403 );
327	}
328
329	if ( ! empty( $input['author'] ) ) {
330	$author_id = $this->parse_and_set_author( $input['author'], $_post_type );
331	unset( $input['author'] );
332	if ( is_wp_error( $author_id ) ) {
333	return $author_id;
334	}
335	}
336
337	if ( ( isset( $input['status'] ) && 'publish' === $input['status'] ) && 'publish' !== $post->post_status && ! current_user_can( 'publish_post', $post->ID ) ) {
338	$input['status'] = 'pending';
339	}
340	$last_status = $post->post_status;
341	$new_status = isset( $input['status'] ) ? $input['status'] : $last_status;
342
343	// Make sure that drafts get the current date when transitioning to publish if not supplied in the post.
344	$date_in_past = ( strtotime( $post->post_date_gmt ) < time() );
345	if ( 'publish' === $new_status && 'draft' === $last_status && ! isset( $input['date_gmt'] ) && $date_in_past ) {
346	$input['date_gmt'] = gmdate( 'Y-m-d H:i:s' );
347	}
348
349	// Untrash a post so that the proper hooks get called as well as the comments get untrashed.
350	if ( 'trash' === $last_status && 'trash' !== $new_status && isset( $post->ID ) ) {
351	wp_untrash_post( $post->ID );
352	$untashed_post = get_post( $post->ID );
353	// Lets make sure that we use the revert the slug.
354	if ( isset( $untashed_post->post_name ) && $untashed_post->post_name . '__trashed' === $input['slug'] ) {
355	unset( $input['slug'] );
356	}
357	}
358	}
359
360	if ( function_exists( 'wpcom_switch_to_locale' ) ) {
361	// fixes calypso-pre-oss #12476: respect blog locale when creating the post slug.
362	wpcom_switch_to_locale( get_blog_lang_code( $blog_id ) );
363	}
364
365	// If date was set, $this->input will set date_gmt, date still needs to be adjusted for the blog's offset.
366	if ( isset( $input['date_gmt'] ) ) {
367	$gmt_offset = get_option( 'gmt_offset' );
368	$time_with_offset = strtotime( $input['date_gmt'] ) + $gmt_offset * HOUR_IN_SECONDS;
369	$input['date'] = gmdate( 'Y-m-d H:i:s', $time_with_offset );
370	}
371
372	if ( ! empty( $author_id ) && get_current_user_id() !== $author_id ) {
373	if ( ! current_user_can( $post_type->cap->edit_others_posts ) ) {
374	return new WP_Error( 'unauthorized', "User is not allowed to publish others' posts.", 403 );
375	} elseif ( ! user_can( $author_id, $post_type->cap->edit_posts ) ) {
376	return new WP_Error( 'unauthorized', 'Assigned author cannot publish post.', 403 );
377	}
378	}
379
380	if ( ! is_post_type_hierarchical( $post_type->name ) && 'revision' !== $post_type->name ) {
381	unset( $input['parent'] );
382	}
383
384	$tax_input = array();
385
386	foreach ( array(
387	'categories' => 'category',
388	'tags' => 'post_tag',
389	) as $key => $taxonomy ) {
390	if ( ! isset( $input[ $key ] ) ) {
391	continue;
392	}
393
394	$tax_input[ $taxonomy ] = array();
395
396	$is_hierarchical = is_taxonomy_hierarchical( $taxonomy );
397
398	if ( is_array( $input[ $key ] ) ) {
399	$terms = $input[ $key ];
400	} else {
401	$terms = explode( ',', $input[ $key ] );
402	}
403
404	foreach ( $terms as $term ) {
405	/**
406	* `curl --data 'category[]=123'` should be interpreted as a category ID,
407	* not a category whose name is '123'.
408	*
409	* Consequence: To add a category/tag whose name is '123', the client must
410	* first look up its ID.
411	*/
412	$term = (string) $term; // ctype_digit compat.
413	if ( ctype_digit( $term ) ) {
414	$term = (int) $term;
415	}
416
417	$term_info = term_exists( $term, $taxonomy );
418
419	if ( ! $term_info ) {
420	// A term ID that doesn't already exist. Ignore it: we don't know what name to give it.
421	if ( is_int( $term ) ) {
422	continue;
423	}
424	// only add a new tag/cat if the user has access to.
425	$tax = get_taxonomy( $taxonomy );
426
427	// see https://core.trac.wordpress.org/ticket/26409 .
428	if ( 'category' === $taxonomy && ! current_user_can( $tax->cap->edit_terms ) ) {
429	continue;
430	} elseif ( ! current_user_can( $tax->cap->assign_terms ) ) {
431	continue;
432	}
433
434	$term_info = wp_insert_term( $term, $taxonomy );
435	}
436
437	if ( ! is_wp_error( $term_info ) ) {
438	if ( $is_hierarchical ) {
439	// Categories must be added by ID.
440	$tax_input[ $taxonomy ][] = (int) $term_info['term_id'];
441	} elseif ( is_int( $term ) ) { // Tags must be added by name.
442	$term = get_term( $term, $taxonomy );
443	$tax_input[ $taxonomy ][] = $term->name;
444	} else {
445	$tax_input[ $taxonomy ][] = $term;
446	}
447	}
448	}
449	}
450
451	if ( isset( $input['categories'] ) && empty( $tax_input['category'] ) && 'revision' !== $post_type->name ) {
452	$tax_input['category'][] = get_option( 'default_category' );
453	}
454
455	unset( $input['tags'], $input['categories'] );
456
457	$insert = array();
458
459	if ( ! empty( $input['slug'] ) ) {
460	$insert['post_name'] = $input['slug'];
461	unset( $input['slug'] );
462	}
463
464	if ( isset( $input['comments_open'] ) ) {
465	$insert['comment_status'] = ( true === $input['comments_open'] ) ? 'open' : 'closed';
466	}
467
468	if ( isset( $input['pings_open'] ) ) {
469	$insert['ping_status'] = ( true === $input['pings_open'] ) ? 'open' : 'closed';
470	}
471
472	unset( $input['comments_open'], $input['pings_open'] );
473
474	if ( isset( $input['menu_order'] ) ) {
475	$insert['menu_order'] = $input['menu_order'];
476	unset( $input['menu_order'] );
477	}
478
479	$publicize = isset( $input['publicize'] ) ? $input['publicize'] : null;
480	unset( $input['publicize'] );
481
482	$publicize_custom_message = isset( $input['publicize_message'] ) ? $input['publicize_message'] : null;
483	unset( $input['publicize_message'] );
484
485	if ( isset( $input['featured_image'] ) ) {
486	$featured_image = trim( $input['featured_image'] );
487	$delete_featured_image = empty( $featured_image );
488	unset( $input['featured_image'] );
489	}
490
491	$metadata = isset( $input['metadata'] ) ? $input['metadata'] : null;
492	unset( $input['metadata'] );
493
494	$likes = isset( $input['likes_enabled'] ) ? $input['likes_enabled'] : null;
495	unset( $input['likes_enabled'] );
496
497	$sharing = isset( $input['sharing_enabled'] ) ? $input['sharing_enabled'] : null;
498	unset( $input['sharing_enabled'] );
499
500	$sticky = isset( $input['sticky'] ) ? $input['sticky'] : null;
501	unset( $input['sticky'] );
502
503	foreach ( $input as $key => $value ) {
504	$insert[ "post_$key" ] = $value;
505	}
506
507	if ( ! empty( $author_id ) ) {
508	$insert['post_author'] = absint( $author_id );
509	}
510
511	if ( ! empty( $tax_input ) ) {
512	$insert['tax_input'] = $tax_input;
513	}
514
515	$has_media = isset( $input['media'] ) && $input['media'] ? count( $input['media'] ) : false;
516	$has_media_by_url = isset( $input['media_urls'] ) && $input['media_urls'] ? count( $input['media_urls'] ) : false;
517
518	if ( $new ) {
519
520	if ( isset( $input['content'] ) && ! has_shortcode( $input['content'], 'gallery' ) && ( $has_media \|\| $has_media_by_url ) ) {
521	switch ( ( $has_media + $has_media_by_url ) ) {
522	case 0:
523	// No images - do nothing.
524	break;
525	case 1:
526	// 1 image - make it big.
527	$input['content'] = "[gallery size=full columns=1]\n\n" . $input['content'];
528	$insert['post_content'] = $input['content'];
529	break;
530	default:
531	// Several images - 3 column gallery.
532	$input['content'] = "[gallery]\n\n" . $input['content'];
533	$insert['post_content'] = $input['content'];
534	break;
535	}
536	}
537
538	$post_id = wp_insert_post( add_magic_quotes( $insert ), true );
539	} else {
540	$insert['ID'] = $post->ID;
541
542	// wp_update_post ignores date unless edit_date is set
543	// See: https://codex.wordpress.org/Function_Reference/wp_update_post#Scheduling_posts
544	// See: https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/post.php#L3302 .
545	if ( isset( $input['date_gmt'] ) \|\| isset( $input['date'] ) ) {
546	$insert['edit_date'] = true;
547	}
548
549	// this two-step process ensures any changes submitted along with status=trash get saved before trashing.
550	if ( isset( $input['status'] ) && 'trash' === $input['status'] ) {
551	// if we insert it with status='trash', it will get double-trashed, so insert it as a draft first.
552	unset( $insert['status'] );
553	$post_id = wp_update_post( (object) $insert );
554	// now call wp_trash_post so post_meta gets set and any filters get called.
555	wp_trash_post( $post_id );
556	} else {
557	$post_id = wp_update_post( (object) $insert );
558	}
559	}
560
561	if ( ! $post_id \|\| is_wp_error( $post_id ) ) {
562	return $post_id;
563	}
564
565	// make sure this post actually exists and is not an error of some kind (ie, trying to load media in the posts endpoint).
566	$post_check = $this->get_post_by( 'ID', $post_id, $args['context'] );
567	if ( is_wp_error( $post_check ) ) {
568	return $post_check;
569	}
570
571	if ( $has_media ) {
572	$this->api->trap_wp_die( 'upload_error' );
573	foreach ( $input['media'] as $media_item ) {
574	$_FILES['.api.media.item.'] = $media_item;
575	// check for WP_Error if we ever actually need $media_id .
576	$media_id = media_handle_upload( '.api.media.item.', $post_id ); // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
577	}
578	$this->api->trap_wp_die( null );
579
580	unset( $_FILES['.api.media.item.'] );
581	}
582
583	if ( $has_media_by_url ) {
584	foreach ( $input['media_urls'] as $url ) {
585	$this->handle_media_sideload( $url, $post_id );
586	}
587	}
588
589	// Set like status for the post.
590	/** This filter is documented in modules/likes.php */
591	$sitewide_likes_enabled = (bool) apply_filters( 'wpl_is_enabled_sitewide', ! get_option( 'disabled_likes' ) );
592	if ( $new ) {
593	if ( $sitewide_likes_enabled ) {
594	if ( false === $likes ) {
595	update_post_meta( $post_id, 'switch_like_status', 0 );
596	} else {
597	delete_post_meta( $post_id, 'switch_like_status' );
598	}
599	} elseif ( $likes ) {
600	update_post_meta( $post_id, 'switch_like_status', 1 );
601	} else {
602	delete_post_meta( $post_id, 'switch_like_status' );
603	}
604	} elseif ( isset( $likes ) ) {
605	if ( $sitewide_likes_enabled ) {
606	if ( false === $likes ) {
607	update_post_meta( $post_id, 'switch_like_status', 0 );
608	} else {
609	delete_post_meta( $post_id, 'switch_like_status' );
610	}
611	} elseif ( true === $likes ) {
612	update_post_meta( $post_id, 'switch_like_status', 1 );
613	} else {
614	delete_post_meta( $post_id, 'switch_like_status' );
615	}
616	}
617
618	// Set sharing status of the post.
619	if ( $new ) {
620	$sharing_enabled = isset( $sharing ) ? (bool) $sharing : true;
621	if ( false === $sharing_enabled ) {
622	update_post_meta( $post_id, 'sharing_disabled', 1 );
623	}
624	} elseif ( isset( $sharing ) && true === $sharing ) {
625	delete_post_meta( $post_id, 'sharing_disabled' );
626	} elseif ( isset( $sharing ) && false == $sharing ) { // phpcs:ignore Universal.Operators.StrictComparisons.LooseEqual
627	update_post_meta( $post_id, 'sharing_disabled', 1 );
628	}
629
630	if ( isset( $sticky ) ) {
631	if ( true === $sticky ) {
632	stick_post( $post_id );
633	} else {
634	unstick_post( $post_id );
635	}
636	}
637
638	// WPCOM Specific (Jetpack's will get bumped elsewhere
639	// Tracks how many posts are published and sets meta
640	// so we can track some other cool stats (like likes & comments on posts published).
641	if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
642	if (
643	( $new && 'publish' === $input['status'] )
644	\|\| (
645	! $new && isset( $last_status )
646	&& 'publish' !== $last_status
647	&& isset( $new_status )
648	&& 'publish' === $new_status
649	)
650	) {
651	/** This action is documented in modules/widgets/social-media-icons.php */
652	do_action( 'jetpack_bump_stats_extras', 'api-insights-posts', $this->api->token_details['client_id'] );
653	update_post_meta( $post_id, '_rest_api_published', 1 );
654	update_post_meta( $post_id, '_rest_api_client_id', $this->api->token_details['client_id'] );
655	}
656	}
657
658	// We ask the user/dev to pass Publicize services he/she wants activated for the post, but Publicize expects us
659	// to instead flag the ones we don't want to be skipped. proceed with said logic.
660	// any posts coming from Path (client ID 25952) should also not publicize.
661	if ( false === $publicize \|\| ( isset( $this->api->token_details['client_id'] ) && 25952 === (int) $this->api->token_details['client_id'] ) ) {
662	// No publicize at all, skip all by ID.
663	foreach ( $GLOBALS['publicize_ui']->publicize->get_services( 'all' ) as $name => $service ) {
664	delete_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_SKIP . $name );
665	$service_connections = $GLOBALS['publicize_ui']->publicize->get_connections( $name );
666	if ( ! $service_connections ) {
667	continue;
668	}
669	foreach ( $service_connections as $service_connection ) {
670	update_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_SKIP . $service_connection->unique_id, 1 );
671	}
672	}
673	} elseif ( is_array( $publicize ) && ( $publicize !== array() ) ) {
674	foreach ( $GLOBALS['publicize_ui']->publicize->get_services( 'all' ) as $name => $service ) {
675	/*
676	* We support both indexed and associative arrays:
677	* * indexed are to pass entire services
678	* * associative are to pass specific connections per service
679	*
680	* We do support mixed arrays: mixed integer and string keys (see 3rd example below).
681	*
682	* EG: array( 'linkedin', 'facebook') will only publicize to those, ignoring the other available services
683	* Form data: publicize[]=linkedin&publicize[]=facebook
684	* EG: array( 'linkedin' => '(int) $pub_conn_id_0, (int) $pub_conn_id_3', 'facebook' => (int) $pub_conn_id_7 ) will publicize to two LinkedIn accounts, and one Facebook connection, of potentially many.
685	* Form data: publicize[linkedin]=$pub_conn_id_0,$pub_conn_id_3&publicize[facebook]=$pub_conn_id_7
686	* EG: array( 'linkedin', 'facebook' => '(int) $pub_conn_id_0, (int) $pub_conn_id_3' ) will publicize to all available LinkedIn accounts, but only 2 of potentially many Facebook connections
687	* Form data: publicize[]=linkedin&publicize[facebook]=$pub_conn_id_0,$pub_conn_id_3
688	*/
689
690	// Delete any stale SKIP value for the service by name. We'll add it back by ID.
691	delete_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_SKIP . $name );
692
693	// Get the user's connections.
694	$service_connections = $GLOBALS['publicize_ui']->publicize->get_connections( $name );
695
696	// if the user doesn't have any connections for this service, move on.
697	if ( ! $service_connections ) {
698	continue;
699	}
700
701	if ( ! in_array( $name, $publicize, true ) && ! array_key_exists( $name, $publicize ) ) {
702	// Skip the whole service by adding each connection ID.
703	foreach ( $service_connections as $service_connection ) {
704	update_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_SKIP . $service_connection->unique_id, 1 );
705	}
706	} elseif ( ! empty( $publicize[ $name ] ) ) {
707	// Seems we're being asked to only push to [a] specific connection[s].
708	// Explode the list on commas, which will also support a single passed ID.
709	$requested_connections = explode( ',', ( preg_replace( '/[\s]*/', '', $publicize[ $name ] ) ) );
710	// Flag the connections we can't match with the requested list to be skipped.
711	foreach ( $service_connections as $service_connection ) {
712	if ( ! in_array( $service_connection->meta['connection_data']->id, $requested_connections, true ) ) {
713	update_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_SKIP . $service_connection->unique_id, 1 );
714	} else {
715	delete_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_SKIP . $service_connection->unique_id );
716	}
717	}
718	} else {
719	// delete all SKIP values; it's okay to publish to all connected IDs for this service.
720	foreach ( $service_connections as $service_connection ) {
721	delete_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_SKIP . $service_connection->unique_id );
722	}
723	}
724	}
725	}
726
727	if ( $publicize_custom_message !== null ) {
728	if ( empty( $publicize_custom_message ) ) {
729	delete_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_MESS );
730	} else {
731	update_post_meta( $post_id, $GLOBALS['publicize_ui']->publicize->POST_MESS, trim( $publicize_custom_message ) );
732	}
733	}
734
735	if ( ! empty( $insert['post_format'] ) ) {
736	if ( 'default' !== strtolower( $insert['post_format'] ) ) {
737	set_post_format( $post_id, $insert['post_format'] );
738	} else {
739	set_post_format( $post_id, get_option( 'default_post_format' ) );
740	}
741	}
742
743	if ( isset( $featured_image ) ) {
744	$this->parse_and_set_featured_image( $post_id, $delete_featured_image, $featured_image );
745	}
746
747	if ( ! empty( $metadata ) ) {
748	foreach ( (array) $metadata as $meta ) {
749
750	$meta = (object) $meta;
751
752	if (
753	in_array( $meta->key, Jetpack_SEO_Posts::POST_META_KEYS_ARRAY, true ) &&
754	! Jetpack_SEO_Utils::is_enabled_jetpack_seo()
755	) {
756	return new WP_Error( 'unauthorized', __( 'SEO tools are not enabled for this site.', 'jetpack' ), 403 );
757	}
758
759	$existing_meta_item = new stdClass();
760
761	if ( empty( $meta->operation ) ) {
762	$meta->operation = 'update';
763	}
764
765	if ( ! empty( $meta->value ) ) {
766	if ( 'true' == $meta->value ) { // phpcs:ignore Universal.Operators.StrictComparisons.LooseEqual
767	$meta->value = true;
768	}
769	if ( 'false' == $meta->value ) { // phpcs:ignore Universal.Operators.StrictComparisons.LooseEqual
770	$meta->value = false;
771	}
772	}
773
774	if ( ! empty( $meta->id ) ) {
775	$meta->id = absint( $meta->id );
776	$existing_meta_item = get_metadata_by_mid( 'post', $meta->id );
777	if ( $post_id !== (int) $existing_meta_item->post_id ) {
778	// Only allow updates for metadata on this post.
779	continue;
780	}
781	}
782
783	$unslashed_meta_key = wp_unslash( $meta->key ); // should match what the final key will be.
784	$meta->key = wp_slash( $meta->key );
785	$unslashed_existing_meta_key = wp_unslash( $existing_meta_item->meta_key );
786	$existing_meta_item->meta_key = wp_slash( $existing_meta_item->meta_key );
787
788	// make sure that the meta id passed matches the existing meta key.
789	if ( ! empty( $meta->id ) && ! empty( $meta->key ) ) {
790	$meta_by_id = get_metadata_by_mid( 'post', $meta->id );
791	if ( $meta_by_id->meta_key !== $meta->key ) {
792	continue; // skip this meta.
793	}
794	}
795
796	switch ( $meta->operation ) {
797	case 'delete':
798	if ( ! empty( $meta->id ) && ! empty( $existing_meta_item->meta_key ) && current_user_can( 'delete_post_meta', $post_id, $unslashed_existing_meta_key ) ) {
799	delete_metadata_by_mid( 'post', $meta->id );
800	} elseif ( ! empty( $meta->key ) && ! empty( $meta->previous_value ) && current_user_can( 'delete_post_meta', $post_id, $unslashed_meta_key ) ) {
801	delete_post_meta( $post_id, $meta->key, $meta->previous_value );
802	} elseif ( ! empty( $meta->key ) && current_user_can( 'delete_post_meta', $post_id, $unslashed_meta_key ) ) {
803	delete_post_meta( $post_id, $meta->key );
804	}
805
806	break;
807	case 'add':
808	if ( ! empty( $meta->id ) \|\| ! empty( $meta->previous_value ) ) {
809	break;
810	} elseif ( ! empty( $meta->key ) && ! empty( $meta->value ) && ( current_user_can( 'add_post_meta', $post_id, $unslashed_meta_key ) ) \|\| WPCOM_JSON_API_Metadata::is_public( $meta->key ) ) {
811	add_post_meta( $post_id, $meta->key, $meta->value );
812	}
813
814	break;
815	case 'update':
816	if ( ! isset( $meta->value ) ) {
817	break;
818	} elseif ( ! empty( $meta->id ) && ! empty( $existing_meta_item->meta_key ) && ( current_user_can( 'edit_post_meta', $post_id, $unslashed_existing_meta_key ) \|\| WPCOM_JSON_API_Metadata::is_public( $meta->key ) ) ) {
819	update_metadata_by_mid( 'post', $meta->id, $meta->value );
820	} elseif ( ! empty( $meta->key ) && ! empty( $meta->previous_value ) && ( current_user_can( 'edit_post_meta', $post_id, $unslashed_meta_key ) \|\| WPCOM_JSON_API_Metadata::is_public( $meta->key ) ) ) {
821	update_post_meta( $post_id, $meta->key, $meta->value, $meta->previous_value );
822	} elseif ( ! empty( $meta->key ) && ( current_user_can( 'edit_post_meta', $post_id, $unslashed_meta_key ) \|\| WPCOM_JSON_API_Metadata::is_public( $meta->key ) ) ) {
823	update_post_meta( $post_id, $meta->key, $meta->value );
824	}
825
826	break;
827	}
828	}
829	}
830
831	/**
832	* Fires when a post is created via the REST API.
833	*
834	* @module json-api
835	*
836	* @since 2.3.0
837	*
838	* @param int $post_id Post ID.
839	* @param array $insert Data used to build the post.
840	* @param string $new New post URL suffix.
841	*/
842	do_action( 'rest_api_inserted_post', $post_id, $insert, $new );
843
844	$return = $this->get_post_by( 'ID', $post_id, $args['context'] );
845	if ( ! $return \|\| is_wp_error( $return ) ) {
846	return $return;
847	}
848
849	if ( isset( $input['type'] ) && 'revision' === $input['type'] ) {
850	$return['preview_nonce'] = wp_create_nonce( 'post_preview_' . $input['parent'] );
851	}
852
853	if ( isset( $sticky ) ) {
854	// workaround for sticky test occasionally failing, maybe a race condition with stick_post() above.
855	$return['sticky'] = ( true === $sticky );
856	}
857
858	/** This action is documented in json-endpoints/class.wpcom-json-api-site-settings-endpoint.php */
859	do_action( 'wpcom_json_api_objects', 'posts' );
860
861	return $return;
862	}
863
864	/**
865	* Delete a post.
866	*
867	* /sites/%s/posts/%d/delete -> $blog_id, $post_id
868	*
869	* @param string $path API path.
870	* @param array $blog_id Blog ID.
871	* @param array $post_id Post ID.
872	*
873	* @return array\|WP_Error
874	*/
875	public function delete_post( $path, $blog_id, $post_id ) {
876	$post = get_post( $post_id );
877	if ( ! $post \|\| is_wp_error( $post ) ) {
878	return new WP_Error( 'unknown_post', 'Unknown post', 404 );
879	}
880
881	if ( ! $this->is_post_type_allowed( $post->post_type ) ) {
882	return new WP_Error( 'unknown_post_type', 'Unknown post type', 404 );
883	}
884
885	if ( ! current_user_can( 'delete_post', $post->ID ) ) {
886	return new WP_Error( 'unauthorized', 'User cannot delete posts', 403 );
887	}
888
889	$args = $this->query_args();
890	$return = $this->get_post_by( 'ID', $post->ID, $args['context'] );
891	if ( ! $return \|\| is_wp_error( $return ) ) {
892	return $return;
893	}
894
895	/** This action is documented in json-endpoints/class.wpcom-json-api-site-settings-endpoint.php */
896	do_action( 'wpcom_json_api_objects', 'posts' );
897
898	// we need to call wp_trash_post so that untrash will work correctly for all post types.
899	if ( 'trash' === $post->post_status ) {
900	wp_delete_post( $post->ID );
901	} else {
902	wp_trash_post( $post->ID );
903	}
904
905	$status = get_post_status( $post->ID );
906	if ( false === $status ) {
907	$return['status'] = 'deleted';
908	return $return;
909	}
910
911	return $this->get_post_by( 'ID', $post->ID, $args['context'] );
912	}
913
914	/**
915	* Restore a post.
916	*
917	* /sites/%s/posts/%d/restore -> $blog_id, $post_id
918	*
919	* @param string $path API path.
920	* @param int $blog_id Blog ID.
921	* @param int $post_id Post ID.
922	*
923	* @return array\|WP_Error
924	*/
925	public function restore_post( $path, $blog_id, $post_id ) {
926	$args = $this->query_args();
927	$post = get_post( $post_id );
928
929	if ( ! $post \|\| is_wp_error( $post ) ) {
930	return new WP_Error( 'unknown_post', 'Unknown post', 404 );
931	}
932
933	if ( ! current_user_can( 'delete_post', $post->ID ) ) {
934	return new WP_Error( 'unauthorized', 'User cannot restore trashed posts', 403 );
935	}
936
937	/** This action is documented in json-endpoints/class.wpcom-json-api-site-settings-endpoint.php */
938	do_action( 'wpcom_json_api_objects', 'posts' );
939
940	wp_untrash_post( $post->ID );
941
942	return $this->get_post_by( 'ID', $post->ID, $args['context'] );
943	}
944
945	/**
946	* Set or delete a post's featured image.
947	*
948	* @param int $post_id Post ID.
949	* @param bool $delete_featured_image Whether to delete the featured image.
950	* @param int $featured_image Thumbnail ID to attach.
951	*
952	* @return null\|int\|bool
953	*/
954	private function parse_and_set_featured_image( $post_id, $delete_featured_image, $featured_image ) {
955	if ( $delete_featured_image ) {
956	delete_post_thumbnail( $post_id );
957	return;
958	}
959
960	$featured_image = (string) $featured_image;
961
962	// if we got a post ID, we can just set it as the thumbnail.
963	if ( ctype_digit( $featured_image ) && 'attachment' === get_post_type( $featured_image ) ) {
964	set_post_thumbnail( $post_id, $featured_image );
965	return $featured_image;
966	}
967
968	$featured_image_id = $this->handle_media_sideload( $featured_image, $post_id, 'image' );
969
970	if ( empty( $featured_image_id ) \|\| ! is_int( $featured_image_id ) ) {
971	return false;
972	}
973
974	set_post_thumbnail( $post_id, $featured_image_id );
975	return $featured_image_id;
976	}
977
978	/**
979	* Get the Author ID for a post.
980	*
981	* @param int\|string $author Author ID.
982	* @param string $post_type Post type.
983	*
984	* @return int\|WP_Error
985	*/
986	private function parse_and_set_author( $author = null, $post_type = 'post' ) {
987	if ( empty( $author ) \|\| ! post_type_supports( $post_type, 'author' ) ) {
988	return get_current_user_id();
989	}
990
991	$author = (string) $author;
992	if ( ctype_digit( $author ) ) {
993	$_user = get_user_by( 'id', $author );
994	if ( ! $_user \|\| is_wp_error( $_user ) ) {
995	return new WP_Error( 'invalid_author', 'Invalid author provided' );
996	}
997
998	return $_user->ID;
999	}
1000
1001	$_user = get_user_by( 'login', $author );
1002	if ( ! $_user \|\| is_wp_error( $_user ) ) {
1003	return new WP_Error( 'invalid_author', 'Invalid author provided' );
1004	}
1005
1006	return $_user->ID;
1007	}
1008	}
1009