diff --git a/src/wp-includes/rest-api.php b/src/wp-includes/rest-api.php index 34e1c591f6..697a7cc64b 100644 --- a/src/wp-includes/rest-api.php +++ b/src/wp-includes/rest-api.php @@ -165,6 +165,7 @@ function rest_api_default_filters() { // Default serving. add_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' ); add_filter( 'rest_post_dispatch', 'rest_send_allow_header', 10, 3 ); + add_filter( 'rest_post_dispatch', 'rest_filter_response_fields', 10, 3 ); add_filter( 'rest_pre_dispatch', 'rest_handle_options_request', 10, 3 ); } @@ -632,6 +633,49 @@ function rest_send_allow_header( $response, $server, $request ) { return $response; } +/** + * Filter the API response to include only a white-listed set of response object fields. + * + * @since 4.8.0 + * + * @param WP_REST_Response $response Current response being served. + * @param WP_REST_Server $server ResponseHandler instance (usually WP_REST_Server). + * @param WP_REST_Request $request The request that was used to make current response. + * + * @return WP_REST_Response Response to be served, trimmed down to contain a subset of fields. + */ +function rest_filter_response_fields( $response, $server, $request ) { + if ( ! isset( $request['_fields'] ) || $response->is_error() ) { + return $response; + } + + $data = $response->get_data(); + + $fields = is_array( $request['_fields'] ) ? $request['_fields'] : preg_split( '/[\s,]+/', $request['_fields'] ); + + if ( 0 === count( $fields ) ) { + return $response; + } + + // Trim off outside whitespace from the comma delimited list. + $fields = array_map( 'trim', $fields ); + + $fields_as_keyed = array_combine( $fields, array_fill( 0, count( $fields ), true ) ); + + if ( wp_is_numeric_array( $data ) ) { + $new_data = array(); + foreach ( $data as $item ) { + $new_data[] = array_intersect_key( $item, $fields_as_keyed ); + } + } else { + $new_data = array_intersect_key( $data, $fields_as_keyed ); + } + + $response->set_data( $new_data ); + + return $response; +} + /** * Adds the REST API URL to the WP RSD endpoint. * diff --git a/tests/phpunit/tests/rest-api.php b/tests/phpunit/tests/rest-api.php index 90a480d641..45c1ccef71 100644 --- a/tests/phpunit/tests/rest-api.php +++ b/tests/phpunit/tests/rest-api.php @@ -304,6 +304,131 @@ class Tests_REST_API extends WP_UnitTestCase { $this->assertNull( $response ); } + /** + * Ensure that result fields are not whitelisted if no request['_fields'] is present. + */ + public function test_rest_filter_response_fields_no_request_filter() { + $response = new WP_REST_Response(); + $response->set_data( array( 'a' => true ) ); + $request = array(); + + $response = rest_filter_response_fields( $response, null, $request ); + $this->assertEquals( array( 'a' => true ), $response->get_data() ); + } + + /** + * Ensure that result fields are whitelisted if request['_fields'] is present. + */ + public function test_rest_filter_response_fields_single_field_filter() { + $response = new WP_REST_Response(); + $response->set_data( array( + 'a' => 0, + 'b' => 1, + 'c' => 2, + ) ); + $request = array( + '_fields' => 'b' + ); + + $response = rest_filter_response_fields( $response, null, $request ); + $this->assertEquals( array( 'b' => 1 ), $response->get_data() ); + } + + /** + * Ensure that multiple comma-separated fields may be whitelisted with request['_fields']. + */ + public function test_rest_filter_response_fields_multi_field_filter() { + $response = new WP_REST_Response(); + $response->set_data( array( + 'a' => 0, + 'b' => 1, + 'c' => 2, + 'd' => 3, + 'e' => 4, + 'f' => 5, + ) ); + $request = array( + '_fields' => 'b,c,e' + ); + + $response = rest_filter_response_fields( $response, null, $request ); + $this->assertEquals( array( + 'b' => 1, + 'c' => 2, + 'e' => 4, + ), $response->get_data() ); + } + + /** + * Ensure that multiple comma-separated fields may be whitelisted + * with request['_fields'] using query parameter array syntax. + */ + public function test_rest_filter_response_fields_multi_field_filter_array() { + $response = new WP_REST_Response(); + + $response->set_data( array( + 'a' => 0, + 'b' => 1, + 'c' => 2, + 'd' => 3, + 'e' => 4, + 'f' => 5, + ) ); + $request = array( + '_fields' => array( 'b', 'c', 'e' ) + ); + + $response = rest_filter_response_fields( $response, null, $request ); + $this->assertEquals( array( + 'b' => 1, + 'c' => 2, + 'e' => 4, + ), $response->get_data() ); + } + + /** + * Ensure that request['_fields'] whitelists apply to items in response collections. + */ + public function test_rest_filter_response_fields_numeric_array() { + $response = new WP_REST_Response(); + $response->set_data( array( + array( + 'a' => 0, + 'b' => 1, + 'c' => 2, + ), + array( + 'a' => 3, + 'b' => 4, + 'c' => 5, + ), + array( + 'a' => 6, + 'b' => 7, + 'c' => 8, + ), + ) ); + $request = array( + '_fields' => 'b,c' + ); + + $response = rest_filter_response_fields( $response, null, $request ); + $this->assertEquals( array( + array( + 'b' => 1, + 'c' => 2, + ), + array( + 'b' => 4, + 'c' => 5, + ), + array( + 'b' => 7, + 'c' => 8, + ), + ), $response->get_data() ); + } + /** * The get_rest_url function should return a URL consistently terminated with a "/", * whether the blog is configured with pretty permalink support or not.