Similar to the existing `role`/`role__in`/`role__not_in` query arguments, this adds support for three new query arguments in `WP_User_Query`:
* `capability`
* `capability__in`
* `capability__not_in`
These can be used to fetch users with (or without) a specific set of capabilities, for example to get all users
with the capability to edit a certain post type.
Under the hood, this will check all existing roles on the site and perform a `LIKE` query against the `capabilities` user meta field to find:
* all users with a role that has this capability
* all users with the capability being assigned directly
Note: In WordPress, not all capabilities are stored in the database. Capabilities can also be modified using filters like `map_meta_cap`. These new query arguments do NOT work for such capabilities.
The prime use case for capability queries is to get all "authors", i.e. users with the capability to edit a certain post type.
Until now, `'who' => 'authors'` was used for this, which relies on user levels. However, user levels were deprecated a long time ago and thus never added to custom roles. This led to constant frustration due to users with custom roles missing from places like author dropdowns.
This updates any usage of `'who' => 'authors'` in core to use capability queries instead.
Subsequently, `'who' => 'authors'` queries are being **deprecated** in favor of these new query arguments.
Also adds a new `capabilities` parameter (mapping to `capability__in` in `WP_User_Query`) to the REST API users controller.
Also updates `twentyfourteen_list_authors()` in Twenty Fourteen to make use of this new functionality, adding a new `twentyfourteen_list_authors_query_args` filter to make it easier to override this behavior.
Props scribu, lgladdly, boonebgorges, spacedmonkey, peterwilsoncc, SergeyBiryukov, swissspidy.
Fixes#16841.
git-svn-id: https://develop.svn.wordpress.org/trunk@51943 602fd350-edb4-49c9-b593-d223f7449a82
This allows custom user meta values to be provided when creating or updating a user in the same way custom post meta can be provided to `wp_insert_post()` when creating or updating a post.
Also introduces the `insert_custom_user_meta` to filter these values.
Props desrosj, donmhico
Fixes#41950
git-svn-id: https://develop.svn.wordpress.org/trunk@51738 602fd350-edb4-49c9-b593-d223f7449a82
When a closure does not use `$this`, it can be made `static` for improved performance.
Static closures are supported in PHP since PHP 5.4.
Props jrf, hellofromTonya, swissspidy, SergeyBiryukov.
See #53359.
git-svn-id: https://develop.svn.wordpress.org/trunk@51657 602fd350-edb4-49c9-b593-d223f7449a82
- Typo corrections in filter descriptions.
- DocBlocks are now now wrapped to the next line after 80 characters, and not extending beyond 120 total characters wide.
- Remove unnecessary repeated references to the suggested replacement hooks.
- Adjustments to the indentation for consistency with other emails in Core, allowing the `phpcs:ignore` comment to be removed.
Props SergeyBiryukov.
Fixes#44314.
git-svn-id: https://develop.svn.wordpress.org/trunk@51410 602fd350-edb4-49c9-b593-d223f7449a82
This fixes a "Variable `$ID` is not in valid snake_case format" WPCS warning.
Follow-up to [2872].
See #53359.
git-svn-id: https://develop.svn.wordpress.org/trunk@51399 602fd350-edb4-49c9-b593-d223f7449a82
This ensures that if the `wp_insert_user()` call resulted in a `WP_Error` object, it is returned right away without any further actions.
Follow-up to [32820].
Fixes#53627.
git-svn-id: https://develop.svn.wordpress.org/trunk@51398 602fd350-edb4-49c9-b593-d223f7449a82
The filters `user_confirmed_action_email_content`, `user_erasure_complete_email_subject`, and `user_erasure_complete_email_headers` have been deprecated.
They have been replaced with `user_erasure_fulfillment_email_content`, `user_erasure_fulfillment_email_subject`, and `user_erasure_fulfillment_email_headers`.
Props desrosj, garrett-eclipse, birgire, DrewAPicture, lifeforceinst, ocean90, pbiron, pento, coffee2code, TZ-Media, SergeyBiryukov, johnbillion, audrasjb, davidbaumwald, hellofromTonya, helen, xkon, antpb, peterwilsoncc, lukecarbis.
Fixes#44314.
git-svn-id: https://develop.svn.wordpress.org/trunk@51129 602fd350-edb4-49c9-b593-d223f7449a82
The new message is more clear and makes the next step more clear to the user.
Props dd32, SergeyBiryukov, audrasjb, desrosj, dlh, marybaum, chanthaboune, jeffpaul.
Fixes#52915.
git-svn-id: https://develop.svn.wordpress.org/trunk@51126 602fd350-edb4-49c9-b593-d223f7449a82
This adds a new parameter to the action and filter hooks found in `wp_insert_user()` to pass the raw user data received through `$userdata` to hooked functions.
This will allow hooked functions to perform more contextual adjustments to new users, and makes supplying custom user meta fields possible.
Props johnbillion, audrasjb.
Fixes#53110.
git-svn-id: https://develop.svn.wordpress.org/trunk@51005 602fd350-edb4-49c9-b593-d223f7449a82
The `update_user_option()` function is a way to update a user meta value after adding a blog’s prefix to the beginning of the meta key. But when the fourth parameter is `true`, the behavior is exactly the same as calling `update_user_meta()` directly.
This replaces all instances of `update_user_option()` when the fourth parameter is `true` in Core with a direct call to `update_user_meta()` to prevent an unnecessary call to `update_user_option()`.
Props johnjamesjacoby, zkancs, obenland, desrosj.
Fixes#43339.
git-svn-id: https://develop.svn.wordpress.org/trunk@50981 602fd350-edb4-49c9-b593-d223f7449a82
Previously, these properties could be unexpectedly converted to strings in some contexts.
This applies to the following functions:
* `sanitize_post_field()`
* `sanitize_term_field()`
* `sanitize_user_field()`
and the following properties:
* `WP_Post::ID`
* `WP_Post::post_parent`
* `WP_Post::menu_order`
* `WP_Term::term_id`
* `WP_Term::term_taxonomy_id`
* `WP_Term::parent`
* `WP_Term::count`
* `WP_Term::term_group`
* `WP_User::ID`
Props grantmkin, SergeyBiryukov.
Fixes#53235. See #52995.
git-svn-id: https://develop.svn.wordpress.org/trunk@50935 602fd350-edb4-49c9-b593-d223f7449a82
Share the `WP_User` instance for the current user between the functions `get_userdata()` and `wp_get_current_user()`. Both functions return the `$current_user` global for the current user.
Force refresh the `$current_user` global within `clean_user_cache()` by immediately re-calling `wp_set_current_user()` with the current user's ID. This ensures any changes to the current user's permissions or other settings are reflected in the global. As a side-effect this immediately rewarms the current user's cache.
Props chaion07, chriscct7, donmhico, hellofromtonya, lukecarbis, peterwilsoncc, rmccue, TimothyBlynJacobs.
Fixes#28020.
git-svn-id: https://develop.svn.wordpress.org/trunk@50790 602fd350-edb4-49c9-b593-d223f7449a82
[48658] documented that various metadata functions return false for an invalid ID. However, that does not clarify what an invalid ID is: a non-numeric, zero, or negative value. This change adds the clarification in all relevant metadata function docblocks.
Props icopydoc, SergeyBiryukov, davidkryzaniak, audrasjb.
Fixes#51797.
git-svn-id: https://develop.svn.wordpress.org/trunk@50641 602fd350-edb4-49c9-b593-d223f7449a82
This makes the message more consistent with other error messages related to authentication and registration.
Follow-up to [46417].
Props dd32.
See #52914, #52915.
git-svn-id: https://develop.svn.wordpress.org/trunk@50589 602fd350-edb4-49c9-b593-d223f7449a82
When sending password reset emails, switch to the user's locale prior to obtaining the site title to allow for plugins filtering based on locale.
Follow up to [50129,50139-50141,50152,50415].
Props chouby.
Fixes#52605. See #34281.
git-svn-id: https://develop.svn.wordpress.org/trunk@50439 602fd350-edb4-49c9-b593-d223f7449a82
This avoids unnecessarily disclosing the IP address when sending a password reset link to another user from the admin.
Follow-up to [49255], [50129].
Props carike, audrasjb, gmariani405, Ipstenu.
See #34281.
git-svn-id: https://develop.svn.wordpress.org/trunk@50422 602fd350-edb4-49c9-b593-d223f7449a82
This ensures that reset password emails initiated by an administrator are sent to the user in their preferred locale.
Follow up to [50129,50139-50141,50152].
Props chouby, davidbaumwald, audrasjb, johnbillion.
Fixes#52605. See #34281.
git-svn-id: https://develop.svn.wordpress.org/trunk@50415 602fd350-edb4-49c9-b593-d223f7449a82
This adds a form option to skip the admin email alert when exporting personal data.
Props xkon, azaozz, TZ-Media, iandunn, desrosj, iprg, allendav, wesselvandenberg, karmatosed, birgire, davidbaumwald, estelaris, paaljoachim, hellofromTonya.
Fixes#43890.
git-svn-id: https://develop.svn.wordpress.org/trunk@50159 602fd350-edb4-49c9-b593-d223f7449a82
This replaces "user privacy" in various error messages with "personal data", for consistency with other existing strings.
Follow-up to [49090].
Props xkon, transl8or.
Fixes#51849.
git-svn-id: https://develop.svn.wordpress.org/trunk@49970 602fd350-edb4-49c9-b593-d223f7449a82
Previously, only the username was checked which caused a PHP warning in some server setups, for instance Shibboleth SSO, where the server only populates the `PHP_AUTH_USER` field.
Props MadtownLems, johnbillion, richard.tape, engahmeds3ed.
Fixes#52003.
git-svn-id: https://develop.svn.wordpress.org/trunk@49919 602fd350-edb4-49c9-b593-d223f7449a82
Application Passwords uses Basic Authentication to transfer authentication details. If the site is already using Basic Auth, for instance to implement a private staging environment, then the REST API will treat this as an authentication attempt and would end up generating an error for any REST API request.
Now, Application Password authentication will only be attempted if Application Passwords is in use by a site. This is flagged by setting an option whenever an Application Password is created. An upgrade routine is added to set this option if any App Passwords already exist.
Lastly, creating an Application Password will be prevented if the site appears to already be using Basic Authentication.
Props chexwarrior, georgestephanis, adamsilverstein, helen, Clorith, marybaum, TimothyBlynJacobs.
Fixes#51939.
git-svn-id: https://develop.svn.wordpress.org/trunk@49752 602fd350-edb4-49c9-b593-d223f7449a82
While many of these parameters also technically accept an array of numerical strings, they are all ultimately cast to an array of integers. Documenting them as such assists developers in understanding the expected types.
See #51800, #41756
git-svn-id: https://develop.svn.wordpress.org/trunk@49672 602fd350-edb4-49c9-b593-d223f7449a82
Previously App Passwords used a mix of "enabled" and "available". We've now standardized on using "available".
Additionally, we now use a 501 status code when indicating that App Passwords is not available.
Props SergeyBiryukov, ocean90, TimothyBlynJacobs.
Fixes#51513.
git-svn-id: https://develop.svn.wordpress.org/trunk@49617 602fd350-edb4-49c9-b593-d223f7449a82
This will make testing the new feature easier since the local development environment is only accessible via HTTP by default.
Also update docs to link to the relevant filters.
See #42790.
Fixes#51503.
git-svn-id: https://develop.svn.wordpress.org/trunk@49139 602fd350-edb4-49c9-b593-d223f7449a82
In WordPress 4.4 the REST API was first introduced. A few releases later in WordPress 4.7, the Content API endpoints were added, paving the way for Gutenberg and countless in-site experiences. In the intervening years, numerous plugins have built on top of the REST API. Many developers shared a common frustration, the lack of external authentication to the REST API.
This commit introduces Application Passwords to allow users to connect to external applications to their WordPress website. Users can generate individual passwords for each application, allowing for easy revocation and activity monitoring. An authorization flow is introduced to make the connection flow simple for users and application developers.
Application Passwords uses Basic Authentication, and by default is only available over an SSL connection.
Props georgestephanis, kasparsd, timothyblynjacobs, afercia, akkspro, andraganescu, arippberger, aristath, austyfrosty, ayesh, batmoo, bradyvercher, brianhenryie, helen, ipstenu, jeffmatson, jeffpaul, joostdevalk, joshlevinson, kadamwhite, kjbenk, koke, michael-arestad, Otto42, pekz0r, salzano, spacedmonkey, valendesigns.
Fixes#42790.
git-svn-id: https://develop.svn.wordpress.org/trunk@49109 602fd350-edb4-49c9-b593-d223f7449a82
Primarily this adds "user privacy" to the strings for privacy requests, so they are more easily distinguished from other system actions within logs.
Props garrett-eclipse, carike, birgire.
Fixes#51351.
git-svn-id: https://develop.svn.wordpress.org/trunk@49090 602fd350-edb4-49c9-b593-d223f7449a82
This avoids a few PHP notices if the `include_selected` parameter was specified and a non-existing user ID was passed.
Props campusboy1987.
Fixes#51370.
git-svn-id: https://develop.svn.wordpress.org/trunk@49036 602fd350-edb4-49c9-b593-d223f7449a82
