3 * REST API: WP_REST_Posts_Controller class
11 * Core class to access posts via the REST API.
15 * @see WP_REST_Controller
17 class WP_REST_Posts_Controller extends WP_REST_Controller {
29 * Instance of a post meta fields object.
33 * @var WP_REST_Post_Meta_Fields
43 * @param string $post_type Post type.
45 public function __construct( $post_type ) {
46 $this->post_type = $post_type;
47 $this->namespace = 'wp/v2';
48 $obj = get_post_type_object( $post_type );
49 $this->rest_base = ! empty( $obj->rest_base ) ? $obj->rest_base : $obj->name;
51 $this->meta = new WP_REST_Post_Meta_Fields( $this->post_type );
55 * Registers the routes for the objects of the controller.
60 * @see register_rest_route()
62 public function register_routes() {
64 register_rest_route( $this->namespace, '/' . $this->rest_base, array(
66 'methods' => WP_REST_Server::READABLE,
67 'callback' => array( $this, 'get_items' ),
68 'permission_callback' => array( $this, 'get_items_permissions_check' ),
69 'args' => $this->get_collection_params(),
72 'methods' => WP_REST_Server::CREATABLE,
73 'callback' => array( $this, 'create_item' ),
74 'permission_callback' => array( $this, 'create_item_permissions_check' ),
75 'args' => $this->get_endpoint_args_for_item_schema( WP_REST_Server::CREATABLE ),
77 'schema' => array( $this, 'get_public_item_schema' ),
80 $schema = $this->get_item_schema();
81 $get_item_args = array(
82 'context' => $this->get_context_param( array( 'default' => 'view' ) ),
84 if ( isset( $schema['properties']['password'] ) ) {
85 $get_item_args['password'] = array(
86 'description' => __( 'The password for the post if it is password protected.' ),
90 register_rest_route( $this->namespace, '/' . $this->rest_base . '/(?P<id>[\d]+)', array(
93 'description' => __( 'Unique identifier for the object.' ),
98 'methods' => WP_REST_Server::READABLE,
99 'callback' => array( $this, 'get_item' ),
100 'permission_callback' => array( $this, 'get_item_permissions_check' ),
101 'args' => $get_item_args,
104 'methods' => WP_REST_Server::EDITABLE,
105 'callback' => array( $this, 'update_item' ),
106 'permission_callback' => array( $this, 'update_item_permissions_check' ),
107 'args' => $this->get_endpoint_args_for_item_schema( WP_REST_Server::EDITABLE ),
110 'methods' => WP_REST_Server::DELETABLE,
111 'callback' => array( $this, 'delete_item' ),
112 'permission_callback' => array( $this, 'delete_item_permissions_check' ),
117 'description' => __( 'Whether to bypass trash and force deletion.' ),
121 'schema' => array( $this, 'get_public_item_schema' ),
126 * Checks if a given request has access to read posts.
131 * @param WP_REST_Request $request Full details about the request.
132 * @return true|WP_Error True if the request has read access, WP_Error object otherwise.
134 public function get_items_permissions_check( $request ) {
136 $post_type = get_post_type_object( $this->post_type );
138 if ( 'edit' === $request['context'] && ! current_user_can( $post_type->cap->edit_posts ) ) {
139 return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit posts in this post type.' ), array( 'status' => rest_authorization_required_code() ) );
146 * Retrieves a collection of posts.
151 * @param WP_REST_Request $request Full details about the request.
152 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
154 public function get_items( $request ) {
156 // Ensure a search string is set in case the orderby is set to 'relevance'.
157 if ( ! empty( $request['orderby'] ) && 'relevance' === $request['orderby'] && empty( $request['search'] ) ) {
158 return new WP_Error( 'rest_no_search_term_defined', __( 'You need to define a search term to order by relevance.' ), array( 'status' => 400 ) );
161 // Ensure an include parameter is set in case the orderby is set to 'include'.
162 if ( ! empty( $request['orderby'] ) && 'include' === $request['orderby'] && empty( $request['include'] ) ) {
163 return new WP_Error( 'rest_orderby_include_missing_include', sprintf( __( 'Missing parameter(s): %s' ), 'include' ), array( 'status' => 400 ) );
166 // Retrieve the list of registered collection query parameters.
167 $registered = $this->get_collection_params();
171 * This array defines mappings between public API query parameters whose
172 * values are accepted as-passed, and their internal WP_Query parameter
173 * name equivalents (some are the same). Only values which are also
174 * present in $registered will be set.
176 $parameter_mappings = array(
177 'author' => 'author__in',
178 'author_exclude' => 'author__not_in',
179 'exclude' => 'post__not_in',
180 'include' => 'post__in',
181 'menu_order' => 'menu_order',
182 'offset' => 'offset',
184 'orderby' => 'orderby',
186 'parent' => 'post_parent__in',
187 'parent_exclude' => 'post_parent__not_in',
189 'slug' => 'post_name__in',
190 'status' => 'post_status',
194 * For each known parameter which is both registered and present in the request,
195 * set the parameter's value on the query $args.
197 foreach ( $parameter_mappings as $api_param => $wp_param ) {
198 if ( isset( $registered[ $api_param ], $request[ $api_param ] ) ) {
199 $args[ $wp_param ] = $request[ $api_param ];
203 // Check for & assign any parameters which require special handling or setting.
204 $args['date_query'] = array();
206 // Set before into date query. Date query must be specified as an array of an array.
207 if ( isset( $registered['before'], $request['before'] ) ) {
208 $args['date_query'][0]['before'] = $request['before'];
211 // Set after into date query. Date query must be specified as an array of an array.
212 if ( isset( $registered['after'], $request['after'] ) ) {
213 $args['date_query'][0]['after'] = $request['after'];
216 // Ensure our per_page parameter overrides any provided posts_per_page filter.
217 if ( isset( $registered['per_page'] ) ) {
218 $args['posts_per_page'] = $request['per_page'];
221 if ( isset( $registered['sticky'], $request['sticky'] ) ) {
222 $sticky_posts = get_option( 'sticky_posts', array() );
223 if ( $sticky_posts && $request['sticky'] ) {
225 * As post__in will be used to only get sticky posts,
226 * we have to support the case where post__in was already
229 $args['post__in'] = $args['post__in'] ? array_intersect( $sticky_posts, $args['post__in'] ) : $sticky_posts;
232 * If we intersected, but there are no post ids in common,
233 * WP_Query won't return "no posts" for post__in = array()
234 * so we have to fake it a bit.
236 if ( ! $args['post__in'] ) {
237 $args['post__in'] = array( -1 );
239 } elseif ( $sticky_posts ) {
241 * As post___not_in will be used to only get posts that
242 * are not sticky, we have to support the case where post__not_in
243 * was already specified.
245 $args['post__not_in'] = array_merge( $args['post__not_in'], $sticky_posts );
249 // Force the post_type argument, since it's not a user input variable.
250 $args['post_type'] = $this->post_type;
253 * Filters the query arguments for a request.
255 * Enables adding extra arguments or setting defaults for a post collection request.
259 * @link https://developer.wordpress.org/reference/classes/wp_query/
261 * @param array $args Key value array of query var to query value.
262 * @param WP_REST_Request $request The request used.
264 $args = apply_filters( "rest_{$this->post_type}_query", $args, $request );
265 $query_args = $this->prepare_items_query( $args, $request );
267 $taxonomies = wp_list_filter( get_object_taxonomies( $this->post_type, 'objects' ), array( 'show_in_rest' => true ) );
269 foreach ( $taxonomies as $taxonomy ) {
270 $base = ! empty( $taxonomy->rest_base ) ? $taxonomy->rest_base : $taxonomy->name;
271 $tax_exclude = $base . '_exclude';
273 if ( ! empty( $request[ $base ] ) ) {
274 $query_args['tax_query'][] = array(
275 'taxonomy' => $taxonomy->name,
276 'field' => 'term_id',
277 'terms' => $request[ $base ],
278 'include_children' => false,
282 if ( ! empty( $request[ $tax_exclude ] ) ) {
283 $query_args['tax_query'][] = array(
284 'taxonomy' => $taxonomy->name,
285 'field' => 'term_id',
286 'terms' => $request[ $tax_exclude ],
287 'include_children' => false,
288 'operator' => 'NOT IN',
293 $posts_query = new WP_Query();
294 $query_result = $posts_query->query( $query_args );
296 // Allow access to all password protected posts if the context is edit.
297 if ( 'edit' === $request['context'] ) {
298 add_filter( 'post_password_required', '__return_false' );
303 foreach ( $query_result as $post ) {
304 if ( ! $this->check_read_permission( $post ) ) {
308 $data = $this->prepare_item_for_response( $post, $request );
309 $posts[] = $this->prepare_response_for_collection( $data );
313 if ( 'edit' === $request['context'] ) {
314 remove_filter( 'post_password_required', '__return_false' );
317 $page = (int) $query_args['paged'];
318 $total_posts = $posts_query->found_posts;
320 if ( $total_posts < 1 ) {
321 // Out-of-bounds, run the query again without LIMIT for total count.
322 unset( $query_args['paged'] );
324 $count_query = new WP_Query();
325 $count_query->query( $query_args );
326 $total_posts = $count_query->found_posts;
329 $max_pages = ceil( $total_posts / (int) $posts_query->query_vars['posts_per_page'] );
330 $response = rest_ensure_response( $posts );
332 $response->header( 'X-WP-Total', (int) $total_posts );
333 $response->header( 'X-WP-TotalPages', (int) $max_pages );
335 $request_params = $request->get_query_params();
336 $base = add_query_arg( $request_params, rest_url( sprintf( '%s/%s', $this->namespace, $this->rest_base ) ) );
339 $prev_page = $page - 1;
341 if ( $prev_page > $max_pages ) {
342 $prev_page = $max_pages;
345 $prev_link = add_query_arg( 'page', $prev_page, $base );
346 $response->link_header( 'prev', $prev_link );
348 if ( $max_pages > $page ) {
349 $next_page = $page + 1;
350 $next_link = add_query_arg( 'page', $next_page, $base );
352 $response->link_header( 'next', $next_link );
359 * Get the post, if the ID is valid.
363 * @param int $id Supplied ID.
364 * @return WP_Post|WP_Error Post object if ID is valid, WP_Error otherwise.
366 protected function get_post( $id ) {
367 $error = new WP_Error( 'rest_post_invalid_id', __( 'Invalid post ID.' ), array( 'status' => 404 ) );
368 if ( (int) $id <= 0 ) {
372 $post = get_post( (int) $id );
373 if ( empty( $post ) || empty( $post->ID ) || $this->post_type !== $post->post_type ) {
381 * Checks if a given request has access to read a post.
386 * @param WP_REST_Request $request Full details about the request.
387 * @return bool|WP_Error True if the request has read access for the item, WP_Error object otherwise.
389 public function get_item_permissions_check( $request ) {
390 $post = $this->get_post( $request['id'] );
391 if ( is_wp_error( $post ) ) {
395 if ( 'edit' === $request['context'] && $post && ! $this->check_update_permission( $post ) ) {
396 return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit this post.' ), array( 'status' => rest_authorization_required_code() ) );
399 if ( $post && ! empty( $request['password'] ) ) {
400 // Check post password, and return error if invalid.
401 if ( ! hash_equals( $post->post_password, $request['password'] ) ) {
402 return new WP_Error( 'rest_post_incorrect_password', __( 'Incorrect post password.' ), array( 'status' => 403 ) );
406 // Allow access to all password protected posts if the context is edit.
407 if ( 'edit' === $request['context'] ) {
408 add_filter( 'post_password_required', '__return_false' );
412 return $this->check_read_permission( $post );
419 * Checks if the user can access password-protected content.
421 * This method determines whether we need to override the regular password
422 * check in core with a filter.
427 * @param WP_Post $post Post to check against.
428 * @param WP_REST_Request $request Request data to check.
429 * @return bool True if the user can access password-protected content, otherwise false.
431 public function can_access_password_content( $post, $request ) {
432 if ( empty( $post->post_password ) ) {
433 // No filter required.
437 // Edit context always gets access to password-protected posts.
438 if ( 'edit' === $request['context'] ) {
442 // No password, no auth.
443 if ( empty( $request['password'] ) ) {
447 // Double-check the request password.
448 return hash_equals( $post->post_password, $request['password'] );
452 * Retrieves a single post.
457 * @param WP_REST_Request $request Full details about the request.
458 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
460 public function get_item( $request ) {
461 $post = $this->get_post( $request['id'] );
462 if ( is_wp_error( $post ) ) {
466 $data = $this->prepare_item_for_response( $post, $request );
467 $response = rest_ensure_response( $data );
469 if ( is_post_type_viewable( get_post_type_object( $post->post_type ) ) ) {
470 $response->link_header( 'alternate', get_permalink( $post->ID ), array( 'type' => 'text/html' ) );
477 * Checks if a given request has access to create a post.
482 * @param WP_REST_Request $request Full details about the request.
483 * @return true|WP_Error True if the request has access to create items, WP_Error object otherwise.
485 public function create_item_permissions_check( $request ) {
486 if ( ! empty( $request['id'] ) ) {
487 return new WP_Error( 'rest_post_exists', __( 'Cannot create existing post.' ), array( 'status' => 400 ) );
490 $post_type = get_post_type_object( $this->post_type );
492 if ( ! empty( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
493 return new WP_Error( 'rest_cannot_edit_others', __( 'Sorry, you are not allowed to create posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );
496 if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
497 return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
500 if ( ! current_user_can( $post_type->cap->create_posts ) ) {
501 return new WP_Error( 'rest_cannot_create', __( 'Sorry, you are not allowed to create posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );
504 if ( ! $this->check_assign_terms_permission( $request ) ) {
505 return new WP_Error( 'rest_cannot_assign_term', __( 'Sorry, you are not allowed to assign the provided terms.' ), array( 'status' => rest_authorization_required_code() ) );
512 * Creates a single post.
517 * @param WP_REST_Request $request Full details about the request.
518 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
520 public function create_item( $request ) {
521 if ( ! empty( $request['id'] ) ) {
522 return new WP_Error( 'rest_post_exists', __( 'Cannot create existing post.' ), array( 'status' => 400 ) );
525 $prepared_post = $this->prepare_item_for_database( $request );
527 if ( is_wp_error( $prepared_post ) ) {
528 return $prepared_post;
531 $prepared_post->post_type = $this->post_type;
533 $post_id = wp_insert_post( wp_slash( (array) $prepared_post ), true );
535 if ( is_wp_error( $post_id ) ) {
537 if ( 'db_insert_error' === $post_id->get_error_code() ) {
538 $post_id->add_data( array( 'status' => 500 ) );
540 $post_id->add_data( array( 'status' => 400 ) );
546 $post = get_post( $post_id );
549 * Fires after a single post is created or updated via the REST API.
551 * The dynamic portion of the hook name, `$this->post_type`, refers to the post type slug.
555 * @param WP_Post $post Inserted or updated post object.
556 * @param WP_REST_Request $request Request object.
557 * @param bool $creating True when creating a post, false when updating.
559 do_action( "rest_insert_{$this->post_type}", $post, $request, true );
561 $schema = $this->get_item_schema();
563 if ( ! empty( $schema['properties']['sticky'] ) ) {
564 if ( ! empty( $request['sticky'] ) ) {
565 stick_post( $post_id );
567 unstick_post( $post_id );
571 if ( ! empty( $schema['properties']['featured_media'] ) && isset( $request['featured_media'] ) ) {
572 $this->handle_featured_media( $request['featured_media'], $post_id );
575 if ( ! empty( $schema['properties']['format'] ) && ! empty( $request['format'] ) ) {
576 set_post_format( $post, $request['format'] );
579 if ( ! empty( $schema['properties']['template'] ) && isset( $request['template'] ) ) {
580 $this->handle_template( $request['template'], $post_id );
583 $terms_update = $this->handle_terms( $post_id, $request );
585 if ( is_wp_error( $terms_update ) ) {
586 return $terms_update;
589 if ( ! empty( $schema['properties']['meta'] ) && isset( $request['meta'] ) ) {
590 $meta_update = $this->meta->update_value( $request['meta'], $post_id );
592 if ( is_wp_error( $meta_update ) ) {
597 $post = get_post( $post_id );
598 $fields_update = $this->update_additional_fields_for_object( $post, $request );
600 if ( is_wp_error( $fields_update ) ) {
601 return $fields_update;
604 $request->set_param( 'context', 'edit' );
606 $response = $this->prepare_item_for_response( $post, $request );
607 $response = rest_ensure_response( $response );
609 $response->set_status( 201 );
610 $response->header( 'Location', rest_url( sprintf( '%s/%s/%d', $this->namespace, $this->rest_base, $post_id ) ) );
616 * Checks if a given request has access to update a post.
621 * @param WP_REST_Request $request Full details about the request.
622 * @return true|WP_Error True if the request has access to update the item, WP_Error object otherwise.
624 public function update_item_permissions_check( $request ) {
625 $post = $this->get_post( $request['id'] );
626 if ( is_wp_error( $post ) ) {
630 $post_type = get_post_type_object( $this->post_type );
632 if ( $post && ! $this->check_update_permission( $post ) ) {
633 return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this post.' ), array( 'status' => rest_authorization_required_code() ) );
636 if ( ! empty( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
637 return new WP_Error( 'rest_cannot_edit_others', __( 'Sorry, you are not allowed to update posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );
640 if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
641 return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
644 if ( ! $this->check_assign_terms_permission( $request ) ) {
645 return new WP_Error( 'rest_cannot_assign_term', __( 'Sorry, you are not allowed to assign the provided terms.' ), array( 'status' => rest_authorization_required_code() ) );
652 * Updates a single post.
657 * @param WP_REST_Request $request Full details about the request.
658 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
660 public function update_item( $request ) {
661 $valid_check = $this->get_post( $request['id'] );
662 if ( is_wp_error( $valid_check ) ) {
666 $post = $this->prepare_item_for_database( $request );
668 if ( is_wp_error( $post ) ) {
672 // convert the post object to an array, otherwise wp_update_post will expect non-escaped input.
673 $post_id = wp_update_post( wp_slash( (array) $post ), true );
675 if ( is_wp_error( $post_id ) ) {
676 if ( 'db_update_error' === $post_id->get_error_code() ) {
677 $post_id->add_data( array( 'status' => 500 ) );
679 $post_id->add_data( array( 'status' => 400 ) );
684 $post = get_post( $post_id );
686 /* This action is documented in lib/endpoints/class-wp-rest-controller.php */
687 do_action( "rest_insert_{$this->post_type}", $post, $request, false );
689 $schema = $this->get_item_schema();
691 if ( ! empty( $schema['properties']['format'] ) && ! empty( $request['format'] ) ) {
692 set_post_format( $post, $request['format'] );
695 if ( ! empty( $schema['properties']['featured_media'] ) && isset( $request['featured_media'] ) ) {
696 $this->handle_featured_media( $request['featured_media'], $post_id );
699 if ( ! empty( $schema['properties']['sticky'] ) && isset( $request['sticky'] ) ) {
700 if ( ! empty( $request['sticky'] ) ) {
701 stick_post( $post_id );
703 unstick_post( $post_id );
707 if ( ! empty( $schema['properties']['template'] ) && isset( $request['template'] ) ) {
708 $this->handle_template( $request['template'], $post->ID );
711 $terms_update = $this->handle_terms( $post->ID, $request );
713 if ( is_wp_error( $terms_update ) ) {
714 return $terms_update;
717 if ( ! empty( $schema['properties']['meta'] ) && isset( $request['meta'] ) ) {
718 $meta_update = $this->meta->update_value( $request['meta'], $post->ID );
720 if ( is_wp_error( $meta_update ) ) {
725 $post = get_post( $post_id );
726 $fields_update = $this->update_additional_fields_for_object( $post, $request );
728 if ( is_wp_error( $fields_update ) ) {
729 return $fields_update;
732 $request->set_param( 'context', 'edit' );
734 $response = $this->prepare_item_for_response( $post, $request );
736 return rest_ensure_response( $response );
740 * Checks if a given request has access to delete a post.
745 * @param WP_REST_Request $request Full details about the request.
746 * @return true|WP_Error True if the request has access to delete the item, WP_Error object otherwise.
748 public function delete_item_permissions_check( $request ) {
749 $post = $this->get_post( $request['id'] );
750 if ( is_wp_error( $post ) ) {
754 if ( $post && ! $this->check_delete_permission( $post ) ) {
755 return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete this post.' ), array( 'status' => rest_authorization_required_code() ) );
762 * Deletes a single post.
767 * @param WP_REST_Request $request Full details about the request.
768 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
770 public function delete_item( $request ) {
771 $post = $this->get_post( $request['id'] );
772 if ( is_wp_error( $post ) ) {
777 $force = (bool) $request['force'];
779 $supports_trash = ( EMPTY_TRASH_DAYS > 0 );
781 if ( 'attachment' === $post->post_type ) {
782 $supports_trash = $supports_trash && MEDIA_TRASH;
786 * Filters whether a post is trashable.
788 * The dynamic portion of the hook name, `$this->post_type`, refers to the post type slug.
790 * Pass false to disable trash support for the post.
794 * @param bool $supports_trash Whether the post type support trashing.
795 * @param WP_Post $post The Post object being considered for trashing support.
797 $supports_trash = apply_filters( "rest_{$this->post_type}_trashable", $supports_trash, $post );
799 if ( ! $this->check_delete_permission( $post ) ) {
800 return new WP_Error( 'rest_user_cannot_delete_post', __( 'Sorry, you are not allowed to delete this post.' ), array( 'status' => rest_authorization_required_code() ) );
803 $request->set_param( 'context', 'edit' );
806 // If we're forcing, then delete permanently.
808 $previous = $this->prepare_item_for_response( $post, $request );
809 $result = wp_delete_post( $id, true );
810 $response = new WP_REST_Response();
811 $response->set_data( array( 'deleted' => true, 'previous' => $previous->get_data() ) );
813 // If we don't support trashing for this type, error out.
814 if ( ! $supports_trash ) {
815 return new WP_Error( 'rest_trash_not_supported', __( 'The post does not support trashing. Set force=true to delete.' ), array( 'status' => 501 ) );
818 // Otherwise, only trash if we haven't already.
819 if ( 'trash' === $post->post_status ) {
820 return new WP_Error( 'rest_already_trashed', __( 'The post has already been deleted.' ), array( 'status' => 410 ) );
823 // (Note that internally this falls through to `wp_delete_post` if
824 // the trash is disabled.)
825 $result = wp_trash_post( $id );
826 $post = get_post( $id );
827 $response = $this->prepare_item_for_response( $post, $request );
831 return new WP_Error( 'rest_cannot_delete', __( 'The post cannot be deleted.' ), array( 'status' => 500 ) );
835 * Fires immediately after a single post is deleted or trashed via the REST API.
837 * They dynamic portion of the hook name, `$this->post_type`, refers to the post type slug.
841 * @param object $post The deleted or trashed post.
842 * @param WP_REST_Response $response The response data.
843 * @param WP_REST_Request $request The request sent to the API.
845 do_action( "rest_delete_{$this->post_type}", $post, $response, $request );
851 * Determines the allowed query_vars for a get_items() response and prepares
857 * @param array $prepared_args Optional. Prepared WP_Query arguments. Default empty array.
858 * @param WP_REST_Request $request Optional. Full details about the request.
859 * @return array Items query arguments.
861 protected function prepare_items_query( $prepared_args = array(), $request = null ) {
862 $query_args = array();
864 foreach ( $prepared_args as $key => $value ) {
866 * Filters the query_vars used in get_items() for the constructed query.
868 * The dynamic portion of the hook name, `$key`, refers to the query_var key.
872 * @param string $value The query_var value.
874 $query_args[ $key ] = apply_filters( "rest_query_var-{$key}", $value );
877 if ( 'post' !== $this->post_type || ! isset( $query_args['ignore_sticky_posts'] ) ) {
878 $query_args['ignore_sticky_posts'] = true;
881 // Map to proper WP_Query orderby param.
882 if ( isset( $query_args['orderby'] ) && isset( $request['orderby'] ) ) {
883 $orderby_mappings = array(
885 'include' => 'post__in',
886 'slug' => 'post_name',
889 if ( isset( $orderby_mappings[ $request['orderby'] ] ) ) {
890 $query_args['orderby'] = $orderby_mappings[ $request['orderby'] ];
898 * Checks the post_date_gmt or modified_gmt and prepare any post or
899 * modified date for single post output.
904 * @param string $date_gmt GMT publication time.
905 * @param string|null $date Optional. Local publication time. Default null.
906 * @return string|null ISO8601/RFC3339 formatted datetime.
908 protected function prepare_date_response( $date_gmt, $date = null ) {
909 // Use the date if passed.
910 if ( isset( $date ) ) {
911 return mysql_to_rfc3339( $date );
914 // Return null if $date_gmt is empty/zeros.
915 if ( '0000-00-00 00:00:00' === $date_gmt ) {
919 // Return the formatted datetime.
920 return mysql_to_rfc3339( $date_gmt );
924 * Prepares a single post for create or update.
929 * @param WP_REST_Request $request Request object.
930 * @return stdClass|WP_Error Post object or WP_Error.
932 protected function prepare_item_for_database( $request ) {
933 $prepared_post = new stdClass;
936 if ( isset( $request['id'] ) ) {
937 $existing_post = $this->get_post( $request['id'] );
938 if ( is_wp_error( $existing_post ) ) {
939 return $existing_post;
942 $prepared_post->ID = $existing_post->ID;
945 $schema = $this->get_item_schema();
948 if ( ! empty( $schema['properties']['title'] ) && isset( $request['title'] ) ) {
949 if ( is_string( $request['title'] ) ) {
950 $prepared_post->post_title = $request['title'];
951 } elseif ( ! empty( $request['title']['raw'] ) ) {
952 $prepared_post->post_title = $request['title']['raw'];
957 if ( ! empty( $schema['properties']['content'] ) && isset( $request['content'] ) ) {
958 if ( is_string( $request['content'] ) ) {
959 $prepared_post->post_content = $request['content'];
960 } elseif ( isset( $request['content']['raw'] ) ) {
961 $prepared_post->post_content = $request['content']['raw'];
966 if ( ! empty( $schema['properties']['excerpt'] ) && isset( $request['excerpt'] ) ) {
967 if ( is_string( $request['excerpt'] ) ) {
968 $prepared_post->post_excerpt = $request['excerpt'];
969 } elseif ( isset( $request['excerpt']['raw'] ) ) {
970 $prepared_post->post_excerpt = $request['excerpt']['raw'];
975 if ( empty( $request['id'] ) ) {
976 // Creating new post, use default type for the controller.
977 $prepared_post->post_type = $this->post_type;
979 // Updating a post, use previous type.
980 $prepared_post->post_type = get_post_type( $request['id'] );
983 $post_type = get_post_type_object( $prepared_post->post_type );
986 if ( ! empty( $schema['properties']['status'] ) && isset( $request['status'] ) ) {
987 $status = $this->handle_status_param( $request['status'], $post_type );
989 if ( is_wp_error( $status ) ) {
993 $prepared_post->post_status = $status;
997 if ( ! empty( $schema['properties']['date'] ) && ! empty( $request['date'] ) ) {
998 $date_data = rest_get_date_with_gmt( $request['date'] );
1000 if ( ! empty( $date_data ) ) {
1001 list( $prepared_post->post_date, $prepared_post->post_date_gmt ) = $date_data;
1003 } elseif ( ! empty( $schema['properties']['date_gmt'] ) && ! empty( $request['date_gmt'] ) ) {
1004 $date_data = rest_get_date_with_gmt( $request['date_gmt'], true );
1006 if ( ! empty( $date_data ) ) {
1007 list( $prepared_post->post_date, $prepared_post->post_date_gmt ) = $date_data;
1012 if ( ! empty( $schema['properties']['slug'] ) && isset( $request['slug'] ) ) {
1013 $prepared_post->post_name = $request['slug'];
1017 if ( ! empty( $schema['properties']['author'] ) && ! empty( $request['author'] ) ) {
1018 $post_author = (int) $request['author'];
1020 if ( get_current_user_id() !== $post_author ) {
1021 $user_obj = get_userdata( $post_author );
1023 if ( ! $user_obj ) {
1024 return new WP_Error( 'rest_invalid_author', __( 'Invalid author ID.' ), array( 'status' => 400 ) );
1028 $prepared_post->post_author = $post_author;
1032 if ( ! empty( $schema['properties']['password'] ) && isset( $request['password'] ) ) {
1033 $prepared_post->post_password = $request['password'];
1035 if ( '' !== $request['password'] ) {
1036 if ( ! empty( $schema['properties']['sticky'] ) && ! empty( $request['sticky'] ) ) {
1037 return new WP_Error( 'rest_invalid_field', __( 'A post can not be sticky and have a password.' ), array( 'status' => 400 ) );
1040 if ( ! empty( $prepared_post->ID ) && is_sticky( $prepared_post->ID ) ) {
1041 return new WP_Error( 'rest_invalid_field', __( 'A sticky post can not be password protected.' ), array( 'status' => 400 ) );
1046 if ( ! empty( $schema['properties']['sticky'] ) && ! empty( $request['sticky'] ) ) {
1047 if ( ! empty( $prepared_post->ID ) && post_password_required( $prepared_post->ID ) ) {
1048 return new WP_Error( 'rest_invalid_field', __( 'A password protected post can not be set to sticky.' ), array( 'status' => 400 ) );
1053 if ( ! empty( $schema['properties']['parent'] ) && isset( $request['parent'] ) ) {
1054 if ( 0 === (int) $request['parent'] ) {
1055 $prepared_post->post_parent = 0;
1057 $parent = get_post( (int) $request['parent'] );
1058 if ( empty( $parent ) ) {
1059 return new WP_Error( 'rest_post_invalid_id', __( 'Invalid post parent ID.' ), array( 'status' => 400 ) );
1061 $prepared_post->post_parent = (int) $parent->ID;
1066 if ( ! empty( $schema['properties']['menu_order'] ) && isset( $request['menu_order'] ) ) {
1067 $prepared_post->menu_order = (int) $request['menu_order'];
1071 if ( ! empty( $schema['properties']['comment_status'] ) && ! empty( $request['comment_status'] ) ) {
1072 $prepared_post->comment_status = $request['comment_status'];
1076 if ( ! empty( $schema['properties']['ping_status'] ) && ! empty( $request['ping_status'] ) ) {
1077 $prepared_post->ping_status = $request['ping_status'];
1081 * Filters a post before it is inserted via the REST API.
1083 * The dynamic portion of the hook name, `$this->post_type`, refers to the post type slug.
1087 * @param stdClass $prepared_post An object representing a single post prepared
1088 * for inserting or updating the database.
1089 * @param WP_REST_Request $request Request object.
1091 return apply_filters( "rest_pre_insert_{$this->post_type}", $prepared_post, $request );
1096 * Determines validity and normalizes the given status parameter.
1101 * @param string $post_status Post status.
1102 * @param object $post_type Post type.
1103 * @return string|WP_Error Post status or WP_Error if lacking the proper permission.
1105 protected function handle_status_param( $post_status, $post_type ) {
1107 switch ( $post_status ) {
1112 if ( ! current_user_can( $post_type->cap->publish_posts ) ) {
1113 return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to create private posts in this post type.' ), array( 'status' => rest_authorization_required_code() ) );
1118 if ( ! current_user_can( $post_type->cap->publish_posts ) ) {
1119 return new WP_Error( 'rest_cannot_publish', __( 'Sorry, you are not allowed to publish posts in this post type.' ), array( 'status' => rest_authorization_required_code() ) );
1123 if ( ! get_post_status_object( $post_status ) ) {
1124 $post_status = 'draft';
1129 return $post_status;
1133 * Determines the featured media based on a request param.
1138 * @param int $featured_media Featured Media ID.
1139 * @param int $post_id Post ID.
1140 * @return bool|WP_Error Whether the post thumbnail was successfully deleted, otherwise WP_Error.
1142 protected function handle_featured_media( $featured_media, $post_id ) {
1144 $featured_media = (int) $featured_media;
1145 if ( $featured_media ) {
1146 $result = set_post_thumbnail( $post_id, $featured_media );
1150 return new WP_Error( 'rest_invalid_featured_media', __( 'Invalid featured media ID.' ), array( 'status' => 400 ) );
1153 return delete_post_thumbnail( $post_id );
1159 * Sets the template for a post.
1164 * @param string $template Page template filename.
1165 * @param integer $post_id Post ID.
1167 public function handle_template( $template, $post_id ) {
1168 if ( in_array( $template, array_keys( wp_get_theme()->get_page_templates( get_post( $post_id ) ) ), true ) ) {
1169 update_post_meta( $post_id, '_wp_page_template', $template );
1171 update_post_meta( $post_id, '_wp_page_template', '' );
1176 * Updates the post's terms from a REST request.
1181 * @param int $post_id The post ID to update the terms form.
1182 * @param WP_REST_Request $request The request object with post and terms data.
1183 * @return null|WP_Error WP_Error on an error assigning any of the terms, otherwise null.
1185 protected function handle_terms( $post_id, $request ) {
1186 $taxonomies = wp_list_filter( get_object_taxonomies( $this->post_type, 'objects' ), array( 'show_in_rest' => true ) );
1188 foreach ( $taxonomies as $taxonomy ) {
1189 $base = ! empty( $taxonomy->rest_base ) ? $taxonomy->rest_base : $taxonomy->name;
1191 if ( ! isset( $request[ $base ] ) ) {
1195 $result = wp_set_object_terms( $post_id, $request[ $base ], $taxonomy->name );
1197 if ( is_wp_error( $result ) ) {
1204 * Checks whether current user can assign all terms sent with the current request.
1208 * @param WP_REST_Request $request The request object with post and terms data.
1209 * @return bool Whether the current user can assign the provided terms.
1211 protected function check_assign_terms_permission( $request ) {
1212 $taxonomies = wp_list_filter( get_object_taxonomies( $this->post_type, 'objects' ), array( 'show_in_rest' => true ) );
1213 foreach ( $taxonomies as $taxonomy ) {
1214 $base = ! empty( $taxonomy->rest_base ) ? $taxonomy->rest_base : $taxonomy->name;
1216 if ( ! isset( $request[ $base ] ) ) {
1220 foreach ( $request[ $base ] as $term_id ) {
1221 // Invalid terms will be rejected later.
1222 if ( ! get_term( $term_id, $taxonomy->name ) ) {
1226 if ( ! current_user_can( 'assign_term', (int) $term_id ) ) {
1236 * Checks if a given post type can be viewed or managed.
1241 * @param object|string $post_type Post type name or object.
1242 * @return bool Whether the post type is allowed in REST.
1244 protected function check_is_post_type_allowed( $post_type ) {
1245 if ( ! is_object( $post_type ) ) {
1246 $post_type = get_post_type_object( $post_type );
1249 if ( ! empty( $post_type ) && ! empty( $post_type->show_in_rest ) ) {
1257 * Checks if a post can be read.
1259 * Correctly handles posts with the inherit status.
1264 * @param object $post Post object.
1265 * @return bool Whether the post can be read.
1267 public function check_read_permission( $post ) {
1268 $post_type = get_post_type_object( $post->post_type );
1269 if ( ! $this->check_is_post_type_allowed( $post_type ) ) {
1273 // Is the post readable?
1274 if ( 'publish' === $post->post_status || current_user_can( $post_type->cap->read_post, $post->ID ) ) {
1278 $post_status_obj = get_post_status_object( $post->post_status );
1279 if ( $post_status_obj && $post_status_obj->public ) {
1283 // Can we read the parent if we're inheriting?
1284 if ( 'inherit' === $post->post_status && $post->post_parent > 0 ) {
1285 $parent = get_post( $post->post_parent );
1286 return $this->check_read_permission( $parent );
1290 * If there isn't a parent, but the status is set to inherit, assume
1291 * it's published (as per get_post_status()).
1293 if ( 'inherit' === $post->post_status ) {
1301 * Checks if a post can be edited.
1306 * @param object $post Post object.
1307 * @return bool Whether the post can be edited.
1309 protected function check_update_permission( $post ) {
1310 $post_type = get_post_type_object( $post->post_type );
1312 if ( ! $this->check_is_post_type_allowed( $post_type ) ) {
1316 return current_user_can( $post_type->cap->edit_post, $post->ID );
1320 * Checks if a post can be created.
1325 * @param object $post Post object.
1326 * @return bool Whether the post can be created.
1328 protected function check_create_permission( $post ) {
1329 $post_type = get_post_type_object( $post->post_type );
1331 if ( ! $this->check_is_post_type_allowed( $post_type ) ) {
1335 return current_user_can( $post_type->cap->create_posts );
1339 * Checks if a post can be deleted.
1344 * @param object $post Post object.
1345 * @return bool Whether the post can be deleted.
1347 protected function check_delete_permission( $post ) {
1348 $post_type = get_post_type_object( $post->post_type );
1350 if ( ! $this->check_is_post_type_allowed( $post_type ) ) {
1354 return current_user_can( $post_type->cap->delete_post, $post->ID );
1358 * Prepares a single post output for response.
1363 * @param WP_Post $post Post object.
1364 * @param WP_REST_Request $request Request object.
1365 * @return WP_REST_Response Response object.
1367 public function prepare_item_for_response( $post, $request ) {
1368 $GLOBALS['post'] = $post;
1370 setup_postdata( $post );
1372 $schema = $this->get_item_schema();
1374 // Base fields for every post.
1377 if ( ! empty( $schema['properties']['id'] ) ) {
1378 $data['id'] = $post->ID;
1381 if ( ! empty( $schema['properties']['date'] ) ) {
1382 $data['date'] = $this->prepare_date_response( $post->post_date_gmt, $post->post_date );
1385 if ( ! empty( $schema['properties']['date_gmt'] ) ) {
1386 $data['date_gmt'] = $this->prepare_date_response( $post->post_date_gmt );
1389 if ( ! empty( $schema['properties']['guid'] ) ) {
1390 $data['guid'] = array(
1391 /** This filter is documented in wp-includes/post-template.php */
1392 'rendered' => apply_filters( 'get_the_guid', $post->guid ),
1393 'raw' => $post->guid,
1397 if ( ! empty( $schema['properties']['modified'] ) ) {
1398 $data['modified'] = $this->prepare_date_response( $post->post_modified_gmt, $post->post_modified );
1401 if ( ! empty( $schema['properties']['modified_gmt'] ) ) {
1402 $data['modified_gmt'] = $this->prepare_date_response( $post->post_modified_gmt );
1405 if ( ! empty( $schema['properties']['password'] ) ) {
1406 $data['password'] = $post->post_password;
1409 if ( ! empty( $schema['properties']['slug'] ) ) {
1410 $data['slug'] = $post->post_name;
1413 if ( ! empty( $schema['properties']['status'] ) ) {
1414 $data['status'] = $post->post_status;
1417 if ( ! empty( $schema['properties']['type'] ) ) {
1418 $data['type'] = $post->post_type;
1421 if ( ! empty( $schema['properties']['link'] ) ) {
1422 $data['link'] = get_permalink( $post->ID );
1425 if ( ! empty( $schema['properties']['title'] ) ) {
1426 add_filter( 'protected_title_format', array( $this, 'protected_title_format' ) );
1428 $data['title'] = array(
1429 'raw' => $post->post_title,
1430 'rendered' => get_the_title( $post->ID ),
1433 remove_filter( 'protected_title_format', array( $this, 'protected_title_format' ) );
1436 $has_password_filter = false;
1438 if ( $this->can_access_password_content( $post, $request ) ) {
1439 // Allow access to the post, permissions already checked before.
1440 add_filter( 'post_password_required', '__return_false' );
1442 $has_password_filter = true;
1445 if ( ! empty( $schema['properties']['content'] ) ) {
1446 $data['content'] = array(
1447 'raw' => $post->post_content,
1448 /** This filter is documented in wp-includes/post-template.php */
1449 'rendered' => post_password_required( $post ) ? '' : apply_filters( 'the_content', $post->post_content ),
1450 'protected' => (bool) $post->post_password,
1454 if ( ! empty( $schema['properties']['excerpt'] ) ) {
1455 /** This filter is documented in wp-includes/post-template.php */
1456 $excerpt = apply_filters( 'the_excerpt', apply_filters( 'get_the_excerpt', $post->post_excerpt, $post ) );
1457 $data['excerpt'] = array(
1458 'raw' => $post->post_excerpt,
1459 'rendered' => post_password_required( $post ) ? '' : $excerpt,
1460 'protected' => (bool) $post->post_password,
1464 if ( $has_password_filter ) {
1466 remove_filter( 'post_password_required', '__return_false' );
1469 if ( ! empty( $schema['properties']['author'] ) ) {
1470 $data['author'] = (int) $post->post_author;
1473 if ( ! empty( $schema['properties']['featured_media'] ) ) {
1474 $data['featured_media'] = (int) get_post_thumbnail_id( $post->ID );
1477 if ( ! empty( $schema['properties']['parent'] ) ) {
1478 $data['parent'] = (int) $post->post_parent;
1481 if ( ! empty( $schema['properties']['menu_order'] ) ) {
1482 $data['menu_order'] = (int) $post->menu_order;
1485 if ( ! empty( $schema['properties']['comment_status'] ) ) {
1486 $data['comment_status'] = $post->comment_status;
1489 if ( ! empty( $schema['properties']['ping_status'] ) ) {
1490 $data['ping_status'] = $post->ping_status;
1493 if ( ! empty( $schema['properties']['sticky'] ) ) {
1494 $data['sticky'] = is_sticky( $post->ID );
1497 if ( ! empty( $schema['properties']['template'] ) ) {
1498 if ( $template = get_page_template_slug( $post->ID ) ) {
1499 $data['template'] = $template;
1501 $data['template'] = '';
1505 if ( ! empty( $schema['properties']['format'] ) ) {
1506 $data['format'] = get_post_format( $post->ID );
1508 // Fill in blank post format.
1509 if ( empty( $data['format'] ) ) {
1510 $data['format'] = 'standard';
1514 if ( ! empty( $schema['properties']['meta'] ) ) {
1515 $data['meta'] = $this->meta->get_value( $post->ID, $request );
1518 $taxonomies = wp_list_filter( get_object_taxonomies( $this->post_type, 'objects' ), array( 'show_in_rest' => true ) );
1520 foreach ( $taxonomies as $taxonomy ) {
1521 $base = ! empty( $taxonomy->rest_base ) ? $taxonomy->rest_base : $taxonomy->name;
1523 if ( ! empty( $schema['properties'][ $base ] ) ) {
1524 $terms = get_the_terms( $post, $taxonomy->name );
1525 $data[ $base ] = $terms ? array_values( wp_list_pluck( $terms, 'term_id' ) ) : array();
1529 $context = ! empty( $request['context'] ) ? $request['context'] : 'view';
1530 $data = $this->add_additional_fields_to_object( $data, $request );
1531 $data = $this->filter_response_by_context( $data, $context );
1533 // Wrap the data in a response object.
1534 $response = rest_ensure_response( $data );
1536 $response->add_links( $this->prepare_links( $post ) );
1539 * Filters the post data for a response.
1541 * The dynamic portion of the hook name, `$this->post_type`, refers to the post type slug.
1545 * @param WP_REST_Response $response The response object.
1546 * @param WP_Post $post Post object.
1547 * @param WP_REST_Request $request Request object.
1549 return apply_filters( "rest_prepare_{$this->post_type}", $response, $post, $request );
1553 * Overwrites the default protected title format.
1555 * By default, WordPress will show password protected posts with a title of
1556 * "Protected: %s", as the REST API communicates the protected status of a post
1557 * in a machine readable format, we remove the "Protected: " prefix.
1559 * @return string Protected title format.
1561 public function protected_title_format() {
1566 * Prepares links for the request.
1571 * @param WP_Post $post Post object.
1572 * @return array Links for the given post.
1574 protected function prepare_links( $post ) {
1575 $base = sprintf( '%s/%s', $this->namespace, $this->rest_base );
1580 'href' => rest_url( trailingslashit( $base ) . $post->ID ),
1582 'collection' => array(
1583 'href' => rest_url( $base ),
1586 'href' => rest_url( 'wp/v2/types/' . $this->post_type ),
1590 if ( ( in_array( $post->post_type, array( 'post', 'page' ), true ) || post_type_supports( $post->post_type, 'author' ) )
1591 && ! empty( $post->post_author ) ) {
1592 $links['author'] = array(
1593 'href' => rest_url( 'wp/v2/users/' . $post->post_author ),
1594 'embeddable' => true,
1598 if ( in_array( $post->post_type, array( 'post', 'page' ), true ) || post_type_supports( $post->post_type, 'comments' ) ) {
1599 $replies_url = rest_url( 'wp/v2/comments' );
1600 $replies_url = add_query_arg( 'post', $post->ID, $replies_url );
1602 $links['replies'] = array(
1603 'href' => $replies_url,
1604 'embeddable' => true,
1608 if ( in_array( $post->post_type, array( 'post', 'page' ), true ) || post_type_supports( $post->post_type, 'revisions' ) ) {
1609 $links['version-history'] = array(
1610 'href' => rest_url( trailingslashit( $base ) . $post->ID . '/revisions' ),
1614 $post_type_obj = get_post_type_object( $post->post_type );
1616 if ( $post_type_obj->hierarchical && ! empty( $post->post_parent ) ) {
1617 $links['up'] = array(
1618 'href' => rest_url( trailingslashit( $base ) . (int) $post->post_parent ),
1619 'embeddable' => true,
1623 // If we have a featured media, add that.
1624 if ( $featured_media = get_post_thumbnail_id( $post->ID ) ) {
1625 $image_url = rest_url( 'wp/v2/media/' . $featured_media );
1627 $links['https://api.w.org/featuredmedia'] = array(
1628 'href' => $image_url,
1629 'embeddable' => true,
1633 if ( ! in_array( $post->post_type, array( 'attachment', 'nav_menu_item', 'revision' ), true ) ) {
1634 $attachments_url = rest_url( 'wp/v2/media' );
1635 $attachments_url = add_query_arg( 'parent', $post->ID, $attachments_url );
1637 $links['https://api.w.org/attachment'] = array(
1638 'href' => $attachments_url,
1642 $taxonomies = get_object_taxonomies( $post->post_type );
1644 if ( ! empty( $taxonomies ) ) {
1645 $links['https://api.w.org/term'] = array();
1647 foreach ( $taxonomies as $tax ) {
1648 $taxonomy_obj = get_taxonomy( $tax );
1650 // Skip taxonomies that are not public.
1651 if ( empty( $taxonomy_obj->show_in_rest ) ) {
1655 $tax_base = ! empty( $taxonomy_obj->rest_base ) ? $taxonomy_obj->rest_base : $tax;
1657 $terms_url = add_query_arg(
1660 rest_url( 'wp/v2/' . $tax_base )
1663 $links['https://api.w.org/term'][] = array(
1664 'href' => $terms_url,
1666 'embeddable' => true,
1675 * Retrieves the post's schema, conforming to JSON Schema.
1680 * @return array Item schema data.
1682 public function get_item_schema() {
1685 '$schema' => 'http://json-schema.org/schema#',
1686 'title' => $this->post_type,
1688 // Base properties for every Post.
1689 'properties' => array(
1691 'description' => __( "The date the object was published, in the site's timezone." ),
1693 'format' => 'date-time',
1694 'context' => array( 'view', 'edit', 'embed' ),
1696 'date_gmt' => array(
1697 'description' => __( 'The date the object was published, as GMT.' ),
1699 'format' => 'date-time',
1700 'context' => array( 'view', 'edit' ),
1703 'description' => __( 'The globally unique identifier for the object.' ),
1705 'context' => array( 'view', 'edit' ),
1707 'properties' => array(
1709 'description' => __( 'GUID for the object, as it exists in the database.' ),
1711 'context' => array( 'edit' ),
1714 'rendered' => array(
1715 'description' => __( 'GUID for the object, transformed for display.' ),
1717 'context' => array( 'view', 'edit' ),
1723 'description' => __( 'Unique identifier for the object.' ),
1724 'type' => 'integer',
1725 'context' => array( 'view', 'edit', 'embed' ),
1729 'description' => __( 'URL to the object.' ),
1732 'context' => array( 'view', 'edit', 'embed' ),
1735 'modified' => array(
1736 'description' => __( "The date the object was last modified, in the site's timezone." ),
1738 'format' => 'date-time',
1739 'context' => array( 'view', 'edit' ),
1742 'modified_gmt' => array(
1743 'description' => __( 'The date the object was last modified, as GMT.' ),
1745 'format' => 'date-time',
1746 'context' => array( 'view', 'edit' ),
1750 'description' => __( 'An alphanumeric identifier for the object unique to its type.' ),
1752 'context' => array( 'view', 'edit', 'embed' ),
1753 'arg_options' => array(
1754 'sanitize_callback' => array( $this, 'sanitize_slug' ),
1758 'description' => __( 'A named status for the object.' ),
1760 'enum' => array_keys( get_post_stati( array( 'internal' => false ) ) ),
1761 'context' => array( 'edit' ),
1764 'description' => __( 'Type of Post for the object.' ),
1766 'context' => array( 'view', 'edit', 'embed' ),
1769 'password' => array(
1770 'description' => __( 'A password to protect access to the content and excerpt.' ),
1772 'context' => array( 'edit' ),
1777 $post_type_obj = get_post_type_object( $this->post_type );
1779 if ( $post_type_obj->hierarchical ) {
1780 $schema['properties']['parent'] = array(
1781 'description' => __( 'The ID for the parent of the object.' ),
1782 'type' => 'integer',
1783 'context' => array( 'view', 'edit' ),
1787 $post_type_attributes = array(
1799 $fixed_schemas = array(
1822 'attachment' => array(
1830 foreach ( $post_type_attributes as $attribute ) {
1831 if ( isset( $fixed_schemas[ $this->post_type ] ) && ! in_array( $attribute, $fixed_schemas[ $this->post_type ], true ) ) {
1833 } elseif ( ! isset( $fixed_schemas[ $this->post_type ] ) && ! post_type_supports( $this->post_type, $attribute ) ) {
1837 switch ( $attribute ) {
1840 $schema['properties']['title'] = array(
1841 'description' => __( 'The title for the object.' ),
1843 'context' => array( 'view', 'edit', 'embed' ),
1844 'arg_options' => array(
1845 'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
1847 'properties' => array(
1849 'description' => __( 'Title for the object, as it exists in the database.' ),
1851 'context' => array( 'edit' ),
1853 'rendered' => array(
1854 'description' => __( 'HTML title for the object, transformed for display.' ),
1856 'context' => array( 'view', 'edit', 'embed' ),
1864 $schema['properties']['content'] = array(
1865 'description' => __( 'The content for the object.' ),
1867 'context' => array( 'view', 'edit' ),
1868 'arg_options' => array(
1869 'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
1871 'properties' => array(
1873 'description' => __( 'Content for the object, as it exists in the database.' ),
1875 'context' => array( 'edit' ),
1877 'rendered' => array(
1878 'description' => __( 'HTML content for the object, transformed for display.' ),
1880 'context' => array( 'view', 'edit' ),
1883 'protected' => array(
1884 'description' => __( 'Whether the content is protected with a password.' ),
1885 'type' => 'boolean',
1886 'context' => array( 'view', 'edit', 'embed' ),
1894 $schema['properties']['author'] = array(
1895 'description' => __( 'The ID for the author of the object.' ),
1896 'type' => 'integer',
1897 'context' => array( 'view', 'edit', 'embed' ),
1902 $schema['properties']['excerpt'] = array(
1903 'description' => __( 'The excerpt for the object.' ),
1905 'context' => array( 'view', 'edit', 'embed' ),
1906 'arg_options' => array(
1907 'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
1909 'properties' => array(
1911 'description' => __( 'Excerpt for the object, as it exists in the database.' ),
1913 'context' => array( 'edit' ),
1915 'rendered' => array(
1916 'description' => __( 'HTML excerpt for the object, transformed for display.' ),
1918 'context' => array( 'view', 'edit', 'embed' ),
1921 'protected' => array(
1922 'description' => __( 'Whether the excerpt is protected with a password.' ),
1923 'type' => 'boolean',
1924 'context' => array( 'view', 'edit', 'embed' ),
1932 $schema['properties']['featured_media'] = array(
1933 'description' => __( 'The ID of the featured media for the object.' ),
1934 'type' => 'integer',
1935 'context' => array( 'view', 'edit' ),
1940 $schema['properties']['comment_status'] = array(
1941 'description' => __( 'Whether or not comments are open on the object.' ),
1943 'enum' => array( 'open', 'closed' ),
1944 'context' => array( 'view', 'edit' ),
1946 $schema['properties']['ping_status'] = array(
1947 'description' => __( 'Whether or not the object can be pinged.' ),
1949 'enum' => array( 'open', 'closed' ),
1950 'context' => array( 'view', 'edit' ),
1954 case 'page-attributes':
1955 $schema['properties']['menu_order'] = array(
1956 'description' => __( 'The order of the object in relation to other object of its type.' ),
1957 'type' => 'integer',
1958 'context' => array( 'view', 'edit' ),
1962 case 'post-formats':
1963 $supports_formats = get_theme_support( 'post-formats' );
1965 // Force to an array. Supports formats can return true even if empty in some cases.
1966 $supports_formats = is_array( $supports_formats ) ? array_values( $supports_formats[0] ) : array();
1968 $supported_formats = array_merge( array( 'standard' ), $supports_formats );
1970 $schema['properties']['format'] = array(
1971 'description' => __( 'The format for the object.' ),
1973 'enum' => $supported_formats,
1974 'context' => array( 'view', 'edit' ),
1978 case 'custom-fields':
1979 $schema['properties']['meta'] = $this->meta->get_field_schema();
1985 if ( 'post' === $this->post_type ) {
1986 $schema['properties']['sticky'] = array(
1987 'description' => __( 'Whether or not the object should be treated as sticky.' ),
1988 'type' => 'boolean',
1989 'context' => array( 'view', 'edit' ),
1993 $schema['properties']['template'] = array(
1994 'description' => __( 'The theme file to use to display the object.' ),
1996 'enum' => array_merge( array_keys( wp_get_theme()->get_page_templates( null, $this->post_type ) ), array( '' ) ),
1997 'context' => array( 'view', 'edit' ),
2000 $taxonomies = wp_list_filter( get_object_taxonomies( $this->post_type, 'objects' ), array( 'show_in_rest' => true ) );
2001 foreach ( $taxonomies as $taxonomy ) {
2002 $base = ! empty( $taxonomy->rest_base ) ? $taxonomy->rest_base : $taxonomy->name;
2003 $schema['properties'][ $base ] = array(
2004 /* translators: %s: taxonomy name */
2005 'description' => sprintf( __( 'The terms assigned to the object in the %s taxonomy.' ), $taxonomy->name ),
2008 'type' => 'integer',
2010 'context' => array( 'view', 'edit' ),
2014 return $this->add_additional_fields_schema( $schema );
2018 * Retrieves the query params for the posts collection.
2023 * @return array Collection parameters.
2025 public function get_collection_params() {
2026 $query_params = parent::get_collection_params();
2028 $query_params['context']['default'] = 'view';
2030 $query_params['after'] = array(
2031 'description' => __( 'Limit response to posts published after a given ISO8601 compliant date.' ),
2033 'format' => 'date-time',
2036 if ( post_type_supports( $this->post_type, 'author' ) ) {
2037 $query_params['author'] = array(
2038 'description' => __( 'Limit result set to posts assigned to specific authors.' ),
2041 'type' => 'integer',
2043 'default' => array(),
2045 $query_params['author_exclude'] = array(
2046 'description' => __( 'Ensure result set excludes posts assigned to specific authors.' ),
2049 'type' => 'integer',
2051 'default' => array(),
2055 $query_params['before'] = array(
2056 'description' => __( 'Limit response to posts published before a given ISO8601 compliant date.' ),
2058 'format' => 'date-time',
2061 $query_params['exclude'] = array(
2062 'description' => __( 'Ensure result set excludes specific IDs.' ),
2065 'type' => 'integer',
2067 'default' => array(),
2070 $query_params['include'] = array(
2071 'description' => __( 'Limit result set to specific IDs.' ),
2074 'type' => 'integer',
2076 'default' => array(),
2079 if ( 'page' === $this->post_type || post_type_supports( $this->post_type, 'page-attributes' ) ) {
2080 $query_params['menu_order'] = array(
2081 'description' => __( 'Limit result set to posts with a specific menu_order value.' ),
2082 'type' => 'integer',
2086 $query_params['offset'] = array(
2087 'description' => __( 'Offset the result set by a specific number of items.' ),
2088 'type' => 'integer',
2091 $query_params['order'] = array(
2092 'description' => __( 'Order sort attribute ascending or descending.' ),
2094 'default' => 'desc',
2095 'enum' => array( 'asc', 'desc' ),
2098 $query_params['orderby'] = array(
2099 'description' => __( 'Sort collection by object attribute.' ),
2101 'default' => 'date',
2112 if ( 'page' === $this->post_type || post_type_supports( $this->post_type, 'page-attributes' ) ) {
2113 $query_params['orderby']['enum'][] = 'menu_order';
2116 $post_type = get_post_type_object( $this->post_type );
2118 if ( $post_type->hierarchical || 'attachment' === $this->post_type ) {
2119 $query_params['parent'] = array(
2120 'description' => __( 'Limit result set to those of particular parent IDs.' ),
2123 'type' => 'integer',
2125 'default' => array(),
2127 $query_params['parent_exclude'] = array(
2128 'description' => __( 'Limit result set to all items except those of a particular parent ID.' ),
2131 'type' => 'integer',
2133 'default' => array(),
2137 $query_params['slug'] = array(
2138 'description' => __( 'Limit result set to posts with one or more specific slugs.' ),
2143 'sanitize_callback' => 'wp_parse_slug_list',
2146 $query_params['status'] = array(
2147 'default' => 'publish',
2148 'description' => __( 'Limit result set to posts assigned one or more statuses.' ),
2151 'enum' => array_merge( array_keys( get_post_stati() ), array( 'any' ) ),
2154 'sanitize_callback' => array( $this, 'sanitize_post_statuses' ),
2157 $taxonomies = wp_list_filter( get_object_taxonomies( $this->post_type, 'objects' ), array( 'show_in_rest' => true ) );
2159 foreach ( $taxonomies as $taxonomy ) {
2160 $base = ! empty( $taxonomy->rest_base ) ? $taxonomy->rest_base : $taxonomy->name;
2162 $query_params[ $base ] = array(
2163 /* translators: %s: taxonomy name */
2164 'description' => sprintf( __( 'Limit result set to all items that have the specified term assigned in the %s taxonomy.' ), $base ),
2167 'type' => 'integer',
2169 'default' => array(),
2172 $query_params[ $base . '_exclude' ] = array(
2173 /* translators: %s: taxonomy name */
2174 'description' => sprintf( __( 'Limit result set to all items except those that have the specified term assigned in the %s taxonomy.' ), $base ),
2177 'type' => 'integer',
2179 'default' => array(),
2183 if ( 'post' === $this->post_type ) {
2184 $query_params['sticky'] = array(
2185 'description' => __( 'Limit result set to items that are sticky.' ),
2186 'type' => 'boolean',
2191 * Filter collection parameters for the posts controller.
2193 * The dynamic part of the filter `$this->post_type` refers to the post
2194 * type slug for the controller.
2196 * This filter registers the collection parameter, but does not map the
2197 * collection parameter to an internal WP_Query parameter. Use the
2198 * `rest_{$this->post_type}_query` filter to set WP_Query parameters.
2202 * @param array $query_params JSON Schema-formatted collection parameters.
2203 * @param WP_Post_Type $post_type Post type object.
2205 return apply_filters( "rest_{$this->post_type}_collection_params", $query_params, $post_type );
2209 * Sanitizes and validates the list of post statuses, including whether the
2210 * user can query private statuses.
2215 * @param string|array $statuses One or more post statuses.
2216 * @param WP_REST_Request $request Full details about the request.
2217 * @param string $parameter Additional parameter to pass to validation.
2218 * @return array|WP_Error A list of valid statuses, otherwise WP_Error object.
2220 public function sanitize_post_statuses( $statuses, $request, $parameter ) {
2221 $statuses = wp_parse_slug_list( $statuses );
2223 // The default status is different in WP_REST_Attachments_Controller
2224 $attributes = $request->get_attributes();
2225 $default_status = $attributes['args']['status']['default'];
2227 foreach ( $statuses as $status ) {
2228 if ( $status === $default_status ) {
2232 $post_type_obj = get_post_type_object( $this->post_type );
2234 if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
2235 $result = rest_validate_request_arg( $status, $request, $parameter );
2236 if ( is_wp_error( $result ) ) {
2240 return new WP_Error( 'rest_forbidden_status', __( 'Status is forbidden.' ), array( 'status' => rest_authorization_required_code() ) );