Code Coverage for projects/plugins/jetpack/json-endpoints/class.wpcom-json-api-upload-media-v1-1-endpoint.php

	Code Coverage
	Lines			Functions and Methods				Classes and Traits
Total	0.00% covered (danger)	0.00%	0 / 140	0.00% covered (danger)	0.00%	0 / 4	CRAP	0.00% covered (danger)	0.00%	0 / 1
WPCOM_JSON_API_Upload_Media_v1_1_Endpoint	0.00% covered (danger)	0.00%	0 / 102	0.00% covered (danger)	0.00%	0 / 4	3422	0.00% covered (danger)	0.00%	0 / 1
callback	0.00% covered (danger)	0.00%	0 / 67	0.00% covered (danger)	0.00%	0 / 1	1260
rewrite_generic_upload_error	0.00% covered (danger)	0.00%	0 / 4	0.00% covered (danger)	0.00%	0 / 1	20
check_upload_size	0.00% covered (danger)	0.00%	0 / 21	0.00% covered (danger)	0.00%	0 / 1	156
force_wpcom_request	0.00% covered (danger)	0.00%	0 / 10	0.00% covered (danger)	0.00%	0 / 1	56

1	<?php // phpcs:ignore WordPress.Files.FileName.InvalidClassFileName
2	/**
3	* Upload media item API endpoint v1.1
4	*
5	* Endpoint: /sites/%s/media/new
6	*/
7
8	if ( ! defined( 'ABSPATH' ) ) {
9	exit( 0 );
10	}
11
12	new WPCOM_JSON_API_Upload_Media_v1_1_Endpoint(
13	array(
14	'description' => 'Upload a new piece of media.',
15	'allow_cross_origin_request' => true,
16	'allow_upload_token_auth' => true,
17	'group' => 'media',
18	'stat' => 'media:new',
19	'min_version' => '1.1',
20	'max_version' => '1.1',
21	'method' => 'POST',
22	'path' => '/sites/%s/media/new',
23	'path_labels' => array(
24	'$site' => '(int\|string) Site ID or domain',
25	),
26
27	'request_format' => array(
28	'media' => '(media) An array of media to attach to the post. To upload media, the entire request should be multipart/form-data encoded. Accepts jpg, jpeg, png, gif, pdf, doc, ppt, odt, pptx, docx, pps, ppsx, xls, xlsx, key. Audio and Video may also be available. See <code>allowed_file_types</code> in the options response of the site endpoint.<br /><br /><strong>Example</strong>:<br />' .
29	"<code>curl \<br />--form 'media[]=@/path/to/file.jpg' \<br />-H 'Authorization: BEARER your-token' \<br />'https://public-api.wordpress.com/rest/v1/sites/123/media/new'</code>",
30	'media_urls' => '(array) An array of URLs to upload to the post. Errors produced by media uploads, if any, will be in `media_errors` in the response.',
31	'attrs' => '(array) An array of attributes (`title`, `description`, `caption` `alt` for images, `artist` for audio, `album` for audio, and `parent_id`) are supported to assign to the media uploaded via the `media` or `media_urls` properties. You must use a numeric index for the keys of `attrs` which follows the same sequence as `media` and `media_urls`. <br /><br /><strong>Example</strong>:<br />' .
32	"<code>curl \<br />--form 'media[]=@/path/to/file1.jpg' \<br />--form 'media_urls[]=http://example.com/file2.jpg' \<br /> \<br />--form 'attrs[0][caption]=This will be the caption for file1.jpg' \<br />--form 'attrs[1][title]=This will be the title for file2.jpg' \<br />-H 'Authorization: BEARER your-token' \<br />'https://public-api.wordpress.com/rest/v1/sites/123/media/new'</code>",
33	),
34
35	'response_format' => array(
36	'media' => '(array) Array of uploaded media objects',
37	'errors' => '(array) Array of error messages of uploading media failures',
38	),
39
40	'example_request' => 'https://public-api.wordpress.com/rest/v1.1/sites/82974409/media/new',
41	'example_request_data' => array(
42	'headers' => array(
43	'authorization' => 'Bearer YOUR_API_TOKEN',
44	),
45	'body' => array(
46	'media_urls' => 'https://s.w.org/about/images/logos/codeispoetry-rgb.png',
47	),
48	),
49	)
50	);
51
52	// phpcs:disable PEAR.NamingConventions.ValidClassName.Invalid
53	/**
54	* Upload media item API class v1.1
55	*
56	* @phan-constructor-used-for-side-effects
57	*/
58	class WPCOM_JSON_API_Upload_Media_v1_1_Endpoint extends WPCOM_JSON_API_Endpoint {
59	/**
60	* Upload media item API endpoint callback v1.1
61	*
62	* @param string $path API path.
63	* @param int $blog_id Blog ID.
64	*
65	* @return array\|int\|WP_Error\|void
66	*/
67	public function callback( $path = '', $blog_id = 0 ) {
68	$blog_id = $this->api->switch_to_blog_and_validate_user( $this->api->get_blog_id( $blog_id ) );
69	if ( is_wp_error( $blog_id ) ) {
70	return $blog_id;
71	}
72
73	if ( ! current_user_can( 'upload_files' ) && ! $this->api->is_authorized_with_upload_token() ) {
74	return new WP_Error( 'unauthorized', 'User cannot upload media.', 403 );
75	}
76
77	$input = $this->input( true );
78
79	$media_files = ! empty( $input['media'] ) ? $input['media'] : array();
80	$media_urls = ! empty( $input['media_urls'] ) ? $input['media_urls'] : array();
81	$media_attrs = ! empty( $input['attrs'] ) ? $input['attrs'] : array();
82
83	if ( empty( $media_files ) && empty( $media_urls ) ) {
84	return new WP_Error( 'invalid_input', 'No media provided in input.' );
85	}
86
87	$jetpack_sync = null;
88	$is_jetpack_site = false;
89	if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
90	// For jetpack sites, we send the media via a different method, because the sync is very different.
91	$jetpack_sync = Jetpack_Media_Sync::summon( $blog_id );
92	$is_jetpack_site = $jetpack_sync->is_jetpack_site();
93	}
94
95	$jetpack_media_files = array();
96	$other_media_files = array();
97	$media_items = array();
98	$errors = array();
99
100	// We're splitting out videos for Jetpack sites.
101	foreach ( $media_files as $media_item ) {
102	if ( isset( $media_item['type'] ) && preg_match( '@^video/@', $media_item['type'] ) && $is_jetpack_site ) {
103	if ( defined( 'IS_WPCOM' ) && IS_WPCOM &&
104	defined( 'VIDEOPRESS_JETPACK_VIDEO_ENABLED' ) && VIDEOPRESS_JETPACK_VIDEO_ENABLED
105	) {
106	// Check that video upload space is available for a Jetpack site (skipped if site is Atomic).
107	$result = videopress_check_space_available_for_jetpack( $blog_id, $media_item['name'], $media_item['size'] );
108
109	if ( true !== $result ) {
110	$this->api->output_early( 400, array( 'errors' => $this->rewrite_generic_upload_error( array( $result ) ) ) );
111	continue;
112	}
113	}
114	$jetpack_media_files[] = $media_item;
115	} else {
116	$other_media_files[] = $media_item;
117	}
118	}
119
120	// New Jetpack / VideoPress media upload processing.
121	if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
122	if ( count( $jetpack_media_files ) > 0 ) {
123	add_filter( 'upload_mimes', array( $this, 'allow_video_uploads' ) );
124
125	// get_space_used() checks blog upload directory storage,
126	// so filter it temporarily to return only video storage used.
127	add_filter( 'pre_get_space_used', 'videopress_filter_jetpack_get_space_used' );
128
129	$media_items = $jetpack_sync->upload_media( $jetpack_media_files, $this->api );
130
131	$errors = $jetpack_sync->get_errors();
132
133	foreach ( $media_items as & $media_item ) {
134	// More than likely a post has not been created yet, so we pass in the media item we
135	// got back from the Jetpack site.
136	$post = (object) $media_item['post'];
137	$media_item = $this->get_media_item_v1_1( $post->ID, $post, $media_item['file'] );
138	}
139	// Remove get_space_used filter after upload.
140	remove_filter( 'pre_get_space_used', 'videopress_filter_jetpack_get_space_used' );
141	}
142	}
143
144	// Normal WPCOM upload processing.
145	if ( count( $other_media_files ) > 0 \|\| count( $media_urls ) > 0 ) {
146	if ( is_multisite() ) { // Do not check for available space in non multisites.
147	add_filter( 'wp_handle_upload_prefilter', array( $this, 'check_upload_size' ), 9 ); // used for direct media uploads.
148	add_filter( 'wp_handle_sideload_prefilter', array( $this, 'check_upload_size' ), 9 ); // used for uploading media via url.
149	}
150
151	if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
152	require_lib( 'tos-acceptance-tracking' );
153	add_filter( 'wp_handle_upload_prefilter', '\\A8C\\TOS_Acceptance_Tracking\\handle_uploads_wpcomtos_blog' );
154	}
155
156	$create_media = $this->handle_media_creation_v1_1( $other_media_files, $media_urls, $media_attrs );
157	$media_ids = $create_media['media_ids'];
158	$errors = $create_media['errors'];
159
160	$media_items = array();
161	foreach ( $media_ids as $media_id ) {
162	$media_items[] = $this->get_media_item_v1_1( $media_id );
163	}
164	}
165
166	if ( array() === $media_items ) {
167	return $this->api->output_early( 400, array( 'errors' => $this->rewrite_generic_upload_error( $errors ) ) );
168	}
169
170	$results = array();
171	foreach ( $media_items as $media_item ) {
172	if ( is_wp_error( $media_item ) ) {
173	$errors[] = array(
174	'error' => $media_item->get_error_code(),
175	'message' => $media_item->get_error_message(),
176	);
177
178	} else {
179	$results[] = $media_item;
180	}
181	}
182
183	$response = array( 'media' => $results );
184
185	if ( is_countable( $errors ) && count( $errors ) > 0 ) {
186	$response['errors'] = $this->rewrite_generic_upload_error( $errors );
187	}
188
189	return $response;
190	}
191
192	/**
193	* This changes the generic "upload_error" code to something more meaningful if possible
194	*
195	* @param array $errors Errors for the uploaded file.
196	* @return array The same array with an improved error message.
197	*/
198	public function rewrite_generic_upload_error( $errors ) {
199	foreach ( $errors as $k => $error ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
200	if ( 'upload_error' === $error['error'] && str_contains( $error['message'], '\|' ) ) {
201	list( $errors[ $k ]['error'], $errors[ $k ]['message'] ) = explode( '\|', $error['message'], 2 ); // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
202	}
203	}
204	return $errors;
205	}
206
207	/**
208	* Determine if uploaded file exceeds space quota on multisite.
209	*
210	* This is a copy of the core function with added functionality, synced
211	* with this with WP_REST_Attachments_Controller::check_upload_size()
212	* to allow for specifying a better error message.
213	*
214	* @param array $file $_FILES array for a given file.
215	* @return array Maybe extended with an error message.
216	*/
217	public function check_upload_size( $file ) {
218	if ( get_site_option( 'upload_space_check_disabled' ) ) {
219	return $file;
220	}
221
222	if ( isset( $file['error'] ) && $file['error'] > 0 ) { // There's already an error. Error Codes Reference: https://www.php.net/manual/en/features.file-upload.errors.php .
223	return $file;
224	}
225
226	// We don't know if this is an upload or a sideload, but in either case the tmp_name should be a path, not a URL.
227	if ( wp_parse_url( $file['tmp_name'], PHP_URL_SCHEME ) !== null ) {
228	$file['error'] = 'rest_upload_invalid\|' . __( 'Specified file failed upload test.', 'default' ); // phpcs:ignore WordPress.WP.I18n.TextDomainMismatch
229	return $file;
230	}
231
232	if ( defined( 'WP_IMPORTING' ) ) {
233	return $file;
234	}
235
236	$space_left = get_upload_space_available();
237
238	$file_size = filesize( $file['tmp_name'] );
239	if ( $space_left < $file_size ) {
240	/* translators: %s: Required disk space in kilobytes. */
241	$file['error'] = 'rest_upload_limited_space\|' . sprintf( __( 'Not enough space to upload. %s KB needed.', 'default' ), number_format( ( $file_size - $space_left ) / KB_IN_BYTES ) ); // phpcs:ignore WordPress.WP.I18n.TextDomainMismatch
242	}
243
244	$max_upload_size = KB_IN_BYTES * get_site_option( 'fileupload_maxk', 1500 );
245	if ( defined( 'IS_WPCOM' ) && IS_WPCOM && defined( 'WPCOM_MAX_UPLOAD_FILE_SIZE' ) ) {
246	$max_upload_size = WPCOM_MAX_UPLOAD_FILE_SIZE;
247	}
248
249	if ( $file_size > $max_upload_size ) {
250	/* translators: %s: Maximum allowed file size in kilobytes. */
251	$file['error'] = 'rest_upload_file_too_big\|' . sprintf( __( 'This file is too big. Files must be less than %s KB in size.', 'jetpack' ), $max_upload_size / KB_IN_BYTES );
252	}
253
254	if ( upload_is_user_over_quota( false ) ) {
255	$file['error'] = 'rest_upload_user_quota_exceeded\|' . __( 'You have used your space quota. Please delete files before uploading.', 'default' ); // phpcs:ignore WordPress.WP.I18n.TextDomainMismatch
256	}
257
258	return $file;
259	}
260	/**
261	* Force to use the WPCOM API instead of proxy back to the Jetpack API if the blog is a paid Jetpack
262	* blog w/ the VideoPress module enabled AND the uploaded file is a video.
263	*
264	* @param int $blog_id Blog ID.
265	* @return bool
266	*/
267	public function force_wpcom_request( $blog_id ) {
268
269	// We don't need to do anything if VideoPress is not enabled for the blog.
270	if ( ! is_videopress_enabled_on_jetpack_blog( $blog_id ) ) {
271	return false;
272	}
273
274	// Check to see if the upload is not a video type, if not then return false.
275	$input = $this->input( true );
276	$media_files = ! empty( $input['media'] ) ? $input['media'] : array();
277
278	if ( empty( $media_files ) ) {
279	return false;
280	}
281
282	foreach ( $media_files as $media_item ) {
283	if ( ! isset( $media_item['type'] ) \|\| ! preg_match( '@^video/@', $media_item['type'] ) ) {
284	return false;
285	}
286	}
287
288	// The API request should be for a blog w/ Jetpack, A valid plan, has VideoPress enabled,
289	// and is a video file. Let's let it through.
290	return true;
291	}
292	}