From adb9ba18417822890962c41ef4479853a6f691e0 Mon Sep 17 00:00:00 2001
From: Erick Hitter <git-contrib@ethitter.com>
Date: Fri, 15 Sep 2017 17:29:09 -0700
Subject: [PATCH] For custom properties, provide original `$_REQUEST` in case
 they accessed it directly.

---
 includes/class-custom-action.php | 16 ++++++++++++++--
 includes/class-main.php          | 21 +++++++++++++++------
 2 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/includes/class-custom-action.php b/includes/class-custom-action.php
index 7f37d6d..1e06158 100644
--- a/includes/class-custom-action.php
+++ b/includes/class-custom-action.php
@@ -36,17 +36,29 @@ class Custom_Action {
 		// Provide for capabilities checks.
 		wp_set_current_user( $vars->user_id );
 
-		// TODO: capture and repopulate $_REQUEST?
-		// Rebuild something akin to the URL this would normally be filtering.
+		// Rebuild something akin to the URL the custom action would normally be filtering.
 		$return_url = sprintf( '/wp-admin/%1$s.php', $vars->current_screen->base );
 		$return_url = add_query_arg( array(
 			'post_type'   => $vars->post_type,
 			'post_status' => $vars->post_status,
 		), $return_url );
 
+		// Because custom actions could be accessing $_REQUEST directly.
+		if ( ! is_null( $vars->raw_request ) ) {
+			global $real_request;
+			$real_request = $_REQUEST;
+
+			$_REQUEST = $vars->raw_request;
+		}
+
 		// Run the custom action as Core does. See note above.
 		$return_url = apply_filters( 'handle_bulk_actions-' . $vars->current_screen->id, $return_url, $vars->action, $vars->posts ); // Core violates its own standard by using a hyphen in the hook name. @codingStandardsIgnoreLine
 
+		// If $_REQUEST was overwritten, restore the original.
+		if ( isset( $real_request ) ) {
+			$_REQUEST = $real_request;
+		}
+
 		// Can't get much more than this in terms of success or failure.
 		$results = compact( 'return_url', 'vars' );
 		do_action( 'bulk_actions_cron_offload_custom_request_completed', $results, $vars );
diff --git a/includes/class-main.php b/includes/class-main.php
index e0c6a2f..1eb93b1 100644
--- a/includes/class-main.php
+++ b/includes/class-main.php
@@ -99,7 +99,15 @@ class Main {
 	 * Capture relevant variables
 	 */
 	private static function capture_vars() {
-		$vars = array( 'action', 'custom_action', 'user_id', 'current_screen' ); // Extra data that normally would be available from the context.
+		// Extra data that normally would be available from the request.
+		$vars = array(
+			'action',         // Bulk action, or "custom" when not from Core.
+			'custom_action',  // Name of custom action.
+			'user_id',        // For permissions checks.
+			'current_screen', // Public properties from \WP_Screen.
+			'raw_request',    // When using a custom action, $_REQUEST.
+		);
+
 		$vars = array_merge( $vars, self::get_supported_vars() );
 		$vars = (object) array_fill_keys( $vars, null );
 
@@ -187,10 +195,11 @@ class Main {
 			$vars->keep_private = true;
 		}
 
-		// Standardize custom actions.
+		// Standardize custom actions and capture extra data.
 		if ( ! self::is_core_action( $vars->action ) ) {
 			$vars->custom_action = $vars->action;
 			$vars->action        = 'custom';
+			$vars->raw_request   = $_REQUEST;
 		}
 
 		return $vars;
@@ -228,11 +237,11 @@ class Main {
 	 */
 	public static function is_core_action( $action ) {
 		$core_actions = array(
-			'delete', // class Delete_Permanently.
+			'delete',     // class Delete_Permanently.
 			'delete_all', // class Delete_All.
-			'edit', // class Edit.
-			'trash', // class Move_To_Trash.
-			'untrash', // class Restore_From_Trash.
+			'edit',       // class Edit.
+			'trash',      // class Move_To_Trash.
+			'untrash',    // class Restore_From_Trash.
 		);
 
 		return in_array( $action, $core_actions, true );
-- 
GitLab