sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

XML-RPC: wp.getComments should be allowed to return approved comments to those without the 'moderate_comments' cap.

Browse Source 
Adds (rewrites) unit tests from 4 years ago that we never committed because....

Props wonderboymusic, koke, ericmann, nprasath002.
Fixes #17981.


git-svn-id: https://develop.svn.wordpress.org/trunk@34570 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Scott Taylor 2015-09-26 02:48:47 +00:00
parent e09edc2d7f
commit 0d3da57a9a
3 changed files with 233 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
src/wp-includes/class-wp-xmlrpc-server.php
View File

@ -3155,17 +3155,20 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2];
$comment_id = (int) $args[3];
if ( !$user = $this->login($username, $password) )
if ( ! $user = $this->login( $username, $password ) ) {
return $this->error;
if ( !current_user_can( 'moderate_comments' ) )
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
}
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.getComment' );
if ( ! $comment = get_comment($comment_id) )
if ( ! $comment = get_comment( $comment_id ) ) {
return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
}
if ( ! current_user_can( 'edit_comment', $comment_id ) ) {
return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
}
return $this->_prepare_comment( $comment );
}
@ -3203,20 +3206,21 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2];
$struct = isset( $args[3] ) ? $args[3] : array();
if ( !$user = $this->login($username, $password) )
if ( ! $user = $this->login($username, $password ) )
return $this->error;
if ( !current_user_can( 'moderate_comments' ) )
return new IXR_Error( 401, __( 'Sorry, you cannot edit comments.' ) );
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.getComments' );
if ( isset($struct['status']) )
if ( isset( $struct['status'] ) )
$status = $struct['status'];
else
$status = '';
if ( ! current_user_can( 'moderate_comments' ) && 'approve' !== $status ) {
return new IXR_Error( 401, __( 'Invalid comment status.' ) );
}
$post_id = '';
if ( isset($struct['post_id']) )
$post_id = absint($struct['post_id']);
@ -3260,24 +3264,24 @@ class wp_xmlrpc_server extends IXR_Server {
* }
* @return bool|IXR_Error {@link wp_delete_comment()}
*/
public function wp_deleteComment($args) {
public function wp_deleteComment( $args ) {
$this->escape($args);
$username = $args[1];
$password = $args[2];
$comment_ID = (int) $args[3];
if ( !$user = $this->login($username, $password) )
if ( ! $user = $this->login( $username, $password ) ) {
return $this->error;
}
if ( !current_user_can( 'moderate_comments' ) )
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
if ( ! get_comment($comment_ID) )
if ( ! get_comment( $comment_ID ) ) {
return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
}
if ( !current_user_can( 'edit_comment', $comment_ID ) )
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
if ( !current_user_can( 'edit_comment', $comment_ID ) ) {
return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
}
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.deleteComment' );
@ -3334,17 +3338,17 @@ class wp_xmlrpc_server extends IXR_Server {
$comment_ID = (int) $args[3];
$content_struct = $args[4];
if ( !$user = $this->login($username, $password) )
if ( !$user = $this->login( $username, $password ) ) {
return $this->error;
}
if ( !current_user_can( 'moderate_comments' ) )
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
if ( ! get_comment($comment_ID) )
if ( ! get_comment( $comment_ID ) ) {
return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
}
if ( !current_user_can( 'edit_comment', $comment_ID ) )
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
if ( ! current_user_can( 'edit_comment', $comment_ID ) ) {
return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
}
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.editComment' );
@ -3536,17 +3540,19 @@ class wp_xmlrpc_server extends IXR_Server {
* }
* @return array|IXR_Error
*/
public function wp_getCommentStatusList($args) {
public function wp_getCommentStatusList( $args ) {
$this->escape( $args );
$username = $args[1];
$password = $args[2];
if ( !$user = $this->login($username, $password) )
if ( ! $user = $this->login( $username, $password ) ) {
return $this->error;
}
if ( !current_user_can( 'moderate_comments' ) )
if ( ! current_user_can( 'publish_posts' ) ) {
return new IXR_Error( 403, __( 'You are not allowed access to details about this site.' ) );
}
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.getCommentStatusList' );
@ -3576,16 +3582,24 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2];
$post_id = (int) $args[3];
if ( !$user = $this->login($username, $password) )
if ( ! $user = $this->login( $username, $password ) ) {
return $this->error;
}
if ( !current_user_can( 'edit_posts' ) )
return new IXR_Error( 403, __( 'You are not allowed access to details about comments.' ) );
$post = get_post( $post_id, ARRAY_A );
if ( empty( $post['ID'] ) ) {
return new IXR_Error( 404, __( 'Invalid post ID.' ) );
}
if ( ! current_user_can( 'edit_post', $post_id ) ) {
return new IXR_Error( 403, __( 'You are not allowed access to details of this post.' ) );
}
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.getCommentCount' );
$count = wp_count_comments( $post_id );
return array(
'approved' => $count->approved,
'awaiting_moderation' => $count->moderated,

43
tests/phpunit/tests/xmlrpc/wp/editComment.php
View File

@ -4,6 +4,49 @@
* @group xmlrpc
*/
class Tests_XMLRPC_wp_editComment extends WP_XMLRPC_UnitTestCase {
function test_author_can_edit_own_comment() {
$author_id = $this->make_user_by_role( 'author' );
$post_id = $this->factory->post->create( array(
'post_title' => 'Post test by author',
'post_author' => $author_id
) );
$comment_id = wp_insert_comment(array(
'comment_post_ID' => $post_id,
'comment_author' => 'Commenter 1',
'comment_author_url' => "http://example.com/1/",
'comment_approved' => 1,
));
$result = $this->myxmlrpcserver->wp_editComment( array( 1, 'author', 'author', $comment_id, array(
'status' => 'hold'
) ) );
$this->assertNotInstanceOf( 'IXR_Error', $result );
$this->assertTrue( $result );
}
function test_author_cannot_edit_others_comment() {
$this->make_user_by_role( 'author' );
$editor_id = $this->make_user_by_role( 'editor' );
$post_id = $this->factory->post->create( array(
'post_title' => 'Post test by editor',
'post_author' => $editor_id
) );
$comment_id = wp_insert_comment( array(
'comment_post_ID' => $post_id,
'comment_author' => 'Commenter 2',
'comment_author_url' => 'http://example.com/2/',
'comment_approved' => 0,
) );
$result = $this->myxmlrpcserver->wp_editComment( array( 1, 'author', 'author', $comment_id, array( 'status' => 'hold' ) ) );
$this->assertInstanceOf( 'IXR_Error', $result );
$this->assertEquals( 403, $result->code );
$this->assertEquals( __( 'You are not allowed to moderate or edit this comment.' ), $result->message );
}
function test_trash_comment() {
$this->make_user_by_role( 'administrator' );
$post_id = $this->factory->post->create();

156
tests/phpunit/tests/xmlrpc/wp/getComments.php
View File

@ -42,10 +42,9 @@ class Tests_XMLRPC_wp_getComments extends WP_XMLRPC_UnitTestCase {
function test_post_filter() {
$this->make_user_by_role( 'editor' );
$filter = array(
$results = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
'post_id' => $this->post_id
);
$results = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', $filter ) );
) ) );
$this->assertNotInstanceOf( 'IXR_Error', $results );
foreach( $results as $result ) {
@ -56,19 +55,154 @@ class Tests_XMLRPC_wp_getComments extends WP_XMLRPC_UnitTestCase {
function test_number_filter() {
$this->make_user_by_role( 'editor' );
$filter = array(
$results = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
'post_id' => $this->post_id,
);
$results = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', $filter ) );
) ) );
$this->assertNotInstanceOf( 'IXR_Error', $results );
// if no 'number' filter is specified, default should be 10
$this->assertEquals( 10, count( $results ) );
$this->assertCount( 10, $results );
// explicitly set a 'number' filter and verify that only that many are returned
$filter['number'] = 5;
$results2 = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', $filter ) );
$results2 = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
'post_id' => $this->post_id,
'number' => 5
) ) );
$this->assertNotInstanceOf( 'IXR_Error', $results2 );
$this->assertEquals( 5, count( $results2 ) );
$this->assertCount( 5, $results2 );
}
function test_contributor_capabilities() {
$this->make_user_by_role( 'contributor' );
$author_id = $this->make_user_by_role( 'author' );
$author_post_id = $this->factory->post->create( array(
'post_title' => 'Author',
'post_author' => $author_id,
'post_status' => 'publish'
) );
$this->factory->comment->create( array(
'comment_post_ID' => $author_post_id,
'comment_author' => "Commenter 1",
'comment_author_url' => "http://example.com/1/",
'comment_approved' => 0,
) );
$editor_id = $this->make_user_by_role( 'editor' );
$editor_post_id = $this->factory->post->create( array(
'post_title' => 'Editor',
'post_author' => $editor_id,
'post_status' => 'publish'
) );
$this->factory->comment->create( array(
'comment_post_ID' => $editor_post_id,
'comment_author' => 'Commenter 2',
'comment_author_url' => 'http://example.com/2/',
'comment_approved' => 0,
) );
$result = $this->myxmlrpcserver->wp_getComments( array( 1, 'contributor', 'contributor' ) );
$this->assertInstanceOf( 'IXR_Error', $result );
$this->assertEquals( 401, $result->code );
}
function test_author_capabilities() {
$author_id = $this->make_user_by_role( 'author' );
$author_post_id = $this->factory->post->create( array(
'post_title' => 'Author',
'post_author' => $author_id,
'post_status' => 'publish'
) );
$this->factory->comment->create( array(
'comment_post_ID' => $author_post_id,
'comment_author' => 'Commenter 1',
'comment_author_url' => 'http://example.com/1/',
'comment_approved' => 1,
) );
$editor_id = $this->make_user_by_role( 'editor' );
$editor_post_id = $this->factory->post->create( array(
'post_title' => 'Editor',
'post_author' => $editor_id,
'post_status' => 'publish'
) );
$this->factory->comment->create( array(
'comment_post_ID' => $editor_post_id,
'comment_author' => 'Commenter 2',
'comment_author_url' => 'http://example.com/2/',
'comment_approved' => 0,
) );
$result1 = $this->myxmlrpcserver->wp_getComments( array( 1, 'author', 'author', array(
'post_id' => $author_post_id
) ) );
$this->assertInstanceOf( 'IXR_Error', $result1 );
$result2 = $this->myxmlrpcserver->wp_getComments( array( 1, 'author', 'author', array(
'status' => 'approve',
'post_id' => $author_post_id
) ) );
$this->assertInternalType( 'array', $result2 );
$this->assertCount( 1, $result2 );
$result3 = $this->myxmlrpcserver->wp_getComments( array( 1, 'author', 'author', array(
'post_id' => $editor_post_id
) ) );
$this->assertInstanceOf( 'IXR_Error', $result3 );
$result4 = $this->myxmlrpcserver->wp_getComments( array( 1, 'author', 'author', array(
'status' => 'approve',
'post_id' => $author_post_id
) ) );
$this->assertInternalType( 'array', $result4 );
$this->assertCount( 1, $result4 );
}
function test_editor_capabilities() {
$author_id = $this->make_user_by_role( 'author' );
$author_post_id = $this->factory->post->create( array(
'post_title' => 'Author',
'post_author' => $author_id,
'post_status' => 'publish'
) );
$this->factory->comment->create( array(
'comment_post_ID' => $author_post_id,
'comment_author' => 'Commenter 1',
'comment_author_url' => 'http://example.com/1/',
'comment_approved' => 1,
));
$editor_id = $this->make_user_by_role( 'editor' );
$editor_post_id = $this->factory->post->create( array(
'post_title' => 'Editor',
'post_author' => $editor_id,
'post_status' => 'publish'
) );
$this->factory->comment->create(array(
'comment_post_ID' => $editor_post_id,
'comment_author' => 'Commenter 2',
'comment_author_url' => 'http://example.com/2/',
'comment_approved' => 0,
));
$result = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
'post_id' => $author_post_id
) ) );
$this->assertInternalType( 'array', $result );
$this->assertCount( 1, $result );
$result2 = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
'status' => 'approve',
'post_id' => $author_post_id
) ) );
$this->assertInternalType( 'array', $result2 );
$this->assertCount( 1, $result2 );
}
}