sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

XML-RPC: wp.getComments should be allowed to return approved comments to those without the 'moderate_comments' cap.

Browse Source 
Adds (rewrites) unit tests from 4 years ago that we never committed because....

Props wonderboymusic, koke, ericmann, nprasath002.
Fixes #17981.


git-svn-id: https://develop.svn.wordpress.org/trunk@34570 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Scott Taylor 2015-09-26 02:48:47 +00:00
parent e09edc2d7f
commit 0d3da57a9a
3 changed files with 233 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
src/wp-includes/class-wp-xmlrpc-server.php
View File

@ -3155,17 +3155,20 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2]; $password = $args[2];
$comment_id = (int) $args[3]; $comment_id = (int) $args[3];
if ( !$user = $this->login($username, $password) ) if ( ! $user = $this->login( $username, $password ) ) {
return $this->error; return $this->error;
}
if ( !current_user_can( 'moderate_comments' ) )
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.getComment' ); do_action( 'xmlrpc_call', 'wp.getComment' );
if ( ! $comment = get_comment($comment_id) ) if ( ! $comment = get_comment( $comment_id ) ) {
return new IXR_Error( 404, __( 'Invalid comment ID.' ) ); return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
}
if ( ! current_user_can( 'edit_comment', $comment_id ) ) {
return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
}
return $this->_prepare_comment( $comment ); return $this->_prepare_comment( $comment );
} }
@ -3203,20 +3206,21 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2]; $password = $args[2];
$struct = isset( $args[3] ) ? $args[3] : array(); $struct = isset( $args[3] ) ? $args[3] : array();
if ( !$user = $this->login($username, $password) ) if ( ! $user = $this->login($username, $password ) )
return $this->error; return $this->error;
if ( !current_user_can( 'moderate_comments' ) )
return new IXR_Error( 401, __( 'Sorry, you cannot edit comments.' ) );
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.getComments' ); do_action( 'xmlrpc_call', 'wp.getComments' );
if ( isset($struct['status']) ) if ( isset( $struct['status'] ) )
$status = $struct['status']; $status = $struct['status'];
else else
$status = ''; $status = '';
if ( ! current_user_can( 'moderate_comments' ) && 'approve' !== $status ) {
return new IXR_Error( 401, __( 'Invalid comment status.' ) );
}
$post_id = ''; $post_id = '';
if ( isset($struct['post_id']) ) if ( isset($struct['post_id']) )
$post_id = absint($struct['post_id']); $post_id = absint($struct['post_id']);
@ -3260,24 +3264,24 @@ class wp_xmlrpc_server extends IXR_Server {
* } * }
* @return bool|IXR_Error {@link wp_delete_comment()} * @return bool|IXR_Error {@link wp_delete_comment()}
*/ */
public function wp_deleteComment($args) { public function wp_deleteComment( $args ) {
$this->escape($args); $this->escape($args);
$username = $args[1]; $username = $args[1];
$password = $args[2]; $password = $args[2];
$comment_ID = (int) $args[3]; $comment_ID = (int) $args[3];
if ( !$user = $this->login($username, $password) ) if ( ! $user = $this->login( $username, $password ) ) {
return $this->error; return $this->error;
}
if ( !current_user_can( 'moderate_comments' ) ) if ( ! get_comment( $comment_ID ) ) {
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
if ( ! get_comment($comment_ID) )
return new IXR_Error( 404, __( 'Invalid comment ID.' ) ); return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
}
if ( !current_user_can( 'edit_comment', $comment_ID ) ) if ( !current_user_can( 'edit_comment', $comment_ID ) ) {
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) ); return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
}
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.deleteComment' ); do_action( 'xmlrpc_call', 'wp.deleteComment' );
@ -3334,17 +3338,17 @@ class wp_xmlrpc_server extends IXR_Server {
$comment_ID = (int) $args[3]; $comment_ID = (int) $args[3];
$content_struct = $args[4]; $content_struct = $args[4];
if ( !$user = $this->login($username, $password) ) if ( !$user = $this->login( $username, $password ) ) {
return $this->error; return $this->error;
}
if ( !current_user_can( 'moderate_comments' ) ) if ( ! get_comment( $comment_ID ) ) {
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
if ( ! get_comment($comment_ID) )
return new IXR_Error( 404, __( 'Invalid comment ID.' ) ); return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
}
if ( !current_user_can( 'edit_comment', $comment_ID ) ) if ( ! current_user_can( 'edit_comment', $comment_ID ) ) {
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) ); return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
}
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.editComment' ); do_action( 'xmlrpc_call', 'wp.editComment' );
@ -3536,17 +3540,19 @@ class wp_xmlrpc_server extends IXR_Server {
* } * }
* @return array|IXR_Error * @return array|IXR_Error
*/ */
public function wp_getCommentStatusList($args) { public function wp_getCommentStatusList( $args ) {
$this->escape( $args ); $this->escape( $args );
$username = $args[1]; $username = $args[1];
$password = $args[2]; $password = $args[2];
if ( !$user = $this->login($username, $password) ) if ( ! $user = $this->login( $username, $password ) ) {
return $this->error; return $this->error;
}
if ( !current_user_can( 'moderate_comments' ) ) if ( ! current_user_can( 'publish_posts' ) ) {
return new IXR_Error( 403, __( 'You are not allowed access to details about this site.' ) ); return new IXR_Error( 403, __( 'You are not allowed access to details about this site.' ) );
}
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.getCommentStatusList' ); do_action( 'xmlrpc_call', 'wp.getCommentStatusList' );
@ -3576,16 +3582,24 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2]; $password = $args[2];
$post_id = (int) $args[3]; $post_id = (int) $args[3];
if ( !$user = $this->login($username, $password) ) if ( ! $user = $this->login( $username, $password ) ) {
return $this->error; return $this->error;
}
if ( !current_user_can( 'edit_posts' ) ) $post = get_post( $post_id, ARRAY_A );
return new IXR_Error( 403, __( 'You are not allowed access to details about comments.' ) ); if ( empty( $post['ID'] ) ) {
return new IXR_Error( 404, __( 'Invalid post ID.' ) );
}
if ( ! current_user_can( 'edit_post', $post_id ) ) {
return new IXR_Error( 403, __( 'You are not allowed access to details of this post.' ) );
}
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.getCommentCount' ); do_action( 'xmlrpc_call', 'wp.getCommentCount' );
$count = wp_count_comments( $post_id ); $count = wp_count_comments( $post_id );
return array( return array(
'approved' => $count->approved, 'approved' => $count->approved,
'awaiting_moderation' => $count->moderated, 'awaiting_moderation' => $count->moderated,

43
tests/phpunit/tests/xmlrpc/wp/editComment.php
View File

@ -4,6 +4,49 @@
* @group xmlrpc * @group xmlrpc
*/ */
class Tests_XMLRPC_wp_editComment extends WP_XMLRPC_UnitTestCase { class Tests_XMLRPC_wp_editComment extends WP_XMLRPC_UnitTestCase {
function test_author_can_edit_own_comment() {
$author_id = $this->make_user_by_role( 'author' );
$post_id = $this->factory->post->create( array(
'post_title' => 'Post test by author',
'post_author' => $author_id
) );
$comment_id = wp_insert_comment(array(
'comment_post_ID' => $post_id,
'comment_author' => 'Commenter 1',
'comment_author_url' => "http://example.com/1/",
'comment_approved' => 1,
));
$result = $this->myxmlrpcserver->wp_editComment( array( 1, 'author', 'author', $comment_id, array(
'status' => 'hold'
) ) );
$this->assertNotInstanceOf( 'IXR_Error', $result );
$this->assertTrue( $result );
}
function test_author_cannot_edit_others_comment() {
$this->make_user_by_role( 'author' );
$editor_id = $this->make_user_by_role( 'editor' );
$post_id = $this->factory->post->create( array(
'post_title' => 'Post test by editor',
'post_author' => $editor_id
) );
$comment_id = wp_insert_comment( array(
'comment_post_ID' => $post_id,
'comment_author' => 'Commenter 2',
'comment_author_url' => 'http://example.com/2/',
'comment_approved' => 0,
) );
$result = $this->myxmlrpcserver->wp_editComment( array( 1, 'author', 'author', $comment_id, array( 'status' => 'hold' ) ) );
$this->assertInstanceOf( 'IXR_Error', $result );
$this->assertEquals( 403, $result->code );
$this->assertEquals( __( 'You are not allowed to moderate or edit this comment.' ), $result->message );
}
function test_trash_comment() { function test_trash_comment() {
$this->make_user_by_role( 'administrator' ); $this->make_user_by_role( 'administrator' );
$post_id = $this->factory->post->create(); $post_id = $this->factory->post->create();

156
tests/phpunit/tests/xmlrpc/wp/getComments.php
View File

@ -42,10 +42,9 @@ class Tests_XMLRPC_wp_getComments extends WP_XMLRPC_UnitTestCase {
function test_post_filter() { function test_post_filter() {
$this->make_user_by_role( 'editor' ); $this->make_user_by_role( 'editor' );
$filter = array( $results = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
'post_id' => $this->post_id 'post_id' => $this->post_id
); ) ) );
$results = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', $filter ) );
$this->assertNotInstanceOf( 'IXR_Error', $results ); $this->assertNotInstanceOf( 'IXR_Error', $results );
foreach( $results as $result ) { foreach( $results as $result ) {
@ -56,19 +55,154 @@ class Tests_XMLRPC_wp_getComments extends WP_XMLRPC_UnitTestCase {
function test_number_filter() { function test_number_filter() {
$this->make_user_by_role( 'editor' ); $this->make_user_by_role( 'editor' );
$filter = array( $results = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
'post_id' => $this->post_id, 'post_id' => $this->post_id,
); ) ) );
$results = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', $filter ) );
$this->assertNotInstanceOf( 'IXR_Error', $results ); $this->assertNotInstanceOf( 'IXR_Error', $results );
// if no 'number' filter is specified, default should be 10 // if no 'number' filter is specified, default should be 10
$this->assertEquals( 10, count( $results ) ); $this->assertCount( 10, $results );
// explicitly set a 'number' filter and verify that only that many are returned $results2 = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
$filter['number'] = 5; 'post_id' => $this->post_id,
$results2 = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', $filter ) ); 'number' => 5
) ) );
$this->assertNotInstanceOf( 'IXR_Error', $results2 ); $this->assertNotInstanceOf( 'IXR_Error', $results2 );
$this->assertEquals( 5, count( $results2 ) ); $this->assertCount( 5, $results2 );
}
function test_contributor_capabilities() {
$this->make_user_by_role( 'contributor' );
$author_id = $this->make_user_by_role( 'author' );
$author_post_id = $this->factory->post->create( array(
'post_title' => 'Author',
'post_author' => $author_id,
'post_status' => 'publish'
) );
$this->factory->comment->create( array(
'comment_post_ID' => $author_post_id,
'comment_author' => "Commenter 1",
'comment_author_url' => "http://example.com/1/",
'comment_approved' => 0,
) );
$editor_id = $this->make_user_by_role( 'editor' );
$editor_post_id = $this->factory->post->create( array(
'post_title' => 'Editor',
'post_author' => $editor_id,
'post_status' => 'publish'
) );
$this->factory->comment->create( array(
'comment_post_ID' => $editor_post_id,
'comment_author' => 'Commenter 2',
'comment_author_url' => 'http://example.com/2/',
'comment_approved' => 0,
) );
$result = $this->myxmlrpcserver->wp_getComments( array( 1, 'contributor', 'contributor' ) );
$this->assertInstanceOf( 'IXR_Error', $result );
$this->assertEquals( 401, $result->code );
}
function test_author_capabilities() {
$author_id = $this->make_user_by_role( 'author' );
$author_post_id = $this->factory->post->create( array(
'post_title' => 'Author',
'post_author' => $author_id,
'post_status' => 'publish'
) );
$this->factory->comment->create( array(
'comment_post_ID' => $author_post_id,
'comment_author' => 'Commenter 1',
'comment_author_url' => 'http://example.com/1/',
'comment_approved' => 1,
) );
$editor_id = $this->make_user_by_role( 'editor' );
$editor_post_id = $this->factory->post->create( array(
'post_title' => 'Editor',
'post_author' => $editor_id,
'post_status' => 'publish'
) );
$this->factory->comment->create( array(
'comment_post_ID' => $editor_post_id,
'comment_author' => 'Commenter 2',
'comment_author_url' => 'http://example.com/2/',
'comment_approved' => 0,
) );
$result1 = $this->myxmlrpcserver->wp_getComments( array( 1, 'author', 'author', array(
'post_id' => $author_post_id
) ) );
$this->assertInstanceOf( 'IXR_Error', $result1 );
$result2 = $this->myxmlrpcserver->wp_getComments( array( 1, 'author', 'author', array(
'status' => 'approve',
'post_id' => $author_post_id
) ) );
$this->assertInternalType( 'array', $result2 );
$this->assertCount( 1, $result2 );
$result3 = $this->myxmlrpcserver->wp_getComments( array( 1, 'author', 'author', array(
'post_id' => $editor_post_id
) ) );
$this->assertInstanceOf( 'IXR_Error', $result3 );
$result4 = $this->myxmlrpcserver->wp_getComments( array( 1, 'author', 'author', array(
'status' => 'approve',
'post_id' => $author_post_id
) ) );
$this->assertInternalType( 'array', $result4 );
$this->assertCount( 1, $result4 );
}
function test_editor_capabilities() {
$author_id = $this->make_user_by_role( 'author' );
$author_post_id = $this->factory->post->create( array(
'post_title' => 'Author',
'post_author' => $author_id,
'post_status' => 'publish'
) );
$this->factory->comment->create( array(
'comment_post_ID' => $author_post_id,
'comment_author' => 'Commenter 1',
'comment_author_url' => 'http://example.com/1/',
'comment_approved' => 1,
));
$editor_id = $this->make_user_by_role( 'editor' );
$editor_post_id = $this->factory->post->create( array(
'post_title' => 'Editor',
'post_author' => $editor_id,
'post_status' => 'publish'
) );
$this->factory->comment->create(array(
'comment_post_ID' => $editor_post_id,
'comment_author' => 'Commenter 2',
'comment_author_url' => 'http://example.com/2/',
'comment_approved' => 0,
));
$result = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
'post_id' => $author_post_id
) ) );
$this->assertInternalType( 'array', $result );
$this->assertCount( 1, $result );
$result2 = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
'status' => 'approve',
'post_id' => $author_post_id
) ) );
$this->assertInternalType( 'array', $result2 );
$this->assertCount( 1, $result2 );
} }
} }