sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

REST API: Require the reassign parameter when deleting users.

Browse Source 
When deleting a user through the WordPress admin, a specific decision is presented - whether to assign all of the user's posts to another user, or to delete all of the posts.

This change requires `reassign` as a parameter in the corresponding REST API endpoint, so that content isn't accidentally lost.

Props jeremyfelt.
Fixes #39000.



git-svn-id: https://develop.svn.wordpress.org/trunk@39426 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Gary Pendergast 2016-12-02 06:53:59 +00:00
parent 5eddda525b
commit d5bfeae9d8
2 changed files with 128 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
View File

@ -92,6 +92,8 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
'reassign' => array(
'type' => 'integer',
'description' => __( 'Reassign the deleted user\'s posts and links to this user ID.' ),
'required' => true,
'sanitize_callback' => array( $this, 'check_reassign' ),
),
),
),
@ -125,6 +127,8 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
'reassign' => array(
'type' => 'integer',
'description' => __( 'Reassign the deleted user\'s posts and links to this user ID.' ),
'required' => true,
'sanitize_callback' => array( $this, 'check_reassign' ),
),
),
),
@ -132,6 +136,31 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
));
}
/**
* Checks for a valid value for the reassign parameter when deleting users.
*
* The value can be an integer, 'false', false, or ''.
*
* @since 4.7.0
*
* @param int|bool $value The value passed to the reassign parameter.
* @param WP_REST_Request $request Full details about the request.
* @param string $param The parameter that is being sanitized.
*
* @return int|bool|WP_Error
*/
public function check_reassign( $value, $request, $param ) {
if ( is_numeric( $value ) ) {
return $value;
}
if ( empty( $value ) || false === $value || 'false' === $value ) {
return false;
}
return new WP_Error( 'rest_invalid_param', __( 'Invalid user parameter(s).' ), array( 'status' => 400 ) );
}
/**
* Permissions check for getting all users.
*
@ -673,7 +702,7 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
*/
public function delete_item( $request ) {
$id = (int) $request['id'];
$reassign = isset( $request['reassign'] ) ? absint( $request['reassign'] ) : null;
$reassign = false === $request['reassign'] ? null : absint( $request['reassign'] );
$force = isset( $request['force'] ) ? (bool) $request['force'] : false;
// We don't support trashing for users.

99
tests/phpunit/tests/rest-api/rest-users-controller.php
View File

@ -1639,7 +1639,8 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$userdata = get_userdata( $user_id ); // cache for later
$request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
$request['force'] = true;
$request->set_param( 'force', true );
$request->set_param( 'reassign', false );
$response = $this->server->dispatch( $request );
$this->assertEquals( 200, $response->get_status() );
@ -1657,6 +1658,7 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$userdata = get_userdata( $user_id ); // cache for later
$request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
$request->set_param( 'reassign', false );
$response = $this->server->dispatch( $request );
$this->assertErrorResponse( 'rest_trash_not_supported', $response, 501 );
@ -1678,6 +1680,7 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$request = new WP_REST_Request( 'DELETE', '/wp/v2/users/me' );
$request['force'] = true;
$request->set_param( 'reassign', false );
$response = $this->server->dispatch( $request );
$this->assertEquals( 200, $response->get_status() );
@ -1694,6 +1697,7 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
update_site_option( 'site_admins', array( $user->user_login ) );
$request = new WP_REST_Request( 'DELETE', '/wp/v2/users/me' );
$request->set_param( 'reassign', false );
$response = $this->server->dispatch( $request );
$this->assertErrorResponse( 'rest_trash_not_supported', $response, 501 );
@ -1714,12 +1718,14 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
$request['force'] = true;
$request->set_param( 'reassign', false );
$response = $this->server->dispatch( $request );
$this->assertErrorResponse( 'rest_user_cannot_delete', $response, 403 );
$request = new WP_REST_Request( 'DELETE', '/wp/v2/users/me' );
$request['force'] = true;
$request->set_param( 'reassign', false );
$response = $this->server->dispatch( $request );
$this->assertErrorResponse( 'rest_user_cannot_delete', $response, 403 );
@ -1731,6 +1737,7 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$request = new WP_REST_Request( 'DELETE', '/wp/v2/users/100' );
$request['force'] = true;
$request->set_param( 'reassign', false );
$response = $this->server->dispatch( $request );
$this->assertErrorResponse( 'rest_user_invalid_id', $response, 404 );
@ -1778,6 +1785,96 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$this->assertErrorResponse( 'rest_user_invalid_reassign', $response, 400 );
}
public function test_delete_user_invalid_reassign_passed_as_string() {
$user_id = $this->factory->user->create();
$this->allow_user_to_manage_multisite();
wp_set_current_user( self::$user );
$request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
$request['force'] = true;
$request->set_param( 'reassign', 'null' );
$response = $this->server->dispatch( $request );
$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
}
public function test_delete_user_reassign_passed_as_boolean_false_trashes_post() {
$user_id = $this->factory->user->create();
$this->allow_user_to_manage_multisite();
wp_set_current_user( self::$user );
$test_post = $this->factory->post->create(array(
'post_author' => $user_id,
));
$request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
$request['force'] = true;
$request->set_param( 'reassign', false );
$this->server->dispatch( $request );
$test_post = get_post( $test_post );
$this->assertEquals( 'trash', $test_post->post_status );
}
public function test_delete_user_reassign_passed_as_string_false_trashes_post() {
$user_id = $this->factory->user->create();
$this->allow_user_to_manage_multisite();
wp_set_current_user( self::$user );
$test_post = $this->factory->post->create(array(
'post_author' => $user_id,
));
$request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
$request['force'] = true;
$request->set_param( 'reassign', 'false' );
$this->server->dispatch( $request );
$test_post = get_post( $test_post );
$this->assertEquals( 'trash', $test_post->post_status );
}
public function test_delete_user_reassign_passed_as_empty_string_trashes_post() {
$user_id = $this->factory->user->create();
$this->allow_user_to_manage_multisite();
wp_set_current_user( self::$user );
$test_post = $this->factory->post->create(array(
'post_author' => $user_id,
));
$request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
$request['force'] = true;
$request->set_param( 'reassign', '' );
$this->server->dispatch( $request );
$test_post = get_post( $test_post );
$this->assertEquals( 'trash', $test_post->post_status );
}
public function test_delete_user_reassign_passed_as_0_reassigns_author() {
$user_id = $this->factory->user->create();
$this->allow_user_to_manage_multisite();
wp_set_current_user( self::$user );
$test_post = $this->factory->post->create(array(
'post_author' => $user_id,
));
$request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
$request['force'] = true;
$request->set_param( 'reassign', 0 );
$this->server->dispatch( $request );
$test_post = get_post( $test_post );
$this->assertEquals( 0, $test_post->post_author );
}
public function test_get_item_schema() {
$request = new WP_REST_Request( 'OPTIONS', '/wp/v2/users' );
$response = $this->server->dispatch( $request );