REST API: Check read permissions on posts when viewing comments.

With a few tests for getting / creating comments to reflect core behaviour.

Props timmyc.

git-svn-id: https://develop.svn.wordpress.org/trunk@39295 602fd350-edb4-49c9-b593-d223f7449a82
Joe Hoyle 2016-11-18 19:06:26 +00:00
parent b34803f431
commit db07183b6f
2 changed files with 77 additions and 0 deletions


@ -1454,6 +1454,11 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
*/
protected function check_read_post_permission( $post ) {
$posts_controller = new WP_REST_Posts_Controller( $post->post_type );
$post_type = get_post_type_object( $post->post_type );
if ( post_password_required( $post ) ) {
return current_user_can( $post_type->cap->edit_post, $post->ID );
}
return $posts_controller->check_read_permission( $post );
}
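Review bot: `get_post_type_object( $post->post_type )` can return null when the post's type is not (or no longer) registered, and the new password branch then dereferences `$post_type->cap->edit_post` on null before handing that value to `current_user_can()`. A guard placed ahead of the `post_password_required()` check, `if ( ! $post_type ) { return false; }`, keeps the failure closed instead of surfacing a warning and a capability check against a null capability name. The method's docblock begins outside the hunk; it would be worth stating there that comments on a password-protected post are readable only by users who can edit the post, unless the visitor has already satisfied `post_password_required()`, in which case the check falls through to the posts controller as before.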


@ -17,6 +17,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
protected static $author_id;
protected static $post_id;
protected static $password_id;
protected static $private_id;
protected static $draft_id;
protected static $trash_id;
@ -52,6 +53,9 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
self::$private_id = $factory->post->create( array(
'post_status' => 'private',
) );
self::$password_id = $factory->post->create( array(
'post_password' => 'toomanysecrets',
) );
self::$draft_id = $factory->post->create( array(
'post_status' => 'draft',
) );
@ -78,6 +82,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
wp_delete_post( self::$post_id, true );
wp_delete_post( self::$private_id, true );
wp_delete_post( self::$password_id, true );
wp_delete_post( self::$draft_id, true );
wp_delete_post( self::$trash_id, true );
wp_delete_post( self::$approved_id, true );
@ -162,6 +167,42 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
$this->assertCount( 7, $comments );
}
public function test_get_password_items_without_edit_post_permission() {
wp_set_current_user( 0 );
$args = array(
'comment_approved' => 1,
'comment_post_ID' => self::$password_id,
);
$password_comment = $this->factory->comment->create( $args );
$request = new WP_REST_Request( 'GET', '/wp/v2/comments' );
$response = $this->server->dispatch( $request );
$this->assertEquals( 200, $response->get_status() );
$collection_data = $response->get_data();
$this->assertFalse( in_array( $password_comment, wp_list_pluck( $collection_data, 'id' ), true ) );
}
public function test_get_password_items_with_edit_post_permission() {
wp_set_current_user( self::$admin_id );
$args = array(
'comment_approved' => 1,
'comment_post_ID' => self::$password_id,
);
$password_comment = $this->factory->comment->create( $args );
$request = new WP_REST_Request( 'GET', '/wp/v2/comments' );
$response = $this->server->dispatch( $request );
$this->assertEquals( 200, $response->get_status() );
$collection_data = $response->get_data();
$this->assertTrue( in_array( $password_comment, wp_list_pluck( $collection_data, 'id' ), true ) );
}
public function test_get_items_without_private_post_permission() {
wp_set_current_user( 0 );
@ -800,6 +841,18 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
$this->assertArrayNotHasKey( 'children', $response->get_links() );
}
public function test_get_comment_with_password_without_edit_post_permission() {
wp_set_current_user( 0 );
$args = array(
'comment_approved' => 1,
'comment_post_ID' => self::$password_id,
);
$password_comment = $this->factory->comment->create( $args );
$request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/comments/%s', $password_comment ) );
$response = $this->server->dispatch( $request );
$this->assertErrorResponse( 'rest_cannot_read', $response, 401 );
}
public function test_create_item() {
wp_set_current_user( 0 );
@ -1372,6 +1425,25 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
$this->assertErrorResponse( 'rest_cannot_read_post', $response, 403 );
}
public function test_create_comment_password_post_invalid_permission() {
wp_set_current_user( self::$subscriber_id );
$params = array(
'post' => self::$password_id,
'author_name' => 'Homer Jay Simpson',
'author_email' => 'chunkylover53@aol.com',
'author_url' => 'http://compuglobalhypermeganet.com',
'content' => 'I\d be a vegetarian if bacon grew on trees.',
'author' => self::$subscriber_id,
);
$request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
$request->add_header( 'content-type', 'application/json' );
$request->set_body( wp_json_encode( $params ) );
$response = $this->server->dispatch( $request );
$this->assertErrorResponse( 'rest_cannot_read_post', $response, 403 );
}
public function test_create_item_duplicate() {
$this->factory->comment->create(
array(