REST API: Check read permissions on posts when viewing comments.
With a few tests for getting / creating comments to reflect core behaviour. Props timmyc. git-svn-id: https://develop.svn.wordpress.org/trunk@39295 602fd350-edb4-49c9-b593-d223f7449a82
parent
b34803f431
commit
db07183b6f
@ -1454,6 +1454,11 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
|
||||
*/
|
||||
protected function check_read_post_permission( $post ) {
|
||||
$posts_controller = new WP_REST_Posts_Controller( $post->post_type );
|
||||
$post_type = get_post_type_object( $post->post_type );
|
||||
|
||||
if ( post_password_required( $post ) ) {
|
||||
return current_user_can( $post_type->cap->edit_post, $post->ID );
|
||||
}
|
||||
|
||||
return $posts_controller->check_read_permission( $post );
|
||||
}
|
||||
|
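Review bot: The new `current_user_can( $post_type->cap->edit_post, $post->ID )` line dereferences the result of `get_post_type_object()` without checking it; for a comment attached to a post whose type is no longer registered that call returns null, so the password branch would raise a PHP error rather than deny access. A guard such as `if ( ! $post_type ) { return false; }` placed before the `post_password_required()` check keeps the method fail-closed. Separately, `$posts_controller` is instantiated before the early return and is unused on the password path, so constructing it only after the `if` block avoids wasted work. It is also worth a one-line comment on the method noting that `post_password_required()` appears to consult the front-end password cookie, so a visitor who unlocked the post in the browser still sees its comments while a cookie-less REST client has no way to supply the password — confirm that is the intended behaviour. The enclosing class starts outside the hunk.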
@ -17,6 +17,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
|
||||
protected static $author_id;
|
||||
|
||||
protected static $post_id;
|
||||
protected static $password_id;
|
||||
protected static $private_id;
|
||||
protected static $draft_id;
|
||||
protected static $trash_id;
|
||||
@ -52,6 +53,9 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
|
||||
self::$private_id = $factory->post->create( array(
|
||||
'post_status' => 'private',
|
||||
) );
|
||||
self::$password_id = $factory->post->create( array(
|
||||
'post_password' => 'toomanysecrets',
|
||||
) );
|
||||
self::$draft_id = $factory->post->create( array(
|
||||
'post_status' => 'draft',
|
||||
) );
|
||||
@ -78,6 +82,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
|
||||
|
||||
wp_delete_post( self::$post_id, true );
|
||||
wp_delete_post( self::$private_id, true );
|
||||
wp_delete_post( self::$password_id, true );
|
||||
wp_delete_post( self::$draft_id, true );
|
||||
wp_delete_post( self::$trash_id, true );
|
||||
wp_delete_post( self::$approved_id, true );
|
||||
@ -162,6 +167,42 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
|
||||
$this->assertCount( 7, $comments );
|
||||
}
|
||||
|
||||
public function test_get_password_items_without_edit_post_permission() {
|
||||
wp_set_current_user( 0 );
|
||||
|
||||
$args = array(
|
||||
'comment_approved' => 1,
|
||||
'comment_post_ID' => self::$password_id,
|
||||
);
|
||||
$password_comment = $this->factory->comment->create( $args );
|
||||
|
||||
$request = new WP_REST_Request( 'GET', '/wp/v2/comments' );
|
||||
|
||||
$response = $this->server->dispatch( $request );
|
||||
$this->assertEquals( 200, $response->get_status() );
|
||||
|
||||
$collection_data = $response->get_data();
|
||||
$this->assertFalse( in_array( $password_comment, wp_list_pluck( $collection_data, 'id' ), true ) );
|
||||
}
|
||||
|
||||
public function test_get_password_items_with_edit_post_permission() {
|
||||
wp_set_current_user( self::$admin_id );
|
||||
|
||||
$args = array(
|
||||
'comment_approved' => 1,
|
||||
'comment_post_ID' => self::$password_id,
|
||||
);
|
||||
$password_comment = $this->factory->comment->create( $args );
|
||||
|
||||
$request = new WP_REST_Request( 'GET', '/wp/v2/comments' );
|
||||
|
||||
$response = $this->server->dispatch( $request );
|
||||
$this->assertEquals( 200, $response->get_status() );
|
||||
|
||||
$collection_data = $response->get_data();
|
||||
$this->assertTrue( in_array( $password_comment, wp_list_pluck( $collection_data, 'id' ), true ) );
|
||||
}
|
||||
|
||||
public function test_get_items_without_private_post_permission() {
|
||||
wp_set_current_user( 0 );
|
||||
|
||||
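Review bot: `test_get_password_items_without_edit_post_permission` asserts only that the password-protected comment is absent from the collection, so a regression that hid every comment from logged-out users would still pass. Adding `$this->assertNotEmpty( $collection_data );` (or the fixture's expected count, as the assertion just above this hunk does) after the `in_array` check pins the filter to the password post alone. The `with_edit_post_permission` variant could likewise assert that the returned comment's `post` field equals `self::$password_id` rather than only matching on id. If the controller honours a visitor who has entered the post password on the front end, that case has no coverage here and would be a useful follow-up.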
@ -800,6 +841,18 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
|
||||
$this->assertArrayNotHasKey( 'children', $response->get_links() );
|
||||
}
|
||||
|
||||
public function test_get_comment_with_password_without_edit_post_permission() {
|
||||
wp_set_current_user( 0 );
|
||||
$args = array(
|
||||
'comment_approved' => 1,
|
||||
'comment_post_ID' => self::$password_id,
|
||||
);
|
||||
$password_comment = $this->factory->comment->create( $args );
|
||||
$request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/comments/%s', $password_comment ) );
|
||||
$response = $this->server->dispatch( $request );
|
||||
$this->assertErrorResponse( 'rest_cannot_read', $response, 401 );
|
||||
}
|
||||
|
||||
public function test_create_item() {
|
||||
wp_set_current_user( 0 );
|
||||
|
||||
@ -1372,6 +1425,25 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
|
||||
$this->assertErrorResponse( 'rest_cannot_read_post', $response, 403 );
|
||||
}
|
||||
|
||||
public function test_create_comment_password_post_invalid_permission() {
|
||||
wp_set_current_user( self::$subscriber_id );
|
||||
|
||||
$params = array(
|
||||
'post' => self::$password_id,
|
||||
'author_name' => 'Homer Jay Simpson',
|
||||
'author_email' => 'chunkylover53@aol.com',
|
||||
'author_url' => 'http://compuglobalhypermeganet.com',
|
||||
'content' => 'I\’d be a vegetarian if bacon grew on trees.',
|
||||
'author' => self::$subscriber_id,
|
||||
);
|
||||
$request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
|
||||
$request->add_header( 'content-type', 'application/json' );
|
||||
$request->set_body( wp_json_encode( $params ) );
|
||||
|
||||
$response = $this->server->dispatch( $request );
|
||||
$this->assertErrorResponse( 'rest_cannot_read_post', $response, 403 );
|
||||
}
|
||||
|
||||
public function test_create_item_duplicate() {
|
||||
$this->factory->comment->create(
|
||||
array(
|
||||
|