Ticket #38303: 38303.2.diff
File 38303.2.diff, 24.3 KB (added by , 8 years ago) |
---|
-
src/wp-admin/includes/schema.php
621 621 populate_roles_270(); 622 622 populate_roles_280(); 623 623 populate_roles_300(); 624 populate_roles_470(); 624 625 } 625 626 626 627 /** … … 861 862 } 862 863 } 863 864 865 864 866 /** 867 * Create and modify WordPress roles for WordPress 4.7. 868 * 869 * @since 4.7.0 870 */ 871 function populate_roles_470(){ 872 873 $administrator = get_role( 'administrator' ); 874 if ( !empty( $administrator ) ) { 875 $administrator->add_cap( 'edit_user_meta' ); 876 $administrator->add_cap( 'add_user_meta' ); 877 $administrator->add_cap( 'delete_user_meta' ); 878 $administrator->add_cap( 'edit_term_meta' ); 879 $administrator->add_cap( 'add_term_meta' ); 880 $administrator->add_cap( 'delete_term_meta' ); 881 $administrator->add_cap( 'edit_post_meta' ); 882 $administrator->add_cap( 'add_post_meta' ); 883 $administrator->add_cap( 'delete_post_meta' ); 884 $administrator->add_cap( 'edit_comment_meta' ); 885 $administrator->add_cap( 'add_comment_meta' ); 886 $administrator->add_cap( 'delete_comment_meta' ); 887 } 888 889 $editor = get_role( 'editor' ); 890 if ( !empty( $editor ) ) { 891 $editor->add_cap( 'edit_term_meta' ); 892 $editor->add_cap( 'add_term_meta' ); 893 $editor->add_cap( 'delete_term_meta' ); 894 $editor->add_cap( 'edit_post_meta' ); 895 $editor->add_cap( 'add_post_meta' ); 896 $editor->add_cap( 'delete_post_meta' ); 897 $editor->add_cap( 'edit_comment_meta' ); 898 $editor->add_cap( 'add_comment_meta' ); 899 $editor->add_cap( 'delete_comment_meta' ); 900 } 901 } 902 903 /** 865 904 * Install Network. 866 905 * 867 906 * @since 3.0.0 -
src/wp-includes/capabilities.php
29 29 function map_meta_cap( $cap, $user_id ) { 30 30 $args = array_slice( func_get_args(), 2 ); 31 31 $caps = array(); 32 33 32 switch ( $cap ) { 34 33 case 'remove_user': 35 34 $caps[] = 'remove_users'; … … 51 50 $caps[] = 'edit_users'; // edit_user maps to edit_users. 52 51 } 53 52 break; 53 case 'edit_user_meta': 54 case 'delete_user_meta': 55 case 'add_user_meta': 56 // There must be a user specified to edit their meta. 57 $user = ( ! empty( $args ) || ! empty( $args[0] ) ) ? get_user_by( 'id', $args[0] ) : false; 58 59 if( ! $user ){ 60 $caps[] = 'do_not_allow'; 61 break; 62 } 63 64 $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false; 65 66 if ( $meta_key && ( has_filter( "auth_user_meta_{$meta_key}" ) ) ) { 67 /** 68 * Filters whether the user is allowed to add user meta to a user. 69 * 70 * The dynamic portion of the hook name, `$meta_key`, refers to the 71 * meta key passed to map_meta_cap(). 72 * 73 * @since 4.7.0 74 * 75 * @param bool $allowed Whether the user can add the user meta. Default false. 76 * @param string $meta_key The meta key. 77 * @param int $user->ID The user being edited. 78 * @param int $user_id User ID. 79 * @param string $cap Capability name. 80 * @param array $caps User capabilities. 81 */ 82 $allowed = apply_filters( "auth_user_meta_{$meta_key}", false, $meta_key, $user->ID, $user_id, $cap, $caps ); 83 84 if ( ! $allowed ){ 85 $caps[] = 'do_not_allow'; 86 } 87 } elseif ( $user->ID === $user_id ) { 88 // If you can edit yourself, you can edit your meta. 89 $caps = map_meta_cap( 'edit_user', $user_id, $user->ID ); 90 } 91 else { 92 // The default is requiring the capability itself. 93 $caps[] = $cap; 94 } 95 break; 96 54 97 case 'delete_post': 55 98 case 'delete_page': 56 99 $post = get_post( $args[0] ); … … 242 285 case 'edit_post_meta': 243 286 case 'delete_post_meta': 244 287 case 'add_post_meta': 245 $post = get_post( $args[0] );288 $post = ( ! empty( $args ) && ! empty( $args[0] ) ) ? get_post( $args[0] ) : false; 246 289 if ( ! $post ) { 247 290 $caps[] = 'do_not_allow'; 248 291 break; 249 292 } 250 251 293 $post_type = get_post_type( $post ); 252 294 253 $caps = map_meta_cap( 'edit_post', $user_id, $post->ID );254 255 295 $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false; 256 296 257 297 if ( $meta_key && ( has_filter( "auth_post_meta_{$meta_key}" ) || has_filter( "auth_post_{$post_type}_meta_{$meta_key}" ) ) ) { … … 289 329 */ 290 330 $allowed = apply_filters( "auth_post_{$post_type}_meta_{$meta_key}", $allowed, $meta_key, $post->ID, $user_id, $cap, $caps ); 291 331 292 if ( ! $allowed ) 293 $caps[] = $cap; 332 if ( ! $allowed ){ 333 $caps[] = 'do_not_allow'; 334 } 294 335 } elseif ( $meta_key && is_protected_meta( $meta_key, 'post' ) ) { 336 $caps[] = 'do_not_allow'; 337 } elseif ( (int)$post->post_author === (int)$user_id ) { 338 // If you're the author, you can edit your own post if you're allowed 339 $caps = map_meta_cap( 'edit_post', $user_id, $post->ID ); 340 } else { 341 // The default is requiring the capability itself. 295 342 $caps[] = $cap; 296 343 } 297 344 break; 298 345 case 'edit_comment': 299 346 $comment = get_comment( $args[0] ); 347 300 348 if ( ! $comment ) { 301 349 $caps[] = 'do_not_allow'; 302 350 break; … … 314 362 $caps = map_meta_cap( 'edit_posts', $user_id ); 315 363 } 316 364 break; 365 case 'edit_comment_meta': 366 case 'delete_comment_meta': 367 case 'add_comment_meta': 368 $comment = ( ! empty( $args ) && ! empty( $args[0] ) ) ? get_comment( $args[0] ) : false; 369 if ( ! $comment ) { 370 $caps[] = 'do_not_allow'; 371 break; 372 } 373 374 $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false; 375 376 if ( $meta_key && ( has_filter( "auth_comment_meta_{$meta_key}" ) ) ) { 377 /** 378 * Filters whether the user is allowed to add comment meta to a comment. 379 * 380 * The dynamic portion of the hook name, `$meta_key`, refers to the 381 * meta key passed to map_meta_cap(). 382 * 383 * @since 4.7.0 384 * 385 * @param bool $allowed Whether the user can add the comment meta. Default false. 386 * @param string $meta_key The meta key. 387 * @param int $comment_id Comment ID. 388 * @param int $user_id User ID. 389 * @param string $cap Capability name. 390 * @param array $caps User capabilities. 391 */ 392 $allowed = apply_filters( "auth_comment_meta_{$meta_key}", false, $meta_key, $comment->comment_post_ID, $user_id, $cap, $caps ); 393 394 if ( ! $allowed ){ 395 $caps[] = 'do_not_allow'; 396 } 397 } elseif( !empty( $comment->user_id ) && ( $comment->user_id === $user_id ) ){ 398 // If there is no auth_callback, you can only edit the meta for comments you can edit. 399 $caps = map_meta_cap( 'edit_comment', $user_id, $comment->comment_ID ); 400 } 401 else { 402 // The default is requiring the capability itself. 403 $caps[] = $cap; 404 } 405 break; 317 406 case 'unfiltered_upload': 318 407 if ( defined('ALLOW_UNFILTERED_UPLOADS') && ALLOW_UNFILTERED_UPLOADS && ( !is_multisite() || is_super_admin( $user_id ) ) ) 319 408 $caps[] = $cap; … … 428 517 $caps = map_meta_cap( $tax->cap->$taxo_cap, $user_id, $term_id ); 429 518 430 519 break; 520 case 'edit_term_meta': 521 case 'delete_term_meta': 522 case 'add_term_meta': 523 $term_id = ( ! empty( $args ) && ! empty( $args[0] ) ) ? (int)$args[0] : false; 524 $term = ( ! empty( $term_id ) ) ? get_term( $term_id ) : false; 525 if ( ! $term || is_wp_error( $term ) ) { 526 $caps[] = 'do_not_allow'; 527 break; 528 } 529 530 $meta_key = isset( $args[ 1 ] ) ? $args[ 1 ] : false; 531 532 if ( $meta_key && ( has_filter( "auth_term_meta_{$meta_key}" ) ) ) { 533 /** 534 * Filters whether the user is allowed to add term meta to a term. 535 * 536 * The dynamic portion of the hook name, `$meta_key`, refers to the 537 * meta key passed to map_meta_cap(). 538 * 539 * @since 4.7.0 540 * 541 * @param bool $allowed Whether the user can add the term meta. Default false. 542 * @param string $meta_key The meta key. 543 * @param int $term_id Term ID. 544 * @param int $user_id User ID. 545 * @param string $cap Capability name. 546 * @param array $caps User capabilities. 547 */ 548 $allowed = apply_filters( "auth_term_meta_{$meta_key}", false, $meta_key, $term_id, $user_id, $cap, $caps ); 549 if ( ! $allowed ){ 550 $caps[] = 'do_not_allow'; 551 } 552 } else { 553 // The default is requiring the capability itself. 554 $caps[] = $cap; 555 } 556 break; 431 557 case 'manage_post_tags': 432 558 case 'edit_categories': 433 559 case 'edit_post_tags': -
src/wp-includes/meta.php
1038 1038 if ( empty( $args['auth_callback'] ) ) { 1039 1039 if ( is_protected_meta( $meta_key, $object_type ) ) { 1040 1040 $args['auth_callback'] = '__return_false'; 1041 } else { 1042 $args['auth_callback'] = '__return_true'; 1043 } 1041 } 1044 1042 } 1045 1043 1046 1044 // Back-compat: old sanitize and auth callbacks are applied to all of an object type. -
tests/phpunit/tests/comment/editCommentMeta.php
1 <?php 2 3 /** 4 * @group comment 5 * @group meta 6 */ 7 class Tests_Edit_Comment_Meta extends WP_UnitTestCase { 8 9 public function test_edit_comment_meta_cap(){ 10 11 $u1 = self::factory()->user->create( array( 'role' => 'administrator' ) ); 12 $u2 = self::factory()->user->create( array( 'role' => 'author' ) ); 13 $p = self::factory()->post->create( array( 'post_status' => 'publish' ) ); 14 $c_id = self::factory()->comment->create_post_comments( $p ); 15 16 register_meta( 'comment', 'flag', array() ); 17 18 wp_set_current_user( $u1 ); 19 $admin_update = false; 20 if( current_user_can( 'edit_comment_meta', $c_id[0], 'flag' ) ){ 21 $admin_update = update_comment_meta( $c_id[0], 'flag', 'yes' ); 22 } 23 $this->assertNotEmpty( $admin_update ); 24 25 wp_set_current_user( $u2 ); 26 $auth_update = false; 27 if( current_user_can( 'edit_comment_meta', $c_id[0], 'flag' ) ){ 28 $auth_update = update_comment_meta( $c_id[0], 'flag', 'no' ); 29 } 30 $this->assertFalse( $auth_update ); 31 32 unregister_meta_key( 'comment', 'flag' ); 33 34 } 35 36 public function test_edit_comment_meta_with_auth_callback(){ 37 38 $u1 = self::factory()->user->create( array( 'role' => 'administrator' ) ); 39 $u2 = self::factory()->user->create( array( 'role' => 'author' ) ); 40 $p = self::factory()->post->create( array( 'post_status' => 'publish' ) ); 41 $c_id = self::factory()->comment->create_post_comments( $p, 1 ); 42 43 $args1 = array( 44 'auth_callback' => array( $this, 'test_edit_comment_meta_auth_callback_false' ) 45 ); 46 47 $args2 = array( 48 'auth_callback' => array( $this, 'test_edit_comment_meta_auth_callback_true' ) 49 ); 50 51 register_meta( 'comment', 'worthy', $args1 ); 52 register_meta( 'comment', 'notworthy', $args2 ); 53 54 wp_set_current_user( $u1 ); 55 $admin_update = false; 56 if( current_user_can( 'edit_comment_meta', $c_id[0], 'worthy' ) ){ 57 $admin_update = update_comment_meta( $c_id[0], 'worthy', 'no' ); 58 } 59 $this->assertFalse( $admin_update ); 60 61 wp_set_current_user( $u2 ); 62 $auth_update = false; 63 if( current_user_can( 'edit_comment_meta', $c_id[0], 'notworthy' ) ){ 64 $auth_update = update_comment_meta( $c_id[0], 'notworthy', 'no' ); 65 } 66 $this->assertNotEmpty( $auth_update ); 67 68 unregister_meta_key( 'comment', 'worthy' ); 69 unregister_meta_key( 'comment', 'notworthy' ); 70 71 } 72 73 public function test_user_can_edit_own_comment_meta_as_default(){ 74 75 $u1 = self::factory()->user->create( array( 'role' => 'author' ) ); 76 $u2 = self::factory()->user->create( array( 'role' => 'author' ) ); 77 $p = self::factory()->post->create( array( 'post_status' => 'publish', 'post_author' => $u2 ) ); 78 $c_id = self::factory()->comment->create_post_comments( $p, 1, array( 'user_id' => $u1 ) ); 79 80 register_meta( 'comment', 'reaction', array() ); 81 82 wp_set_current_user( $u1 ); 83 $update = false; 84 if( current_user_can( 'edit_comment_meta', $c_id[0], 'reaction' ) ){ 85 $update = update_comment_meta( $c_id[0], 'reaction', 'U+1F600' ); 86 } 87 $this->assertFalse( $update ); 88 89 unregister_meta_key( 'comment', 'reaction' ); 90 91 } 92 93 public function test_edit_comment_meta_auth_callback_false(){ 94 return false; 95 } 96 97 public function test_edit_comment_meta_auth_callback_true(){ 98 return true; 99 } 100 } -
tests/phpunit/tests/meta/registerMeta.php
74 74 'description' => '', 75 75 'single' => false, 76 76 'sanitize_callback' => null, 77 'auth_callback' => '__return_true',77 'auth_callback' => null, 78 78 'show_in_rest' => false, 79 79 ), 80 80 ), … … 96 96 'description' => '', 97 97 'single' => false, 98 98 'sanitize_callback' => null, 99 'auth_callback' => '__return_true',99 'auth_callback' => null, 100 100 'show_in_rest' => false, 101 101 ), 102 102 ), … … 148 148 'description' => '', 149 149 'single' => false, 150 150 'sanitize_callback' => array( $this, '_new_sanitize_meta_cb' ), 151 'auth_callback' => '__return_true',151 'auth_callback' => null, 152 152 'show_in_rest' => false, 153 153 ), 154 154 ), -
tests/phpunit/tests/post/meta.php
237 237 $this->assertEquals($funky_meta, get_post_meta($this->post_id, 'test_funky_post_meta', true)); 238 238 239 239 } 240 241 public function test_edit_term_meta_cap(){ 242 $p = self::factory()->post->create( array( 'post_status' => 'publish' ) ); 243 $u1 = self::factory()->user->create( array( 'role' => 'administrator' ) ); 244 $u2 = self::factory()->user->create( array( 'role' => 'author' ) ); 245 246 register_meta( 'post', 'foo', array() ); 247 248 wp_set_current_user( $u1 ); 249 $admin_update = false; 250 if( current_user_can( 'edit_post_meta', $p, 'foo' ) ){ 251 $admin_update = update_term_meta( $p, 'foo', 'bar1' ); 252 } 253 $this->assertNotEmpty( $admin_update ); 254 255 wp_set_current_user( $u2 ); 256 $auth_update = false; 257 if( current_user_can( 'edit_post_meta', $p, 'foo' ) ){ 258 $auth_update = update_term_meta( $p, 'foo', 'bar2' ); 259 } 260 $this->assertFalse( $auth_update ); 261 262 unregister_meta_key( 'post', 'foo' ); 263 264 } 265 266 public function test_edit_post_meta_with_auth_callback(){ 267 $p = self::factory()->post->create( array( 'post_status' => 'publish' ) ); 268 $u1 = self::factory()->user->create( array( 'role' => 'administrator' ) ); 269 $u2 = self::factory()->user->create( array( 'role' => 'author' ) ); 270 271 $args1 = array( 272 'auth_callback' => array( $this, 'test_edit_post_meta_auth_callback_false' ) 273 ); 274 275 $args2 = array( 276 'auth_callback' => array( $this, 'test_edit_post_meta_auth_callback_true' ) 277 ); 278 279 register_meta( 'post', 'foo1', $args1 ); 280 register_meta( 'post', 'foo2', $args2 ); 281 282 wp_set_current_user( $u1 ); 283 $admin_update = false; 284 if( current_user_can( 'edit_post_meta', $p, 'foo1' ) ){ 285 $admin_update = update_term_meta( $p, 'foo1', 'bar1' ); 286 } 287 $this->assertFalse( $admin_update ); 288 289 wp_set_current_user( $u2 ); 290 $auth_update = false; 291 if( current_user_can( 'edit_post_meta', $p, 'foo2' ) ){ 292 $auth_update = update_term_meta( $p, 'foo2', 'bar2' ); 293 } 294 $this->assertNotEmpty( $auth_update ); 295 296 unregister_meta_key( 'post', 'foo1' ); 297 unregister_meta_key( 'post', 'foo2' ); 298 299 } 300 301 public function test_user_can_edit_own_post_meta_as_default(){ 302 303 $u = self::factory()->user->create( array( 'role' => 'author' ) ); 304 $p = self::factory()->post->create( array( 'post_status' => 'publish', 'post_author' => $u ) ); 305 306 register_meta( 'post', 'foo', array() ); 307 308 wp_set_current_user( $u ); 309 $update = false; 310 if( current_user_can( 'edit_post_meta', $p, 'foo' ) ){ 311 $update = update_post_meta( $p, 'foo', 'bar' ); 312 } 313 $this->assertNotEmpty( $update ); 314 315 unregister_meta_key( 'post', 'foo' ); 316 317 } 318 319 public function test_edit_post_meta_auth_callback_false(){ 320 return false; 321 } 322 323 public function test_edit_post_meta_auth_callback_true(){ 324 return true; 325 } 240 326 } -
tests/phpunit/tests/term/meta.php
407 407 public static function set_cache_results( $q ) { 408 408 $q->set( 'cache_results', true ); 409 409 } 410 411 public function test_edit_term_meta_cap(){ 412 $t = self::factory()->term->create( array( 'taxonomy' => 'wptests_tax' ) ); 413 $u1 = self::factory()->user->create( array( 'role' => 'administrator' ) ); 414 $u2 = self::factory()->user->create( array( 'role' => 'author' ) ); 415 416 register_meta( 'term', 'foo', array() ); 417 418 wp_set_current_user( $u1 ); 419 $admin_update = false; 420 if( current_user_can( 'edit_term_meta', $t, 'foo' ) ){ 421 $admin_update = update_term_meta( $t, 'foo', 'bar1' ); 422 } 423 $this->assertNotEmpty( $admin_update ); 424 425 wp_set_current_user( $u2 ); 426 $auth_update = false; 427 if( current_user_can( 'edit_term_meta', $t, 'foo' ) ){ 428 $auth_update = update_term_meta( $t, 'foo', 'bar2' ); 429 } 430 $this->assertFalse( $auth_update ); 431 432 unregister_meta_key( 'term', 'foo' ); 433 434 } 435 436 public function test_edit_term_meta_with_auth_callback(){ 437 $t = self::factory()->term->create( array( 'taxonomy' => 'wptests_tax' ) ); 438 $u1 = self::factory()->user->create( array( 'role' => 'administrator' ) ); 439 $u2 = self::factory()->user->create( array( 'role' => 'author' ) ); 440 441 $args1 = array( 442 'auth_callback' => array( $this, 'test_edit_term_meta_auth_callback_false' ) 443 ); 444 445 $args2 = array( 446 'auth_callback' => array( $this, 'test_edit_term_meta_auth_callback_true' ) 447 ); 448 449 register_meta( 'term', 'foo1', $args1 ); 450 register_meta( 'term', 'foo2', $args2 ); 451 452 wp_set_current_user( $u1 ); 453 $admin_update = false; 454 if( current_user_can( 'edit_term_meta', $t, 'foo1' ) ){ 455 $admin_update = update_term_meta( $t, 'foo1', 'bar1' ); 456 } 457 $this->assertFalse( $admin_update ); 458 459 wp_set_current_user( $u2 ); 460 $auth_update = false; 461 if( current_user_can( 'edit_term_meta', $t, 'foo2' ) ){ 462 $auth_update = update_term_meta( $t, 'foo2', 'bar2' ); 463 } 464 $this->assertNotEmpty( $auth_update ); 465 466 unregister_meta_key( 'term', 'foo1' ); 467 unregister_meta_key( 'term', 'foo2' ); 468 469 } 470 471 public function test_edit_term_meta_auth_callback_false(){ 472 return false; 473 } 474 475 public function test_edit_term_meta_auth_callback_true(){ 476 return true; 477 } 410 478 } -
tests/phpunit/tests/user/capabilities.php
314 314 // `manage_links` is a special case 315 315 $user_caps['manage_links'], 316 316 // `unfiltered_upload` is a special case 317 $user_caps['unfiltered_upload'] 317 $user_caps['unfiltered_upload'], 318 // All of the object type meta capabilities are special cases. They are primitive capabilities but depend on a particular object. 319 $user_caps['edit_term_meta'], 320 $user_caps['add_term_meta'], 321 $user_caps['delete_term_meta'], 322 $user_caps['edit_post_meta'], 323 $user_caps['add_post_meta'], 324 $user_caps['delete_post_meta'], 325 $user_caps['edit_user_meta'], 326 $user_caps['add_user_meta'], 327 $user_caps['delete_user_meta'], 328 $user_caps['edit_comment_meta'], 329 $user_caps['add_comment_meta'], 330 $user_caps['delete_comment_meta'] 318 331 ); 319 332 320 333 $diff = array_diff( array_keys( $user_caps ), array_keys( $caps ) ); … … 350 363 // `manage_links` is a special case in the caps tests: 351 364 $expected['manage_links'], 352 365 // `unfiltered_upload` is a special case in the caps tests: 353 $expected['unfiltered_upload'] 366 $expected['unfiltered_upload'], 367 // All of the object type meta capabilities are special cases. They are primitive capabilities but depend on a particular object. 368 $expected['edit_term_meta'], 369 $expected['add_term_meta'], 370 $expected['delete_term_meta'], 371 $expected['edit_post_meta'], 372 $expected['add_post_meta'], 373 $expected['delete_post_meta'], 374 $expected['edit_user_meta'], 375 $expected['add_user_meta'], 376 $expected['delete_user_meta'], 377 $expected['edit_comment_meta'], 378 $expected['add_comment_meta'], 379 $expected['delete_comment_meta'] 354 380 ); 355 381 356 382 $expected = array_keys( $expected ); … … 405 431 // Singular object meta capabilities (where an object ID is passed) are not tested: 406 432 $expected['remove_user'], 407 433 $expected['promote_user'], 408 $expected['edit_user'], 434 $expected['edit_user'], 409 435 $expected['delete_post'], 410 436 $expected['delete_page'], 411 437 $expected['edit_post'], … … 413 439 $expected['read_post'], 414 440 $expected['read_page'], 415 441 $expected['publish_post'], 416 $expected['edit_post_meta'],417 $expected['delete_post_meta'],418 $expected['add_post_meta'],419 442 $expected['edit_comment'], 420 443 $expected['edit_term'], 421 444 $expected['delete_term'], 422 $expected['assign_term'], 423 $expected['delete_user'] 445 $expected['assign_term'], 446 $expected['delete_user'], 447 $expected['edit_term_meta'], 448 $expected['add_term_meta'], 449 $expected['delete_term_meta'], 450 $expected['edit_comment_meta'], 451 $expected['add_comment_meta'], 452 $expected['delete_comment_meta'], 453 $expected['edit_post_meta'], 454 $expected['add_post_meta'], 455 $expected['delete_post_meta'], 456 $expected['edit_user_meta'], 457 $expected['add_user_meta'], 458 $expected['delete_user_meta'] 424 459 ); 425 460 426 461 $expected = array_keys( $expected ); -
tests/phpunit/tests/user/editUserMeta.php
1 <?php 2 3 /** 4 * @group user 5 * @group meta 6 */ 7 class Tests_Edit_User_Meta extends WP_UnitTestCase { 8 9 public function test_edit_user_meta_cap(){ 10 11 $u1 = self::factory()->user->create( array( 'role' => 'administrator' ) ); 12 $u2 = self::factory()->user->create( array( 'role' => 'author' ) ); 13 $u_edit = self::factory()->user->create( array( 'role' => 'author' ) ); 14 15 register_meta( 'user', 'spammer', array() ); 16 17 wp_set_current_user( $u1 ); 18 $admin_update = false; 19 if( current_user_can( 'edit_user_meta', $u_edit, 'spammer' ) ){ 20 $admin_update = update_user_meta( $u_edit, 'spammer', 'yes' ); 21 } 22 $this->assertNotEmpty( $admin_update ); 23 24 wp_set_current_user( $u2 ); 25 $auth_update = false; 26 if( current_user_can( 'edit_user_meta', $u_edit, 'spammer' ) ){ 27 $auth_update = update_user_meta( $u_edit, 'spammer', 'no' ); 28 } 29 $this->assertFalse( $auth_update ); 30 31 unregister_meta_key( 'user', 'spammer' ); 32 33 } 34 35 public function test_edit_user_meta_with_auth_callback(){ 36 37 $u1 = self::factory()->user->create( array( 'role' => 'administrator' ) ); 38 $u2 = self::factory()->user->create( array( 'role' => 'author' ) ); 39 $u_edit = self::factory()->user->create( array( 'role' => 'author' ) ); 40 41 $args1 = array( 42 'auth_callback' => array( $this, 'test_edit_user_meta_auth_callback_false' ) 43 ); 44 45 $args2 = array( 46 'auth_callback' => array( $this, 'test_edit_user_meta_auth_callback_true' ) 47 ); 48 49 register_meta( 'user', 'flagged', $args1 ); 50 register_meta( 'user', 'alright', $args2 ); 51 52 wp_set_current_user( $u1 ); 53 $admin_update = false; 54 if( current_user_can( 'edit_user_meta', $u_edit, 'flagged' ) ){ 55 $admin_update = update_user_meta( $u_edit, 'flagged', 'no' ); 56 } 57 $this->assertFalse( $admin_update ); 58 59 wp_set_current_user( $u2 ); 60 $auth_update = false; 61 if( current_user_can( 'edit_user_meta', $u_edit, 'alright' ) ){ 62 $auth_update = update_user_meta( $u_edit, 'alright', 'no' ); 63 } 64 $this->assertNotEmpty( $auth_update ); 65 66 unregister_meta_key( 'user', 'flagged' ); 67 unregister_meta_key( 'user', 'alright' ); 68 69 } 70 71 public function test_user_can_edit_own_user_meta_as_default(){ 72 73 $u = self::factory()->user->create( array( 'role' => 'author' ) ); 74 75 register_meta( 'user', 'address', array() ); 76 77 wp_set_current_user( $u ); 78 $self_update = false; 79 if( current_user_can( 'edit_user_meta', $u, 'address' ) ){ 80 $self_update = update_user_meta( $u, 'address', 'home' ); 81 } 82 $this->assertNotEmpty( $self_update ); 83 84 unregister_meta_key( 'user', 'address' ); 85 86 } 87 88 public function test_edit_user_meta_auth_callback_false(){ 89 return false; 90 } 91 92 public function test_edit_user_meta_auth_callback_true(){ 93 return true; 94 } 95 }