Ticket #38521: 38521.3.diff
| File 38521.3.diff, 10.0 KB (added by , 9 years ago) |
|---|
src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
95 95 ) ); 96 96 97 97 register_rest_route( $this->namespace, '/' . $this->rest_base . '/me', array( 98 'methods' => WP_REST_Server::READABLE, 99 'callback' => array( $this, 'get_current_item' ), 100 'args' => array( 101 'context' => array(), 98 array( 99 'methods' => WP_REST_Server::READABLE, 100 'callback' => array( $this, 'get_current_item' ), 101 'args' => array( 102 'context' => array(), 103 ), 104 ), 105 array( 106 'methods' => WP_REST_Server::EDITABLE, 107 'callback' => array( $this, 'update_current_item' ), 108 'permission_callback' => array( $this, 'update_current_item_permissions_check' ), 109 'args' => $this->get_endpoint_args_for_item_schema( WP_REST_Server::EDITABLE ), 110 ), 111 array( 112 'methods' => WP_REST_Server::DELETABLE, 113 'callback' => array( $this, 'delete_current_item' ), 114 'permission_callback' => array( $this, 'delete_current_item_permissions_check' ), 115 'args' => array( 116 'force' => array( 117 'default' => false, 118 'description' => __( 'Required to be true, as resource does not support trashing.' ), 119 ), 120 'reassign' => array(), 121 ), 102 122 ), 103 123 'schema' => array( $this, 'get_public_item_schema' ), 104 124 )); … … 343 363 $response = $this->prepare_item_for_response( $user, $request ); 344 364 $response = rest_ensure_response( $response ); 345 365 346 $response->header( 'Location', rest_url( sprintf( '%s/%s/%d', $this->namespace, $this->rest_base, $current_user_id ) ) );347 $response->set_status( 302 );348 349 366 return $response; 350 367 } 351 368 … … 570 587 } 571 588 572 589 /** 590 * Checks if a given request has access to update the current user. 591 * 592 * @since 4.7.0 593 * @access public 594 * 595 * @param WP_REST_Request $request Full details about the request. 596 * @return true|WP_Error True if the request has access to update the item, WP_Error object otherwise. 
597 */ 598 public function update_current_item_permissions_check( $request ) { 599 $request['id'] = get_current_user_id(); 600 601 return $this->update_item_permissions_check( $request ); 602 } 603 604 /** 605 * Updates the current user. 606 * 607 * @since 4.7.0 608 * @access public 609 * 610 * @param WP_REST_Request $request Full details about the request. 611 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure. 612 */ 613 function update_current_item( $request ) { 614 $request['id'] = get_current_user_id(); 615 616 return $this->update_item( $request ); 617 } 618 619 /** 573 620 * Checks if a given request has access delete a user. 574 621 * 575 622 * @since 4.7.0 … … 648 695 } 649 696 650 697 /** 698 * Checks if a given request has access to delete the current user. 699 * 700 * @since 4.7.0 701 * @access public 702 * 703 * @param WP_REST_Request $request Full details about the request. 704 * @return true|WP_Error True if the request has access to delete the item, WP_Error object otherwise. 705 */ 706 public function delete_current_item_permissions_check( $request ) { 707 $request['id'] = get_current_user_id(); 708 709 return $this->delete_item_permissions_check( $request ); 710 } 711 712 /** 713 * Deletes the current user. 714 * 715 * @since 4.7.0 716 * @access public 717 * 718 * @param WP_REST_Request $request Full details about the request. 719 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure. 720 */ 721 function delete_current_item( $request ) { 722 $request['id'] = get_current_user_id(); 723 724 return $this->delete_item( $request ); 725 } 726 727 /** 651 728 * Prepares a single user output for response. 652 729 * 653 730 * @since 4.7.0 -
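Review bot: The two new action methods at new lines 613 and 721 are declared without a visibility keyword (`function update_current_item( $request ) {` and `function delete_current_item( $request ) {`) while their docblocks say `@access public` and the sibling permission checks at 598 and 706 are `public function`; they should read `public function update_current_item( $request ) {` and `public function delete_current_item( $request ) {` to match the rest of the controller. Both methods overwrite `$request['id']` with `get_current_user_id()` before delegating, which is the right shape, since a client-supplied `id` can never be honoured on the `/me` route; it is worth a one-line comment such as `// Always act on the authenticated user; ignore any client-supplied id.` above each assignment so the intent survives refactoring. For an unauthenticated request `get_current_user_id()` returns 0, so the security of these routes rests entirely on `update_item_permissions_check` and `delete_item_permissions_check` (outside this hunk) rejecting id 0 — presumably they do via `current_user_can`, but that path deserves an explicit test. The enclosing class and the `get_current_item` method whose tail appears in the 343–350 hunk start outside this hunk.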
tests/phpunit/tests/rest-api/rest-users-controller.php
635 635 $request = new WP_REST_Request( 'GET', '/wp/v2/users/me' ); 636 636 637 637 $response = $this->server->dispatch( $request ); 638 $this->assertEquals( 302, $response->get_status() );638 $this->assertEquals( 200, $response->get_status() ); 639 639 640 640 $headers = $response->get_headers(); 641 $this->assertArrayHasKey( 'Location', $headers ); 642 $this->assertEquals( rest_url( 'wp/v2/users/' . self::$user ), $headers['Location'] ); 641 $this->assertArrayNotHasKey( 'Location', $headers ); 642 643 $links = $response->get_links(); 644 $this->assertEquals( rest_url( 'wp/v2/users/' . self::$user ), $links['self'][0]['href'] ); 643 645 } 644 646 645 647 public function test_get_current_user_without_permission() { … … 918 920 $user = get_userdata( self::$editor ); 919 921 $this->assertArrayHasKey( 'editor', $user->caps ); 920 922 $this->assertArrayNotHasKey( 'administrator', $user->caps ); 923 924 $request = new WP_REST_Request( 'PUT', '/wp/v2/users/me' ); 925 $request->set_param( 'roles', array( 'administrator' ) ); 926 $response = $this->server->dispatch( $request ); 927 928 $this->assertErrorResponse( 'rest_cannot_edit_roles', $response, 403 ); 929 $user = get_userdata( self::$editor ); 930 $this->assertArrayHasKey( 'editor', $user->caps ); 931 $this->assertArrayNotHasKey( 'administrator', $user->caps ); 921 932 } 922 933 923 934 public function test_update_user_role_invalid_privilege_deescalation() { … … 938 949 $user = get_userdata( $user_id ); 939 950 $this->assertArrayHasKey( 'administrator', $user->caps ); 940 951 $this->assertArrayNotHasKey( 'editor', $user->caps ); 952 953 $request = new WP_REST_Request( 'PUT', '/wp/v2/users/me' ); 954 $request->set_param( 'roles', array( 'editor' ) ); 955 $response = $this->server->dispatch( $request ); 956 957 $this->assertErrorResponse( 'rest_user_invalid_role', $response, 403 ); 958 959 $user = get_userdata( $user_id ); 960 $this->assertArrayHasKey( 'administrator', $user->caps ); 961 $this->assertArrayNotHasKey( 
'editor', $user->caps ); 941 962 } 942 963 943 964 public function test_update_user_role_privilege_deescalation_multisite() { … … 958 979 $new_data = $response->get_data(); 959 980 $this->assertEquals( 'editor', $new_data['roles'][0] ); 960 981 $this->assertNotEquals( 'administrator', $new_data['roles'][0] ); 982 983 $user_id = $this->factory->user->create( array( 'role' => 'administrator' ) ); 984 985 wp_set_current_user( $user_id ); 986 $user = wp_get_current_user(); 987 update_site_option( 'site_admins', array( $user->user_login ) ); 988 989 $request = new WP_REST_Request( 'PUT', '/wp/v2/users/me' ); 990 $request->set_param( 'roles', array( 'editor' ) ); 991 $response = $this->server->dispatch( $request ); 992 993 $new_data = $response->get_data(); 994 $this->assertEquals( 'editor', $new_data['roles'][0] ); 995 $this->assertNotEquals( 'administrator', $new_data['roles'][0] ); 961 996 } 962 997 963 998 … … 974 1009 $user = get_userdata( self::$editor ); 975 1010 $this->assertArrayHasKey( 'editor', $user->caps ); 976 1011 $this->assertArrayNotHasKey( 'BeSharp', $user->caps ); 1012 1013 $request = new WP_REST_Request( 'PUT', '/wp/v2/users/me' ); 1014 $request->set_param( 'roles', array( 'BeSharp' ) ); 1015 $response = $this->server->dispatch( $request ); 1016 1017 $this->assertErrorResponse( 'rest_user_invalid_role', $response, 400 ); 1018 1019 $user = get_userdata( self::$editor ); 1020 $this->assertArrayHasKey( 'editor', $user->caps ); 1021 $this->assertArrayNotHasKey( 'BeSharp', $user->caps ); 977 1022 } 978 1023 979 1024 public function test_update_user_without_permission() { … … 991 1036 $response = $this->server->dispatch( $request ); 992 1037 993 1038 $this->assertErrorResponse( 'rest_cannot_edit', $response, 403 ); 1039 1040 $request = new WP_REST_Request( 'PUT', '/wp/v2/users/me' ); 1041 $request->add_header( 'content-type', 'application/x-www-form-urlencoded' ); 1042 $request->set_body_params( $params ); 1043 $response = $this->server->dispatch( $request 
); 1044 1045 $this->assertErrorResponse( 'rest_user_invalid_argument', $response, 400 ); 994 1046 } 995 1047 996 1048 public function test_update_user_invalid_id() { … … 1028 1080 $this->assertEquals( 'Deleted User', $data['name'] ); 1029 1081 } 1030 1082 1083 public function test_delete_current_item() { 1084 $user_id = $this->factory->user->create( array( 'role' => 'administrator', 'display_name' => 'Deleted User' ) ); 1085 1086 wp_set_current_user( $user_id ); 1087 $user = wp_get_current_user(); 1088 update_site_option( 'site_admins', array( $user->user_login ) ); 1089 1090 $request = new WP_REST_Request( 'DELETE', '/wp/v2/users/me' ); 1091 $request['force'] = true; 1092 $response = $this->server->dispatch( $request ); 1093 1094 $this->assertEquals( 200, $response->get_status() ); 1095 $data = $response->get_data(); 1096 $this->assertEquals( 'Deleted User', $data['name'] ); 1097 } 1098 1031 1099 public function test_delete_item_no_trash() { 1032 1100 $user_id = $this->factory->user->create( array( 'display_name' => 'Deleted User' ) ); 1033 1101 … … 1044 1112 $this->assertNotEmpty( $user ); 1045 1113 } 1046 1114 1115 public function test_delete_current_item_no_trash() { 1116 $user_id = $this->factory->user->create( array( 'role' => 'administrator' ) ); 1117 1118 wp_set_current_user( $user_id ); 1119 $user = wp_get_current_user(); 1120 update_site_option( 'site_admins', array( $user->user_login ) ); 1121 1122 $userdata = get_userdata( $user_id ); // cache for later 1123 $request = new WP_REST_Request( 'DELETE', '/wp/v2/users/me' ); 1124 $response = $this->server->dispatch( $request ); 1125 $this->assertErrorResponse( 'rest_trash_not_supported', $response, 501 ); 1126 1127 // Ensure the user still exists 1128 $user = get_user_by( 'id', $user_id ); 1129 $this->assertNotEmpty( $user ); 1130 } 1131 1047 1132 public function test_delete_user_without_permission() { 1048 1133 $user_id = $this->factory->user->create(); 1049 1134 … … 1054 1139 $request['force'] = true; 1055 
1140 $response = $this->server->dispatch( $request ); 1056 1141 1142 $this->assertErrorResponse( 'rest_user_cannot_delete', $response, 403 ); 1143 1144 $request = new WP_REST_Request( 'DELETE', '/wp/v2/users/me' ); 1145 $request['force'] = true; 1146 $response = $this->server->dispatch( $request ); 1147 1057 1148 $this->assertErrorResponse( 'rest_user_cannot_delete', $response, 403 ); 1058 1149 } 1059 1150
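Review bot: None of the added tests exercises the new `/me` write routes with no authenticated user, even though the controller maps `/me` to `get_current_user_id()`, which is 0 when nobody is logged in; the closest case, `test_delete_user_without_permission` at 1144–1148, runs as a logged-in user. The added `PUT /wp/v2/users/me` half of `test_update_user_without_permission` (1040–1045) also passes because the update is rejected with `rest_user_invalid_argument`, not because a permission check fired, so it does not prove the permission callback runs for `/me`. A dedicated test should set the current user to 0 and assert both the PUT and DELETE `/me` requests are refused with the same error codes the id-based routes return (`rest_cannot_edit` and `rest_user_cannot_delete`); the expected status should be checked against what the permission callbacks actually return for an anonymous caller. Each test method shown here is complete within its hunk.
```php
public function test_update_and_delete_current_item_logged_out() {
	wp_set_current_user( 0 );

	$request = new WP_REST_Request( 'PUT', '/wp/v2/users/me' );
	$request->set_param( 'name', 'Anonymous' );
	$response = $this->server->dispatch( $request );
	// Expected status to be confirmed against update_item_permissions_check.
	$this->assertErrorResponse( 'rest_cannot_edit', $response, rest_authorization_required_code() );

	$request = new WP_REST_Request( 'DELETE', '/wp/v2/users/me' );
	$request['force'] = true;
	$response = $this->server->dispatch( $request );
	$this->assertErrorResponse( 'rest_user_cannot_delete', $response, rest_authorization_required_code() );
}
```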