| 724 | public function test_create_item_invalid_username() { |
| 725 | $this->allow_user_to_manage_multisite(); |
| 726 | wp_set_current_user( self::$user ); |
| 727 | |
| 728 | $params = array( |
| 729 | 'username' => '¯\_(ツ)_/¯', |
| 730 | 'password' => 'testpassword', |
| 731 | 'email' => 'test@example.com', |
| 732 | 'name' => 'Test User', |
| 733 | 'nickname' => 'testuser', |
| 734 | 'slug' => 'test-user', |
| 735 | 'roles' => array( 'editor' ), |
| 736 | 'description' => 'New API User', |
| 737 | 'url' => 'http://example.com', |
| 738 | ); |
| 739 | |
| 740 | // Username rules are different (more strict) for multisite; see `wpmu_validate_user_signup` |
| 741 | if ( is_multisite() ) { |
| 742 | $params['username'] = 'no-dashes-allowed'; |
| 743 | } |
| 744 | |
| 745 | $request = new WP_REST_Request( 'POST', '/wp/v2/users' ); |
| 746 | $request->add_header( 'content-type', 'application/x-www-form-urlencoded' ); |
| 747 | $request->set_body_params( $params ); |
| 748 | |
| 749 | $response = $this->server->dispatch( $request ); |
| 750 | $this->assertErrorResponse( 'rest_invalid_param', $response, 400 ); |
| 751 | |
| 752 | $data = $response->get_data(); |
| 753 | if ( is_multisite() ) { |
| 754 | $this->assertInternalType( 'array', $data['data']['errors'] ); |
| 755 | $errors = $data['data']['errors']; |
| 756 | $this->assertInternalType( 'array', $errors['user_name'] ); |
| 757 | $this->assertEquals( array( 'Usernames can only contain lowercase letters (a-z) and numbers.' ), $errors['user_name'] ); |
| 758 | } else { |
| 759 | $this->assertInternalType( 'array', $data['data']['params'] ); |
| 760 | $errors = $data['data']['params']; |
| 761 | $this->assertInternalType( 'string', $errors['username'] ); |
| 762 | $this->assertEquals( 'Username contains invalid characters.', $errors['username'] ); |
| 763 | } |
| 764 | } |
| 765 | |
| 766 | function get_illegal_user_logins() { |
| 767 | return array( 'nope' ); |
| 768 | } |
| 769 | |
| 770 | public function test_create_item_illegal_username() { |
| 771 | $this->allow_user_to_manage_multisite(); |
| 772 | wp_set_current_user( self::$user ); |
| 773 | |
| 774 | add_filter( 'illegal_user_logins', array( $this, 'get_illegal_user_logins' ) ); |
| 775 | |
| 776 | $params = array( |
| 777 | 'username' => 'nope', |
| 778 | 'password' => 'testpassword', |
| 779 | 'email' => 'test@example.com', |
| 780 | 'name' => 'Test User', |
| 781 | 'nickname' => 'testuser', |
| 782 | 'slug' => 'test-user', |
| 783 | 'roles' => array( 'editor' ), |
| 784 | 'description' => 'New API User', |
| 785 | 'url' => 'http://example.com', |
| 786 | ); |
| 787 | |
| 788 | $request = new WP_REST_Request( 'POST', '/wp/v2/users' ); |
| 789 | $request->add_header( 'content-type', 'application/x-www-form-urlencoded' ); |
| 790 | $request->set_body_params( $params ); |
| 791 | |
| 792 | $response = $this->server->dispatch( $request ); |
| 793 | |
| 794 | remove_filter( 'illegal_user_logins', array( $this, 'get_illegal_user_logins' ) ); |
| 795 | |
| 796 | $this->assertErrorResponse( 'rest_invalid_param', $response, 400 ); |
| 797 | |
| 798 | $data = $response->get_data(); |
| 799 | $this->assertInternalType( 'array', $data['data']['params'] ); |
| 800 | $errors = $data['data']['params']; |
| 801 | $this->assertInternalType( 'string', $errors['username'] ); |
| 802 | $this->assertEquals( 'Sorry, that username is not allowed.', $errors['username'] ); |
| 803 | } |
| 804 | |
| 1402 | public function test_update_item_invalid_password() { |
| 1403 | $this->allow_user_to_manage_multisite(); |
| 1404 | wp_set_current_user( self::$user ); |
| 1405 | |
| 1406 | $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/users/%d', self::$editor ) ); |
| 1407 | |
| 1408 | $request->set_param( 'password', 'no\\backslashes\\allowed' ); |
| 1409 | $response = $this->server->dispatch( $request ); |
| 1410 | $this->assertErrorResponse( 'rest_invalid_param', $response, 400 ); |
| 1411 | |
| 1412 | $request->set_param( 'password', '' ); |
| 1413 | $response = $this->server->dispatch( $request ); |
| 1414 | $this->assertErrorResponse( 'rest_invalid_param', $response, 400 ); |
| 1415 | } |
| 1416 | |
| 1417 | public function verify_user_roundtrip( $input = array(), $expected_output = array() ) { |
| 1418 | if ( isset( $input['id'] ) ) { |
| 1419 | // Existing user; don't try to create one |
| 1420 | $user_id = $input['id']; |
| 1421 | } else { |
| 1422 | // Create a new user |
| 1423 | $request = new WP_REST_Request( 'POST', '/wp/v2/users' ); |
| 1424 | foreach ( $input as $name => $value ) { |
| 1425 | $request->set_param( $name, $value ); |
| 1426 | } |
| 1427 | $request->set_param( 'email', 'cbg@androidsdungeon.com' ); |
| 1428 | $response = $this->server->dispatch( $request ); |
| 1429 | $this->assertEquals( 201, $response->get_status() ); |
| 1430 | $actual_output = $response->get_data(); |
| 1431 | |
| 1432 | // Compare expected API output to actual API output |
| 1433 | $this->assertEquals( $expected_output['username'] , $actual_output['username'] ); |
| 1434 | $this->assertEquals( $expected_output['name'] , $actual_output['name'] ); |
| 1435 | $this->assertEquals( $expected_output['first_name'] , $actual_output['first_name'] ); |
| 1436 | $this->assertEquals( $expected_output['last_name'] , $actual_output['last_name'] ); |
| 1437 | $this->assertEquals( $expected_output['url'] , $actual_output['url'] ); |
| 1438 | $this->assertEquals( $expected_output['description'], $actual_output['description'] ); |
| 1439 | $this->assertEquals( $expected_output['nickname'] , $actual_output['nickname'] ); |
| 1440 | |
| 1441 | // Compare expected API output to WP internal values |
| 1442 | $user = get_userdata( $actual_output['id'] ); |
| 1443 | $this->assertEquals( $expected_output['username'] , $user->user_login ); |
| 1444 | $this->assertEquals( $expected_output['name'] , $user->display_name ); |
| 1445 | $this->assertEquals( $expected_output['first_name'] , $user->first_name ); |
| 1446 | $this->assertEquals( $expected_output['last_name'] , $user->last_name ); |
| 1447 | $this->assertEquals( $expected_output['url'] , $user->user_url ); |
| 1448 | $this->assertEquals( $expected_output['description'], $user->description ); |
| 1449 | $this->assertEquals( $expected_output['nickname'] , $user->nickname ); |
| 1450 | $this->assertTrue( wp_check_password( addslashes( $expected_output['password'] ), $user->user_pass ) ); |
| 1451 | |
| 1452 | $user_id = $actual_output['id']; |
| 1453 | } |
| 1454 | |
| 1455 | // Update the user |
| 1456 | $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/users/%d', $user_id ) ); |
| 1457 | foreach ( $input as $name => $value ) { |
| 1458 | if ( 'username' !== $name ) { |
| 1459 | $request->set_param( $name, $value ); |
| 1460 | } |
| 1461 | } |
| 1462 | $response = $this->server->dispatch( $request ); |
| 1463 | $this->assertEquals( 200, $response->get_status() ); |
| 1464 | $actual_output = $response->get_data(); |
| 1465 | |
| 1466 | // Compare expected API output to actual API output |
| 1467 | if ( isset( $expected_output['username'] ) ) { |
| 1468 | $this->assertEquals( $expected_output['username'], $actual_output['username'] ); |
| 1469 | } |
| 1470 | $this->assertEquals( $expected_output['name'] , $actual_output['name'] ); |
| 1471 | $this->assertEquals( $expected_output['first_name'] , $actual_output['first_name'] ); |
| 1472 | $this->assertEquals( $expected_output['last_name'] , $actual_output['last_name'] ); |
| 1473 | $this->assertEquals( $expected_output['url'] , $actual_output['url'] ); |
| 1474 | $this->assertEquals( $expected_output['description'], $actual_output['description'] ); |
| 1475 | $this->assertEquals( $expected_output['nickname'] , $actual_output['nickname'] ); |
| 1476 | |
| 1477 | // Compare expected API output to WP internal values |
| 1478 | $user = get_userdata( $actual_output['id'] ); |
| 1479 | if ( isset( $expected_output['username'] ) ) { |
| 1480 | $this->assertEquals( $expected_output['username'], $user->user_login ); |
| 1481 | } |
| 1482 | $this->assertEquals( $expected_output['name'] , $user->display_name ); |
| 1483 | $this->assertEquals( $expected_output['first_name'] , $user->first_name ); |
| 1484 | $this->assertEquals( $expected_output['last_name'] , $user->last_name ); |
| 1485 | $this->assertEquals( $expected_output['url'] , $user->user_url ); |
| 1486 | $this->assertEquals( $expected_output['description'], $user->description ); |
| 1487 | $this->assertEquals( $expected_output['nickname'] , $user->nickname ); |
| 1488 | $this->assertTrue( wp_check_password( addslashes( $expected_output['password'] ), $user->user_pass ) ); |
| 1489 | } |
| 1490 | |
| 1491 | public function test_user_roundtrip_as_editor() { |
| 1492 | wp_set_current_user( self::$editor ); |
| 1493 | $this->assertEquals( ! is_multisite(), current_user_can( 'unfiltered_html' ) ); |
| 1494 | $this->verify_user_roundtrip( array( |
| 1495 | 'id' => self::$editor, |
| 1496 | 'name' => '\o/ ¯\_(ツ)_/¯', |
| 1497 | 'first_name' => '\o/ ¯\_(ツ)_/¯', |
| 1498 | 'last_name' => '\o/ ¯\_(ツ)_/¯', |
| 1499 | 'url' => '\o/ ¯\_(ツ)_/¯', |
| 1500 | 'description' => '\o/ ¯\_(ツ)_/¯', |
| 1501 | 'nickname' => '\o/ ¯\_(ツ)_/¯', |
| 1502 | 'password' => 'o/ ¯_(ツ)_/¯ \'"', |
| 1503 | ), array( |
| 1504 | 'name' => '\o/ ¯\_(ツ)_/¯', |
| 1505 | 'first_name' => '\o/ ¯\_(ツ)_/¯', |
| 1506 | 'last_name' => '\o/ ¯\_(ツ)_/¯', |
| 1507 | 'url' => 'http://o/%20¯_(ツ)_/¯', |
| 1508 | 'description' => '\o/ ¯\_(ツ)_/¯', |
| 1509 | 'nickname' => '\o/ ¯\_(ツ)_/¯', |
| 1510 | 'password' => 'o/ ¯_(ツ)_/¯ \'"', |
| 1511 | ) ); |
| 1512 | } |
| 1513 | |
| 1514 | public function test_user_roundtrip_as_editor_html() { |
| 1515 | wp_set_current_user( self::$editor ); |
| 1516 | if ( is_multisite() ) { |
| 1517 | $this->assertFalse( current_user_can( 'unfiltered_html' ) ); |
| 1518 | $this->verify_user_roundtrip( array( |
| 1519 | 'id' => self::$editor, |
| 1520 | 'name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1521 | 'first_name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1522 | 'last_name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1523 | 'url' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1524 | 'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1525 | 'nickname' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1526 | 'password' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1527 | ), array( |
| 1528 | 'name' => 'div strong', |
| 1529 | 'first_name' => 'div strong', |
| 1530 | 'last_name' => 'div strong', |
| 1531 | 'url' => 'http://divdiv/div%20strongstrong/strong%20scriptoh%20noes/script', |
| 1532 | 'description' => 'div <strong>strong</strong> oh noes', |
| 1533 | 'nickname' => 'div strong', |
| 1534 | 'password' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1535 | ) ); |
| 1536 | } else { |
| 1537 | $this->assertTrue( current_user_can( 'unfiltered_html' ) ); |
| 1538 | $this->verify_user_roundtrip( array( |
| 1539 | 'id' => self::$editor, |
| 1540 | 'name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1541 | 'first_name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1542 | 'last_name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1543 | 'url' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1544 | 'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1545 | 'nickname' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1546 | 'password' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1547 | ), array( |
| 1548 | 'name' => 'div strong', |
| 1549 | 'first_name' => 'div strong', |
| 1550 | 'last_name' => 'div strong', |
| 1551 | 'url' => 'http://divdiv/div%20strongstrong/strong%20scriptoh%20noes/script', |
| 1552 | 'description' => 'div <strong>strong</strong> oh noes', |
| 1553 | 'nickname' => 'div strong', |
| 1554 | 'password' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1555 | ) ); |
| 1556 | } |
| 1557 | } |
| 1558 | |
| 1559 | public function test_user_roundtrip_as_superadmin() { |
| 1560 | wp_set_current_user( self::$superadmin ); |
| 1561 | $this->assertTrue( current_user_can( 'unfiltered_html' ) ); |
| 1562 | $valid_username = is_multisite() ? 'noinvalidcharshere' : 'no-invalid-chars-here'; |
| 1563 | $this->verify_user_roundtrip( array( |
| 1564 | 'username' => $valid_username, |
| 1565 | 'name' => '\\\&\\\ & &invalid; < < &lt;', |
| 1566 | 'first_name' => '\\\&\\\ & &invalid; < < &lt;', |
| 1567 | 'last_name' => '\\\&\\\ & &invalid; < < &lt;', |
| 1568 | 'url' => '\\\&\\\ & &invalid; < < &lt;', |
| 1569 | 'description' => '\\\&\\\ & &invalid; < < &lt;', |
| 1570 | 'nickname' => '\\\&\\\ & &invalid; < < &lt;', |
| 1571 | 'password' => '& & &invalid; < < &lt;', |
| 1572 | ), array( |
| 1573 | 'username' => $valid_username, |
| 1574 | 'name' => '\\\&\\\ & &invalid; < < &lt;', |
| 1575 | 'first_name' => '\\\&\\\ & &invalid; < < &lt;', |
| 1576 | 'last_name' => '\\\&\\\ & &invalid; < < &lt;', |
| 1577 | 'url' => 'http://&%20&%20&invalid;%20%20<%20&lt;', |
| 1578 | 'description' => '\\\&\\\ & &invalid; < < &lt;', |
| 1579 | 'nickname' => '\\\&\\\ & &invalid; < < &lt;', |
| 1580 | 'password' => '& & &invalid; < < &lt;', |
| 1581 | ) ); |
| 1582 | } |
| 1583 | |
| 1584 | public function test_user_roundtrip_as_superadmin_html() { |
| 1585 | wp_set_current_user( self::$superadmin ); |
| 1586 | $this->assertTrue( current_user_can( 'unfiltered_html' ) ); |
| 1587 | $valid_username = is_multisite() ? 'noinvalidcharshere' : 'no-invalid-chars-here'; |
| 1588 | $this->verify_user_roundtrip( array( |
| 1589 | 'username' => $valid_username, |
| 1590 | 'name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1591 | 'first_name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1592 | 'last_name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1593 | 'url' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1594 | 'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1595 | 'nickname' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1596 | 'password' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1597 | ), array( |
| 1598 | 'username' => $valid_username, |
| 1599 | 'name' => 'div strong', |
| 1600 | 'first_name' => 'div strong', |
| 1601 | 'last_name' => 'div strong', |
| 1602 | 'url' => 'http://divdiv/div%20strongstrong/strong%20scriptoh%20noes/script', |
| 1603 | 'description' => 'div <strong>strong</strong> oh noes', |
| 1604 | 'nickname' => 'div strong', |
| 1605 | 'password' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', |
| 1606 | ) ); |
| 1607 | } |
| 1608 | |