Ticket #40263: 40263.2.diff
File 40263.2.diff, 4.4 KB (added by , 6 years ago) |
src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php index 63fb4e9..f81fee3 100644
a b class WP_REST_Users_Controller extends WP_REST_Controller { 570 570 return $user; 571 571 } 572 572 573 if ( ! current_user_can( 'edit_user', $user->ID ) ) { 574 return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) ); 573 if ( ! empty( $request['roles'] ) ) { 574 if ( ! current_user_can( 'promote_user', $user->ID ) ) { 575 return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of this user.' ), array( 'status' => rest_authorization_required_code() ) ); 576 } 577 578 $request_params = array_keys( $request->get_params() ); 579 sort( $request_params ); 580 // If only 'id' and 'roles' are specified (we are only trying to 581 // edit roles), then only the 'promote_user' cap is required. 582 if ( $request_params === array( 'id', 'roles' ) ) { 583 return true; 584 } 575 585 } 576 586 577 if ( ! empty( $request['roles'] ) && ! current_user_can( 'edit_users') ) {578 return new WP_Error( 'rest_cannot_edit _roles', __( 'Sorry, you are not allowed to edit roles ofthis user.' ), array( 'status' => rest_authorization_required_code() ) );587 if ( ! current_user_can( 'edit_user', $user->ID ) ) { 588 return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) ); 579 589 } 580 590 581 591 return true; -
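Review bot: The promote-only fast path, `if ( $request_params === array( 'id', 'roles' ) )`, requires the key set of `$request->get_params()` to be exactly those two names, so any additional key — a query-string parameter sent alongside the body, or, if I read `get_params()` correctly, any route argument that carries a default — silently disables it and the request falls through to the `edit_user` check below and is rejected with `rest_cannot_edit`. That is safe (it fails closed) but is easy to misread as a bug in the field, so the comment on the new lines should state the strictness explicitly, e.g. `// Exact key match on purpose: any other parameter (including defaults merged by get_params()) must go through the full 'edit_user' check.` If the intent is instead that unrelated query keys should not defeat the promote-only path, the comparison would need to be computed after removing those keys, which is a behavioural decision the patch should make deliberately rather than by accident. The enclosing `update_item_permissions_check` method starts and ends outside the hunk, so I cannot see whether the subsequent role validation still runs for this early return.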
tests/phpunit/tests/rest-api/rest-users-controller.php
diff --git a/tests/phpunit/tests/rest-api/rest-users-controller.php b/tests/phpunit/tests/rest-api/rest-users-controller.php index 3024693..6af355d 100644
a b class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase { 1569 1569 $this->assertErrorResponse( 'rest_user_invalid_id', $response, 404 ); 1570 1570 } 1571 1571 1572 /** 1573 * @ticket 40263 1574 */ 1575 public function test_update_item_only_roles_as_editor() { 1576 $user_id = $this->factory->user->create( array( 1577 'role' => 'author', 1578 ) ); 1579 1580 wp_set_current_user( self::$editor ); 1581 $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/users/%d', $user_id ) ); 1582 $request->set_param( 'roles', array( 'editor' ) ); 1583 $response = $this->server->dispatch( $request ); 1584 $this->assertErrorResponse( 'rest_cannot_edit_roles', $response, 403 ); 1585 } 1586 1587 /** 1588 * @ticket 40263 1589 */ 1590 public function test_update_item_only_roles_as_site_administrator() { 1591 $user_id = $this->factory->user->create( array( 1592 'role' => 'author', 1593 ) ); 1594 1595 wp_set_current_user( self::$user ); 1596 $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/users/%d', $user_id ) ); 1597 $request->set_param( 'roles', array( 'editor' ) ); 1598 $response = $this->server->dispatch( $request ); 1599 $this->assertEquals( 200, $response->get_status() ); 1600 1601 $new_data = $response->get_data(); 1602 $this->assertEquals( 'editor', $new_data['roles'][0] ); 1603 } 1604 1605 /** 1606 * @ticket 40263 1607 */ 1608 public function test_update_item_including_roles_and_other_params() { 1609 $user_id = $this->factory->user->create( array( 1610 'role' => 'author', 1611 ) ); 1612 1613 wp_set_current_user( self::$user ); 1614 $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/users/%d', $user_id ) ); 1615 $request->set_param( 'roles', array( 'editor' ) ); 1616 $request->set_param( 'name', 'Short-Lived User' ); 1617 $response = $this->server->dispatch( $request ); 1618 1619 if ( is_multisite() ) { 1620 // Site administrators can promote users, as verified by the 1621 // previous test, but they cannot perform other user-editing 1622 // 
operations. This also tests the branch of logic that verifies 1623 // that no parameters other than 'id' and 'roles' are specified for 1624 // a roles update. 1625 $this->assertErrorResponse( 'rest_cannot_edit', $response, 403 ); 1626 } else { 1627 $this->assertEquals( 200, $response->get_status() ); 1628 1629 $new_data = $response->get_data(); 1630 $this->assertEquals( 'editor', $new_data['roles'][0] ); 1631 } 1632 } 1633 1572 1634 public function test_update_item_invalid_password() { 1573 1635 $this->allow_user_to_manage_multisite(); 1574 1636 wp_set_current_user( self::$user );
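Review bot: `test_update_item_including_roles_and_other_params` only asserts the `rest_cannot_edit` fall-through inside the `if ( is_multisite() )` branch, so on a single-site run the new "roles plus other parameters" rejection path in the controller is never exercised — the test there only confirms the 200 response an administrator gets anyway. A dedicated test that gives the current user the promote capability but not the ability to edit the target user, then sends `roles` together with `name`, would pin the 403 on both configurations. The three new tests also use `assertEquals( 200, $response->get_status() )`; `assertSame` would avoid type coercion on the status code, though the surrounding file uses `assertEquals` throughout.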