Ticket #42202: 42202.1.diff
File 42202.1.diff, 5.0 KB (added by , 5 years ago) |
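--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -192,6 +192,19 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 			return new WP_Error( 'rest_forbidden_orderby', __( 'Sorry, you are not allowed to order users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
+		if ( ! empty( $request['who'] ) ) {
+			$can_view = false;
+			$types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
+			foreach ( $types as $type ) {
+				if ( current_user_can( $type->cap->edit_posts ) ) {
+					$can_view = true;
+				}
+			}
+			if ( ! $can_view ) {
+				return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
+			}
+		}
+
 		return true;
 	}
 
@@ -256,7 +269,9 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 			$prepared_args['orderby'] = $orderby_possibles[ $request['orderby'] ];
 		}
 
-		if ( ! current_user_can( 'list_users' ) ) {
+		if ( isset( $registered['who'] ) && ! empty( $request['who'] ) && 'authors' === $request['who'] ) {
+			$prepared_args['who'] = 'authors';
+		} elseif ( ! current_user_can( 'list_users' ) ) {
 			$prepared_args['has_published_posts'] = get_post_types( array( 'show_in_rest' => true ), 'names' );
 		}
 
@@ -1372,6 +1387,14 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 			),
 		);
 
+		$query_params['who'] = array(
+			'description' => __( 'Limit result set to users who are considered authors.' ),
+			'type' => 'string',
+			'enum' => array(
+				'authors',
+			),
+		);
+
 		/**
 		 * Filter collection parameters for the users controller.
 		 *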
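Review bot: The elseif at new line 272 in get_items tests `! empty( $request['who'] ) && 'authors' === $request['who']`; the strict comparison already rejects null and the empty string, so the `! empty()` is redundant and the condition reads more clearly as `if ( isset( $registered['who'] ) && 'authors' === $request['who'] ) {`. In the permission check (new lines 198-202) the loop keeps calling current_user_can() after `$can_view` has already been set; a `break;` directly after `$can_view = true;` states that one editable REST-exposed post type is enough. The new block also deserves a why-comment, since it is what the elseif in the second hunk relies on: `// Querying by 'who' skips the has_published_posts restriction below, so require edit_posts on at least one REST-exposed post type.` Both enclosing methods (get_items_permissions_check and get_items) begin and end outside their hunks, and get_collection_params continues past the third hunk.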
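--- a/tests/phpunit/tests/rest-api/rest-users-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-users-controller.php
@@ -14,6 +14,7 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 	protected static $user;
 	protected static $editor;
 	protected static $draft_editor;
+	protected static $subscriber;
 	protected static $authors = array();
 	protected static $posts = array();
 	protected static $site;
@@ -42,6 +43,13 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 				'user_email' => 'draft-editor@example.com',
 			)
 		);
+		self::$subscriber = $factory->user->create(
+			array(
+				'role' => 'subscriber',
+				'display_name' => 'subscriber',
+				'user_email' => 'subscriber@example.com',
+			)
+		);
 
 		foreach ( array( true, false ) as $show_in_rest ) {
 			foreach ( array( true, false ) as $public ) {
@@ -166,6 +174,7 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 				'roles',
 				'search',
 				'slug',
+				'who',
 			), $keys
 		);
 	}
@@ -784,6 +793,43 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 		$this->assertEquals( array(), $data );
 	}
 
+	public function test_get_items_who_author_query() {
+		wp_set_current_user( self::$superadmin );
+		// First request should include subscriber in the set.
+		$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+		$request->set_param( 'search', 'subscriber' );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+		$this->assertCount( 1, $response->get_data() );
+		// Second request should exclude subscriber.
+		$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+		$request->set_param( 'who', 'authors' );
+		$request->set_param( 'search', 'subscriber' );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+		$this->assertCount( 0, $response->get_data() );
+	}
+
+	public function test_get_items_who_invalid_query() {
+		wp_set_current_user( self::$user );
+		$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+		$request->set_param( 'who', 'editor' );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+	}
+
+	/**
+	 * Any user with 'edit_posts' on a show_in_rest post type
+	 * can view authors. Others (e.g. subscribers) cannot.
+	 */
+	public function test_get_items_who_unauthorized_query() {
+		wp_set_current_user( self::$subscriber );
+		$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+		$request->set_param( 'who', 'authors' );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertErrorResponse( 'rest_forbidden_who', $response, 403 );
+	}
+
 	public function test_get_item() {
 		$user_id = $this->factory->user->create();
 		wp_set_current_user( self::$user );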
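Review bot: The new tests (new lines 796-831) cover the 403 for a subscriber and the 400 for an invalid value, but none exercises the allowed path for a user who has edit_posts without list_users, which is the case the `elseif ( ! current_user_can( 'list_users' ) )` branch in the controller is written around; the only successful who=authors request runs as self::$superadmin. A test that sets the current user to an author- or contributor-role fixture, requests who=authors, and asserts a 200 with the expected users would pin both the positive branch of the permission check and the fact that has_published_posts is not applied in that branch. In default WordPress roles editors hold list_users, so self::$editor would not cover it, as far as I can tell; a fixture created alongside self::$subscriber would. The first request in test_get_items_who_author_query sends no who parameter, so its comment would be clearer as `// Baseline without 'who': the subscriber is visible to a superadmin.`.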