

Changeset 34570


Timestamp:
09/26/15 02:48:47 (17 months ago)
Author:
wonderboymusic
Message:

XML-RPC: wp.getComments should be allowed to return approved comments to those without the 'moderate_comments' cap.

Adds (rewrites) unit tests from 4 years ago that we never committed because....

Props wonderboymusic, koke, ericmann, nprasath002.
Fixes #17981.

Location:
trunk
Files:
3 edited

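--- a/trunk/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/trunk/src/wp-includes/class-wp-xmlrpc-server.php
@@ -3156,15 +3156,18 @@
         $comment_id = (int) $args[3];
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'moderate_comments' ) )
-            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
+        if ( ! $user = $this->login( $username, $password ) ) {
+            return $this->error;
+        }
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
         do_action( 'xmlrpc_call', 'wp.getComment' );
 
-        if ( ! $comment = get_comment($comment_id) )
+        if ( ! $comment = get_comment( $comment_id ) ) {
             return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
+        }
+
+        if ( ! current_user_can( 'edit_comment', $comment_id ) ) {
+            return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
+        }
 
         return $this->_prepare_comment( $comment );
@@ -3204,17 +3207,18 @@
         $struct   = isset( $args[3] ) ? $args[3] : array();
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'moderate_comments' ) )
-            return new IXR_Error( 401, __( 'Sorry, you cannot edit comments.' ) );
+        if ( ! $user = $this->login($username, $password ) )
+            return $this->error;
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
         do_action( 'xmlrpc_call', 'wp.getComments' );
 
-        if ( isset($struct['status']) )
+        if ( isset( $struct['status'] ) )
             $status = $struct['status'];
         else
             $status = '';
+
+        if ( ! current_user_can( 'moderate_comments' ) && 'approve' !== $status ) {
+            return new IXR_Error( 401, __( 'Invalid comment status.' ) );
+        }
 
         $post_id = '';
@@ -3261,5 +3265,5 @@
      * @return bool|IXR_Error {@link wp_delete_comment()}
      */
-    public function wp_deleteComment($args) {
+    public function wp_deleteComment( $args ) {
         $this->escape($args);
 
@@ -3268,15 +3272,15 @@
         $comment_ID = (int) $args[3];
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'moderate_comments' ) )
-            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
-
-        if ( ! get_comment($comment_ID) )
+        if ( ! $user = $this->login( $username, $password ) ) {
+            return $this->error;
+        }
+
+        if ( ! get_comment( $comment_ID ) ) {
             return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
-
-        if ( !current_user_can( 'edit_comment', $comment_ID ) )
-            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
+        }
+
+        if ( !current_user_can( 'edit_comment', $comment_ID ) ) {
+            return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
+        }
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
@@ -3335,15 +3339,15 @@
         $content_struct = $args[4];
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'moderate_comments' ) )
-            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
-
-        if ( ! get_comment($comment_ID) )
+        if ( !$user = $this->login( $username, $password ) ) {
+            return $this->error;
+        }
+
+        if ( ! get_comment( $comment_ID ) ) {
             return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
-
-        if ( !current_user_can( 'edit_comment', $comment_ID ) )
-            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
+        }
+
+        if ( ! current_user_can( 'edit_comment', $comment_ID ) ) {
+            return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
+        }
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
@@ -3537,5 +3541,5 @@
      * @return array|IXR_Error
      */
-    public function wp_getCommentStatusList($args) {
+    public function wp_getCommentStatusList( $args ) {
         $this->escape( $args );
 
@@ -3543,9 +3547,11 @@
         $password = $args[2];
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'moderate_comments' ) )
+        if ( ! $user = $this->login( $username, $password ) ) {
+            return $this->error;
+        }
+
+        if ( ! current_user_can( 'publish_posts' ) ) {
             return new IXR_Error( 403, __( 'You are not allowed access to details about this site.' ) );
+        }
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
@@ -3577,9 +3583,16 @@
         $post_id    = (int) $args[3];
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'edit_posts' ) )
-            return new IXR_Error( 403, __( 'You are not allowed access to details about comments.' ) );
+        if ( ! $user = $this->login( $username, $password ) ) {
+            return $this->error;
+        }
+
+        $post = get_post( $post_id, ARRAY_A );
+        if ( empty( $post['ID'] ) ) {
+            return new IXR_Error( 404, __( 'Invalid post ID.' ) );
+        }
+
+        if ( ! current_user_can( 'edit_post', $post_id ) ) {
+            return new IXR_Error( 403, __( 'You are not allowed access to details of this post.' ) );
+        }
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
@@ -3587,4 +3600,5 @@
 
         $count = wp_count_comments( $post_id );
+
         return array(
             'approved' => $count->approved,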
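Review bot: In wp_getCommentCount the new code returns a 404 'Invalid post ID.' from get_post() before the edit_post capability check, so any account that can authenticate over XML-RPC can tell existing post IDs (including drafts and private posts it may not read) from nonexistent ones by the 404/403 difference; wp_getComment, wp_deleteComment and wp_editComment do the same for comment IDs with their 404 ahead of the edit_comment check. If that distinction is not wanted, fold the existence failure into the 403 for callers who lack a moderation capability, e.g. `if ( empty( $post['ID'] ) || ! current_user_can( 'edit_post', $post_id ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details of this post.' ) ); }` — with the caveat that I cannot confirm from here how edit_post is mapped for a missing ID. Separately, the wp_getComments login guard keeps the brace-less form and the `login($username, $password )` spacing while every other hunk was converted to braced `if` blocks; `if ( ! $user = $this->login( $username, $password ) ) {` would match. All of these functions start and end outside their hunks.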
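--- a/trunk/tests/phpunit/tests/xmlrpc/wp/editComment.php
+++ b/trunk/tests/phpunit/tests/xmlrpc/wp/editComment.php
@@ -5,4 +5,47 @@
  */
 class Tests_XMLRPC_wp_editComment extends WP_XMLRPC_UnitTestCase {
+
+    function test_author_can_edit_own_comment() {
+        $author_id = $this->make_user_by_role( 'author' );
+        $post_id = $this->factory->post->create( array(
+            'post_title' => 'Post test by author',
+            'post_author' => $author_id
+        ) );
+
+        $comment_id = wp_insert_comment(array(
+            'comment_post_ID' => $post_id,
+            'comment_author' => 'Commenter 1',
+            'comment_author_url' => "http://example.com/1/",
+            'comment_approved' => 1,
+        ));
+
+        $result = $this->myxmlrpcserver->wp_editComment( array( 1, 'author', 'author', $comment_id, array(
+            'status' => 'hold'
+        ) ) );
+        $this->assertNotInstanceOf( 'IXR_Error', $result );
+        $this->assertTrue( $result );
+    }
+
+    function test_author_cannot_edit_others_comment() {
+        $this->make_user_by_role( 'author' );
+        $editor_id = $this->make_user_by_role( 'editor' );
+        $post_id = $this->factory->post->create( array(
+            'post_title' => 'Post test by editor',
+            'post_author' => $editor_id
+        ) );
+
+        $comment_id = wp_insert_comment( array(
+            'comment_post_ID' => $post_id,
+            'comment_author' => 'Commenter 2',
+            'comment_author_url' => 'http://example.com/2/',
+            'comment_approved' => 0,
+        ) );
+
+        $result = $this->myxmlrpcserver->wp_editComment( array( 1, 'author', 'author', $comment_id, array( 'status' => 'hold' ) ) );
+        $this->assertInstanceOf( 'IXR_Error', $result );
+        $this->assertEquals( 403, $result->code );
+        $this->assertEquals( __( 'You are not allowed to moderate or edit this comment.' ), $result->message );
+    }
+
     function test_trash_comment() {
         $this->make_user_by_role( 'administrator' );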
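Review bot: test_author_cannot_edit_others_comment only checks the returned IXR_Error and never verifies that the denied call left the comment untouched, so a regression that returned the error after applying the edit would still pass. Add an assertion on stored state after the call, e.g. `$this->assertEquals( '0', get_comment( $comment_id )->comment_approved );`. The positive test would likewise be stronger if it asserted the comment is now on hold rather than only that the call returned true. test_trash_comment continues outside the hunk.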
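--- a/trunk/tests/phpunit/tests/xmlrpc/wp/getComments.php
+++ b/trunk/tests/phpunit/tests/xmlrpc/wp/getComments.php
@@ -43,8 +43,7 @@
         $this->make_user_by_role( 'editor' );
 
-        $filter = array(
+        $results = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
             'post_id' => $this->post_id
-        );
-        $results = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', $filter ) );
+        ) ) );
         $this->assertNotInstanceOf( 'IXR_Error', $results );
 
@@ -57,18 +56,153 @@
         $this->make_user_by_role( 'editor' );
 
-        $filter = array(
+        $results = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
             'post_id' => $this->post_id,
-        );
-        $results = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', $filter ) );
+        ) ) );
         $this->assertNotInstanceOf( 'IXR_Error', $results );
 
         // if no 'number' filter is specified, default should be 10
-        $this->assertEquals( 10, count( $results ) );
-
-        // explicitly set a 'number' filter and verify that only that many are returned
-        $filter['number'] = 5;
-        $results2 = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', $filter ) );
+        $this->assertCount( 10, $results );
+
+        $results2 = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
+            'post_id' => $this->post_id,
+            'number' => 5
+        ) ) );
         $this->assertNotInstanceOf( 'IXR_Error', $results2 );
-        $this->assertEquals( 5, count( $results2 ) );
+        $this->assertCount( 5, $results2 );
+    }
+
+    function test_contributor_capabilities() {
+        $this->make_user_by_role( 'contributor' );
+        $author_id = $this->make_user_by_role( 'author' );
+        $author_post_id = $this->factory->post->create( array(
+            'post_title' => 'Author',
+            'post_author' => $author_id,
+            'post_status' => 'publish'
+        ) );
+
+        $this->factory->comment->create( array(
+            'comment_post_ID' => $author_post_id,
+            'comment_author' => "Commenter 1",
+            'comment_author_url' => "http://example.com/1/",
+            'comment_approved' => 0,
+        ) );
+
+        $editor_id = $this->make_user_by_role( 'editor' );
+        $editor_post_id = $this->factory->post->create( array(
+            'post_title' => 'Editor',
+            'post_author' => $editor_id,
+            'post_status' => 'publish'
+        ) );
+
+        $this->factory->comment->create( array(
+            'comment_post_ID' => $editor_post_id,
+            'comment_author' => 'Commenter 2',
+            'comment_author_url' => 'http://example.com/2/',
+            'comment_approved' => 0,
+        ) );
+
+        $result = $this->myxmlrpcserver->wp_getComments( array( 1, 'contributor', 'contributor' ) );
+        $this->assertInstanceOf( 'IXR_Error', $result );
+        $this->assertEquals( 401, $result->code );
+    }
+
+    function test_author_capabilities() {
+        $author_id = $this->make_user_by_role( 'author' );
+        $author_post_id = $this->factory->post->create( array(
+            'post_title' => 'Author',
+            'post_author' => $author_id,
+            'post_status' => 'publish'
+        ) );
+
+        $this->factory->comment->create( array(
+            'comment_post_ID' => $author_post_id,
+            'comment_author' => 'Commenter 1',
+            'comment_author_url' => 'http://example.com/1/',
+            'comment_approved' => 1,
+        ) );
+
+        $editor_id = $this->make_user_by_role( 'editor' );
+        $editor_post_id = $this->factory->post->create( array(
+            'post_title' => 'Editor',
+            'post_author' => $editor_id,
+            'post_status' => 'publish'
+        ) );
+
+        $this->factory->comment->create( array(
+            'comment_post_ID' => $editor_post_id,
+            'comment_author' => 'Commenter 2',
+            'comment_author_url' => 'http://example.com/2/',
+            'comment_approved' => 0,
+        ) );
+
+        $result1 = $this->myxmlrpcserver->wp_getComments( array( 1, 'author', 'author', array(
+            'post_id' => $author_post_id
+        ) ) );
+        $this->assertInstanceOf( 'IXR_Error', $result1 );
+
+        $result2 = $this->myxmlrpcserver->wp_getComments( array( 1, 'author', 'author', array(
+            'status' => 'approve',
+            'post_id' => $author_post_id
+        ) ) );
+
+        $this->assertInternalType( 'array', $result2 );
+        $this->assertCount( 1, $result2 );
+
+        $result3 = $this->myxmlrpcserver->wp_getComments( array( 1, 'author', 'author', array(
+            'post_id' => $editor_post_id
+        ) ) );
+        $this->assertInstanceOf( 'IXR_Error', $result3 );
+
+        $result4 = $this->myxmlrpcserver->wp_getComments( array( 1, 'author', 'author', array(
+            'status' => 'approve',
+            'post_id' => $author_post_id
+        ) ) );
+
+        $this->assertInternalType( 'array', $result4 );
+        $this->assertCount( 1, $result4 );
+    }
+
+    function test_editor_capabilities() {
+        $author_id = $this->make_user_by_role( 'author' );
+        $author_post_id = $this->factory->post->create( array(
+            'post_title' => 'Author',
+            'post_author' => $author_id,
+            'post_status' => 'publish'
+        ) );
+
+        $this->factory->comment->create( array(
+            'comment_post_ID' => $author_post_id,
+            'comment_author' => 'Commenter 1',
+            'comment_author_url' => 'http://example.com/1/',
+            'comment_approved' => 1,
+        ));
+
+        $editor_id = $this->make_user_by_role( 'editor' );
+        $editor_post_id = $this->factory->post->create( array(
+            'post_title' => 'Editor',
+            'post_author' => $editor_id,
+            'post_status' => 'publish'
+        ) );
+
+        $this->factory->comment->create(array(
+            'comment_post_ID' => $editor_post_id,
+            'comment_author' => 'Commenter 2',
+            'comment_author_url' => 'http://example.com/2/',
+            'comment_approved' => 0,
+        ));
+
+        $result = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
+            'post_id' => $author_post_id
+        ) ) );
+        $this->assertInternalType( 'array', $result );
+        $this->assertCount( 1, $result );
+
+        $result2 = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
+            'status' => 'approve',
+            'post_id' => $author_post_id
+        ) ) );
+
+        $this->assertInternalType( 'array', $result2 );
+        $this->assertCount( 1, $result2 );
     }
 }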
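Review bot: In test_author_capabilities the $result4 call is byte-for-byte the same request as $result2 (status 'approve', post_id $author_post_id) and asserts the same count, so it re-tests nothing; given that $result3 just probed the editor's post, it presumably meant to pass `'post_id' => $editor_post_id`, whose only comment is unapproved, and then assert `$this->assertCount( 0, $result4 );`. That would actually pin the security property this changeset introduces — that a non-moderator requesting status 'approve' sees approved comments only and never the pending one — which no assertion in this file currently checks, since every positive case queries a post holding a single approved comment. A similar assertion on the contents (e.g. the returned comment_id or status field) would guard against a query that ignores the status filter yet happens to return one row.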