

Changeset 34570


Timestamp:
09/26/2015 02:48:47 AM (3 years ago)
Author:
wonderboymusic
Message:

XML-RPC: wp.getComments should be allowed to return approved comments to those without the 'moderate_comments' cap.

Adds (rewrites) unit tests from 4 years ago that we never committed because....

Props wonderboymusic, koke, ericmann, nprasath002.
Fixes #17981.

Location:
trunk
Files:
3 edited

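--- a/trunk/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/trunk/src/wp-includes/class-wp-xmlrpc-server.php
@@ -3156,15 +3156,18 @@
         $comment_id = (int) $args[3];
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'moderate_comments' ) )
-            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
+        if ( ! $user = $this->login( $username, $password ) ) {
+            return $this->error;
+        }
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
         do_action( 'xmlrpc_call', 'wp.getComment' );
 
-        if ( ! $comment = get_comment($comment_id) )
+        if ( ! $comment = get_comment( $comment_id ) ) {
             return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
+        }
+
+        if ( ! current_user_can( 'edit_comment', $comment_id ) ) {
+            return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
+        }
 
         return $this->_prepare_comment( $comment );
@@ -3204,17 +3207,18 @@
         $struct   = isset( $args[3] ) ? $args[3] : array();
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'moderate_comments' ) )
-            return new IXR_Error( 401, __( 'Sorry, you cannot edit comments.' ) );
+        if ( ! $user = $this->login($username, $password ) )
+            return $this->error;
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
         do_action( 'xmlrpc_call', 'wp.getComments' );
 
-        if ( isset($struct['status']) )
+        if ( isset( $struct['status'] ) )
             $status = $struct['status'];
         else
             $status = '';
+
+        if ( ! current_user_can( 'moderate_comments' ) && 'approve' !== $status ) {
+            return new IXR_Error( 401, __( 'Invalid comment status.' ) );
+        }
 
         $post_id = '';
@@ -3261,5 +3265,5 @@
      * @return bool|IXR_Error {@link wp_delete_comment()}
      */
-    public function wp_deleteComment($args) {
+    public function wp_deleteComment( $args ) {
         $this->escape($args);
 
@@ -3268,15 +3272,15 @@
         $comment_ID = (int) $args[3];
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'moderate_comments' ) )
-            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
-
-        if ( ! get_comment($comment_ID) )
+        if ( ! $user = $this->login( $username, $password ) ) {
+            return $this->error;
+        }
+
+        if ( ! get_comment( $comment_ID ) ) {
             return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
-
-        if ( !current_user_can( 'edit_comment', $comment_ID ) )
-            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
+        }
+
+        if ( !current_user_can( 'edit_comment', $comment_ID ) ) {
+            return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
+        }
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
@@ -3335,15 +3339,15 @@
         $content_struct = $args[4];
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'moderate_comments' ) )
-            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
-
-        if ( ! get_comment($comment_ID) )
+        if ( !$user = $this->login( $username, $password ) ) {
+            return $this->error;
+        }
+
+        if ( ! get_comment( $comment_ID ) ) {
             return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
-
-        if ( !current_user_can( 'edit_comment', $comment_ID ) )
-            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
+        }
+
+        if ( ! current_user_can( 'edit_comment', $comment_ID ) ) {
+            return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
+        }
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
@@ -3537,5 +3541,5 @@
      * @return array|IXR_Error
      */
-    public function wp_getCommentStatusList($args) {
+    public function wp_getCommentStatusList( $args ) {
         $this->escape( $args );
 
@@ -3543,9 +3547,11 @@
         $password = $args[2];
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'moderate_comments' ) )
+        if ( ! $user = $this->login( $username, $password ) ) {
+            return $this->error;
+        }
+
+        if ( ! current_user_can( 'publish_posts' ) ) {
             return new IXR_Error( 403, __( 'You are not allowed access to details about this site.' ) );
+        }
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
@@ -3577,9 +3583,16 @@
         $post_id    = (int) $args[3];
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'edit_posts' ) )
-            return new IXR_Error( 403, __( 'You are not allowed access to details about comments.' ) );
+        if ( ! $user = $this->login( $username, $password ) ) {
+            return $this->error;
+        }
+
+        $post = get_post( $post_id, ARRAY_A );
+        if ( empty( $post['ID'] ) ) {
+            return new IXR_Error( 404, __( 'Invalid post ID.' ) );
+        }
+
+        if ( ! current_user_can( 'edit_post', $post_id ) ) {
+            return new IXR_Error( 403, __( 'You are not allowed access to details of this post.' ) );
+        }
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
@@ -3587,4 +3600,5 @@
 
         $count = wp_count_comments( $post_id );
+
         return array(
             'approved' => $count->approved,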
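Review bot: The new gate at 3220-3222 only constrains `status`; the `post_id` filter that follows (outside the hunk) is not visibly checked against the caller's right to read that post, so if it reaches get_comments unchanged, approved comments on private or password-protected posts would presumably be listed for any role that can log in — confirm, or add a `read_post` check on `$post_id` for callers without `moderate_comments`. The rejection is also reported as `401, 'Invalid comment status.'` while every other authorization failure rewritten in this changeset is a 403 with an authorization message; `return new IXR_Error( 403, __( 'Sorry, you are not allowed to view comments with this status.' ) );` would keep them consistent and not mislabel a permission problem as a bad parameter. Relatedly, wp_getComment, wp_deleteComment, wp_editComment and wp_getCommentCount now run the 404 lookup before the per-object capability check, so any login can tell existing from non-existent comment and post IDs where the blanket `moderate_comments` check used to hide that; if that matters here, return the same 403 in both cases. The login guard at 3209-3210 still lacks braces and has `login($username, $password )` spacing, unlike the other rewritten methods. The method's docblock, outside the hunk, should state that callers without `moderate_comments` may only request `status => 'approve'`.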
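--- a/trunk/tests/phpunit/tests/xmlrpc/wp/editComment.php
+++ b/trunk/tests/phpunit/tests/xmlrpc/wp/editComment.php
@@ -5,4 +5,47 @@
  */
 class Tests_XMLRPC_wp_editComment extends WP_XMLRPC_UnitTestCase {
+
+    function test_author_can_edit_own_comment() {
+        $author_id = $this->make_user_by_role( 'author' );
+        $post_id = $this->factory->post->create( array(
+            'post_title' => 'Post test by author',
+            'post_author' => $author_id
+        ) );
+
+        $comment_id = wp_insert_comment(array(
+            'comment_post_ID' => $post_id,
+            'comment_author' => 'Commenter 1',
+            'comment_author_url' => "http://example.com/1/",
+            'comment_approved' => 1,
+        ));
+
+        $result = $this->myxmlrpcserver->wp_editComment( array( 1, 'author', 'author', $comment_id, array(
+            'status' => 'hold'
+        ) ) );
+        $this->assertNotInstanceOf( 'IXR_Error', $result );
+        $this->assertTrue( $result );
+    }
+
+    function test_author_cannot_edit_others_comment() {
+        $this->make_user_by_role( 'author' );
+        $editor_id = $this->make_user_by_role( 'editor' );
+        $post_id = $this->factory->post->create( array(
+            'post_title' => 'Post test by editor',
+            'post_author' => $editor_id
+        ) );
+
+        $comment_id = wp_insert_comment( array(
+            'comment_post_ID' => $post_id,
+            'comment_author' => 'Commenter 2',
+            'comment_author_url' => 'http://example.com/2/',
+            'comment_approved' => 0,
+        ) );
+
+        $result = $this->myxmlrpcserver->wp_editComment( array( 1, 'author', 'author', $comment_id, array( 'status' => 'hold' ) ) );
+        $this->assertInstanceOf( 'IXR_Error', $result );
+        $this->assertEquals( 403, $result->code );
+        $this->assertEquals( __( 'You are not allowed to moderate or edit this comment.' ), $result->message );
+    }
+
     function test_trash_comment() {
         $this->make_user_by_role( 'administrator' );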
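Review bot: `test_author_can_edit_own_comment` only asserts that `wp_editComment` returned true; it never reads the comment back, so a regression that reports success without persisting the status change would still pass. Asserting the stored value after the call, e.g. by reading `get_comment( $comment_id )->comment_approved`, would pin the behaviour the test name promises. The `assertNotInstanceOf( 'IXR_Error', $result )` on the preceding line is redundant once `assertTrue( $result )` follows. Quoting is also mixed between the two tests: `"http://example.com/1/"` and `wp_insert_comment(array(` in the first versus single quotes and `wp_insert_comment( array(` in the second.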
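--- a/trunk/tests/phpunit/tests/xmlrpc/wp/getComments.php
+++ b/trunk/tests/phpunit/tests/xmlrpc/wp/getComments.php
@@ -43,8 +43,7 @@
         $this->make_user_by_role( 'editor' );
 
-        $filter = array(
+        $results = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
             'post_id' => $this->post_id
-        );
-        $results = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', $filter ) );
+        ) ) );
         $this->assertNotInstanceOf( 'IXR_Error', $results );
 
@@ -57,18 +56,153 @@
         $this->make_user_by_role( 'editor' );
 
-        $filter = array(
+        $results = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
             'post_id' => $this->post_id,
-        );
-        $results = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', $filter ) );
+        ) ) );
         $this->assertNotInstanceOf( 'IXR_Error', $results );
 
         // if no 'number' filter is specified, default should be 10
-        $this->assertEquals( 10, count( $results ) );
-
-        // explicitly set a 'number' filter and verify that only that many are returned
-        $filter['number'] = 5;
-        $results2 = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', $filter ) );
+        $this->assertCount( 10, $results );
+
+        $results2 = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
+            'post_id' => $this->post_id,
+            'number' => 5
+        ) ) );
         $this->assertNotInstanceOf( 'IXR_Error', $results2 );
-        $this->assertEquals( 5, count( $results2 ) );
+        $this->assertCount( 5, $results2 );
+    }
+
+    function test_contributor_capabilities() {
+        $this->make_user_by_role( 'contributor' );
+        $author_id = $this->make_user_by_role( 'author' );
+        $author_post_id = $this->factory->post->create( array(
+            'post_title' => 'Author',
+            'post_author' => $author_id,
+            'post_status' => 'publish'
+        ) );
+
+        $this->factory->comment->create( array(
+            'comment_post_ID' => $author_post_id,
+            'comment_author' => "Commenter 1",
+            'comment_author_url' => "http://example.com/1/",
+            'comment_approved' => 0,
+        ) );
+
+        $editor_id = $this->make_user_by_role( 'editor' );
+        $editor_post_id = $this->factory->post->create( array(
+            'post_title' => 'Editor',
+            'post_author' => $editor_id,
+            'post_status' => 'publish'
+        ) );
+
+        $this->factory->comment->create( array(
+            'comment_post_ID' => $editor_post_id,
+            'comment_author' => 'Commenter 2',
+            'comment_author_url' => 'http://example.com/2/',
+            'comment_approved' => 0,
+        ) );
+
+        $result = $this->myxmlrpcserver->wp_getComments( array( 1, 'contributor', 'contributor' ) );
+        $this->assertInstanceOf( 'IXR_Error', $result );
+        $this->assertEquals( 401, $result->code );
+    }
+
+    function test_author_capabilities() {
+        $author_id = $this->make_user_by_role( 'author' );
+        $author_post_id = $this->factory->post->create( array(
+            'post_title' => 'Author',
+            'post_author' => $author_id,
+            'post_status' => 'publish'
+        ) );
+
+        $this->factory->comment->create( array(
+            'comment_post_ID' => $author_post_id,
+            'comment_author' => 'Commenter 1',
+            'comment_author_url' => 'http://example.com/1/',
+            'comment_approved' => 1,
+        ) );
+
+        $editor_id = $this->make_user_by_role( 'editor' );
+        $editor_post_id = $this->factory->post->create( array(
+            'post_title' => 'Editor',
+            'post_author' => $editor_id,
+            'post_status' => 'publish'
+        ) );
+
+        $this->factory->comment->create( array(
+            'comment_post_ID' => $editor_post_id,
+            'comment_author' => 'Commenter 2',
+            'comment_author_url' => 'http://example.com/2/',
+            'comment_approved' => 0,
+        ) );
+
+        $result1 = $this->myxmlrpcserver->wp_getComments( array( 1, 'author', 'author', array(
+            'post_id' => $author_post_id
+        ) ) );
+        $this->assertInstanceOf( 'IXR_Error', $result1 );
+
+        $result2 = $this->myxmlrpcserver->wp_getComments( array( 1, 'author', 'author', array(
+            'status' => 'approve',
+            'post_id' => $author_post_id
+        ) ) );
+
+        $this->assertInternalType( 'array', $result2 );
+        $this->assertCount( 1, $result2 );
+
+        $result3 = $this->myxmlrpcserver->wp_getComments( array( 1, 'author', 'author', array(
+            'post_id' => $editor_post_id
+        ) ) );
+        $this->assertInstanceOf( 'IXR_Error', $result3 );
+
+        $result4 = $this->myxmlrpcserver->wp_getComments( array( 1, 'author', 'author', array(
+            'status' => 'approve',
+            'post_id' => $author_post_id
+        ) ) );
+
+        $this->assertInternalType( 'array', $result4 );
+        $this->assertCount( 1, $result4 );
+    }
+
+    function test_editor_capabilities() {
+        $author_id = $this->make_user_by_role( 'author' );
+        $author_post_id = $this->factory->post->create( array(
+            'post_title' => 'Author',
+            'post_author' => $author_id,
+            'post_status' => 'publish'
+        ) );
+
+        $this->factory->comment->create( array(
+            'comment_post_ID' => $author_post_id,
+            'comment_author' => 'Commenter 1',
+            'comment_author_url' => 'http://example.com/1/',
+            'comment_approved' => 1,
+        ));
+
+        $editor_id = $this->make_user_by_role( 'editor' );
+        $editor_post_id = $this->factory->post->create( array(
+            'post_title' => 'Editor',
+            'post_author' => $editor_id,
+            'post_status' => 'publish'
+        ) );
+
+        $this->factory->comment->create(array(
+            'comment_post_ID' => $editor_post_id,
+            'comment_author' => 'Commenter 2',
+            'comment_author_url' => 'http://example.com/2/',
+            'comment_approved' => 0,
+        ));
+
+        $result = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
+            'post_id' => $author_post_id
+        ) ) );
+        $this->assertInternalType( 'array', $result );
+        $this->assertCount( 1, $result );
+
+        $result2 = $this->myxmlrpcserver->wp_getComments( array( 1, 'editor', 'editor', array(
+            'status' => 'approve',
+            'post_id' => $author_post_id
+        ) ) );
+
+        $this->assertInternalType( 'array', $result2 );
+        $this->assertCount( 1, $result2 );
     }
 }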
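Review bot: In `test_author_capabilities`, `$result4` (new lines 156-162) repeats exactly the request already made for `$result2` — `'status' => 'approve'` on `$author_post_id` — so the case the test's structure implies, an author asking for approved comments on the editor's post, is never exercised; presumably `'post_id' => $editor_post_id` was intended, and since that post's only comment is unapproved the expectation would then be `$this->assertCount( 0, $result4 );`. `test_contributor_capabilities` likewise sends only a request with no `status`, so it covers the default-status rejection but not the behaviour this changeset adds, that a contributor may read approved comments by passing `'status' => 'approve'`. `$result1` and `$result3` assert only `IXR_Error`; asserting the `401` code as `test_contributor_capabilities` does would stop an unrelated error from satisfying the test.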