Changeset 36643


Timestamp:
02/23/16 18:13:30 (22 months ago)
Author:
westonruter
Message:

Customize: Skip exporting partials to client and handling rendering requests if user can't modify associated settings.

Introduces WP_Customize_Partial::check_capabilities() for parity with WP_Customize_Control::check_capabilities().

See #27355.
Fixes #35914.

Location:
trunk
Files:
4 edited

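--- a/trunk/src/wp-includes/customize/class-wp-customize-partial.php
+++ b/trunk/src/wp-includes/customize/class-wp-customize-partial.php
@@ -71,9 +71,9 @@
 
     /**
-     * All settings tied to the partial.
-     *
-     * @access public
-     * @since 4.5.0
-     * @var WP_Customize_Setting[]
+     * IDs for settings tied to the partial.
+     *
+     * @access public
+     * @since 4.5.0
+     * @var array
      */
     public $settings;
@@ -286,3 +286,25 @@
         return $exports;
     }
+
+    /**
+     * Checks if the user can refresh this partial.
+     *
+     * Returns false if the user cannot manipulate one of the associated settings,
+     * or if one of the associated settings does not exist.
+     *
+     * @since 4.5.0
+     * @access public
+     *
+     * @return bool False if user can't edit one one of the related settings,
+     *                    or if one of the associated settings does not exist.
+     */
+    final public function check_capabilities() {
+        foreach ( $this->settings as $setting_id ) {
+            $setting = $this->component->manager->get_setting( $setting_id );
+            if ( ! $setting || ! $setting->check_capabilities() ) {
+                return false;
+            }
+        }
+        return true;
+    }
 }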
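Review bot: The `@return` line of the new check_capabilities() docblock reads "one one of"; it should be `@return bool False if user can't edit one of the related settings,`. A partial whose `settings` list is empty returns true, because the loop body never runs, so such a partial is refreshable by anyone who can reach the preview; if that is intended, a sentence in the docblock such as `* A partial with no associated settings passes this check.` keeps a later reader from treating it as an oversight. Since the property docblock now says `$settings` holds IDs, and the loop consumes them as such, `@var array` could be narrowed to `@var string[]`.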
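--- a/trunk/src/wp-includes/customize/class-wp-customize-selective-refresh.php
+++ b/trunk/src/wp-includes/customize/class-wp-customize-selective-refresh.php
@@ -173,5 +173,7 @@
 
         foreach ( $this->partials() as $partial ) {
-            $partials[ $partial->id ] = $partial->json();
+            if ( $partial->check_capabilities() ) {
+                $partials[ $partial->id ] = $partial->json();
+            }
         }
 
@@ -357,5 +359,5 @@
             $partial = $this->get_partial( $partial_id );
 
-            if ( ! $partial ) {
+            if ( ! $partial || ! $partial->check_capabilities() ) {
                 $contents[ $partial_id ] = null;
                 continue;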
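Review bot: The check added in the first hunk only decides which partials are sent to the client; it is not the enforcement point, because a request can name any partial id directly, and the `! $partial->check_capabilities()` in the second hunk is what actually refuses it. A short comment on the export branch would stop a later edit from treating the two checks as redundant: `// Skip partials the user can't refresh; the render handler re-checks, so this only trims the export.` In the second hunk a forbidden partial and an unknown one both yield `null` for that id, which keeps the response from revealing which partials exist — presumably deliberate, and worth a one-line comment saying so. Both enclosing methods start and end outside these hunks.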
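--- a/trunk/tests/phpunit/tests/customize/partial.php
+++ b/trunk/tests/phpunit/tests/customize/partial.php
@@ -274,5 +274,5 @@
 
     /**
-     * Test WP_Customize_Partial::json() default.
+     * Test WP_Customize_Partial::json().
      *
      * @see WP_Customize_Partial::json()
@@ -302,4 +302,31 @@
 
     /**
+     * Test WP_Customize_Partial::check_capabilities().
+     *
+     * @see WP_Customize_Partial::check_capabilities()
+     */
+    function test_check_capabilities() {
+        wp_set_current_user( self::factory()->user->create( array( 'role' => 'administrator' ) ) );
+        do_action( 'customize_register', $this->wp_customize );
+        $partial = new WP_Customize_Partial( $this->selective_refresh, 'blogname', array(
+            'settings' => array( 'blogname' ),
+        ) );
+        $this->assertTrue( $partial->check_capabilities() );
+
+        $partial = new WP_Customize_Partial( $this->selective_refresh, 'blogname', array(
+            'settings' => array( 'blogname', 'non_existing' ),
+        ) );
+        $this->assertFalse( $partial->check_capabilities() );
+
+        $this->wp_customize->add_setting( 'top_secret_message', array(
+            'capability' => 'top_secret_clearance',
+        ) );
+        $partial = new WP_Customize_Partial( $this->selective_refresh, 'blogname', array(
+            'settings' => array( 'blogname', 'top_secret_clearance' ),
+        ) );
+        $this->assertFalse( $partial->check_capabilities() );
+    }
+
+    /**
      * Tear down.
      */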
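Review bot: The third case in `test_check_capabilities()` passes `'top_secret_clearance'` — the capability name — as a setting ID, so its `assertFalse` is satisfied by the missing-setting branch that the `'non_existing'` case already covers, and the capability branch of check_capabilities() is never exercised. The setting registered just above it is `'top_secret_message'`, so the line should read `'settings' => array( 'blogname', 'top_secret_message' ),`. With that fix the case relies on the administrator lacking `top_secret_clearance`, which the sibling selective-refresh test makes explicit with `remove_cap`; doing the same here would make the intent visible rather than implicit. The first hunk is a docblock-only change.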
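--- a/trunk/tests/phpunit/tests/customize/selective-refresh.php
+++ b/trunk/tests/phpunit/tests/customize/selective-refresh.php
@@ -138,6 +138,17 @@
      */
     function test_export_preview_data() {
+        $user_id = self::factory()->user->create( array( 'role' => 'administrator' ) );
+        wp_set_current_user( $user_id );
+        $user = new WP_User( $user_id );
+        do_action( 'customize_register', $this->wp_customize );
+        $user->remove_cap( 'top_secret_clearance' );
+        $this->wp_customize->add_setting( 'top_secret_message', array(
+            'capability' => 'top_secret_clearance', // The administrator role lacks this.
+        ) );
         $this->selective_refresh->add_partial( 'blogname', array(
             'selector' => '#site-title',
+        ) );
+        $this->selective_refresh->add_partial( 'top_secret_message', array(
+            'settings' => array( 'top_secret_message' ),
         ) );
         ob_start();
@@ -150,4 +161,5 @@
         $this->assertInternalType( 'array', $exported_data['partials'] );
         $this->assertArrayHasKey( 'blogname', $exported_data['partials'] );
+        $this->assertArrayNotHasKey( 'top_secret_message', $exported_data['partials'] );
         $this->assertEquals( '#site-title', $exported_data['partials']['blogname']['selector'] );
         $this->assertArrayHasKey( 'renderQueryVar', $exported_data );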
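Review bot: `test_export_preview_data()` only asserts the negative case: if the export dropped every partial that declares `settings`, `assertArrayNotHasKey( 'top_secret_message', ... )` would still pass, so the test does not show that the omission is keyed on the capability. A second pass that grants the capability with `$user->add_cap( 'top_secret_clearance' );`, re-captures the export, and asserts `$this->assertArrayHasKey( 'top_secret_message', $exported_data['partials'] );` would pin that. The `remove_cap` call looks redundant next to the comment that administrators already lack the capability; if it guards against a plugin granting it, a comment saying so would help. The method body continues between and past both hunks.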