
Changeset 36643


Timestamp:
02/23/2016 06:13:30 PM (9 years ago)
Author:
westonruter
Message:

Customize: Skip exporting partials to client and handling rendering requests if user can't modify associated settings.

Introduces WP_Customize_Partial::check_capabilities() for parity with WP_Customize_Control::check_capabilities().

See #27355.
Fixes #35914.

Location:
trunk
Files:
4 edited

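--- a/trunk/src/wp-includes/customize/class-wp-customize-partial.php
+++ b/trunk/src/wp-includes/customize/class-wp-customize-partial.php
@@ -71,9 +71,9 @@
 
     /**
-     * All settings tied to the partial.
-     *
-     * @access public
-     * @since 4.5.0
-     * @var WP_Customize_Setting[]
+     * IDs for settings tied to the partial.
+     *
+     * @access public
+     * @since 4.5.0
+     * @var array
      */
     public $settings;
@@ -286,3 +286,25 @@
         return $exports;
     }
+
+    /**
+     * Checks if the user can refresh this partial.
+     *
+     * Returns false if the user cannot manipulate one of the associated settings,
+     * or if one of the associated settings does not exist.
+     *
+     * @since 4.5.0
+     * @access public
+     *
+     * @return bool False if user can't edit one one of the related settings,
+     *                    or if one of the associated settings does not exist.
+     */
+    final public function check_capabilities() {
+        foreach ( $this->settings as $setting_id ) {
+            $setting = $this->component->manager->get_setting( $setting_id );
+            if ( ! $setting || ! $setting->check_capabilities() ) {
+                return false;
+            }
+        }
+        return true;
+    }
 }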
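Review bot: An empty `$this->settings` makes check_capabilities() return true, because the foreach never runs and the method falls through to `return true;`, so a partial registered with no associated setting IDs is exported and rendered for any user who can reach the preview. If the constructor does not guarantee at least one setting ID (it is not visible here), the docblock should state this vacuous-truth case explicitly, or the method should return false when the list is empty so the check fails closed. The @return description also reads `False if user can't edit one one of the related settings` — drop the duplicated "one". The enclosing class continues outside the hunk.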
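--- a/trunk/src/wp-includes/customize/class-wp-customize-selective-refresh.php
+++ b/trunk/src/wp-includes/customize/class-wp-customize-selective-refresh.php
@@ -173,5 +173,7 @@
 
         foreach ( $this->partials() as $partial ) {
-            $partials[ $partial->id ] = $partial->json();
+            if ( $partial->check_capabilities() ) {
+                $partials[ $partial->id ] = $partial->json();
+            }
         }
 
@@ -357,5 +359,5 @@
             $partial = $this->get_partial( $partial_id );
 
-            if ( ! $partial ) {
+            if ( ! $partial || ! $partial->check_capabilities() ) {
                 $contents[ $partial_id ] = null;
                 continue;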
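Review bot: In the second hunk a partial the user may not modify produces the same `null` entry as an unknown partial ID, so the requester cannot tell a denied partial from a nonexistent one; that appears intentional, since it avoids confirming which partials exist, but nothing in the code says so and a later change could easily split the two cases. A comment on the new condition would preserve the intent, e.g. `// Unauthorized partials are reported like missing ones so the response does not reveal their existence.` Both hunks sit inside methods whose bodies start and end outside the view.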
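--- a/trunk/tests/phpunit/tests/customize/partial.php
+++ b/trunk/tests/phpunit/tests/customize/partial.php
@@ -274,5 +274,5 @@
 
     /**
-     * Test WP_Customize_Partial::json() default.
+     * Test WP_Customize_Partial::json().
      *
      * @see WP_Customize_Partial::json()
@@ -302,4 +302,31 @@
 
     /**
+     * Test WP_Customize_Partial::check_capabilities().
+     *
+     * @see WP_Customize_Partial::check_capabilities()
+     */
+    function test_check_capabilities() {
+        wp_set_current_user( self::factory()->user->create( array( 'role' => 'administrator' ) ) );
+        do_action( 'customize_register', $this->wp_customize );
+        $partial = new WP_Customize_Partial( $this->selective_refresh, 'blogname', array(
+            'settings' => array( 'blogname' ),
+        ) );
+        $this->assertTrue( $partial->check_capabilities() );
+
+        $partial = new WP_Customize_Partial( $this->selective_refresh, 'blogname', array(
+            'settings' => array( 'blogname', 'non_existing' ),
+        ) );
+        $this->assertFalse( $partial->check_capabilities() );
+
+        $this->wp_customize->add_setting( 'top_secret_message', array(
+            'capability' => 'top_secret_clearance',
+        ) );
+        $partial = new WP_Customize_Partial( $this->selective_refresh, 'blogname', array(
+            'settings' => array( 'blogname', 'top_secret_clearance' ),
+        ) );
+        $this->assertFalse( $partial->check_capabilities() );
+    }
+
+    /**
      * Tear down.
      */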
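Review bot: The third case in test_check_capabilities() does not exercise the capability path it is meant to cover: the partial's settings list names `top_secret_clearance`, which is the capability, while the setting registered just above it is `top_secret_message`, so get_setting() finds nothing and the method returns false for the same non-existent-setting reason the second case already asserts. Change the list to `'settings' => array( 'blogname', 'top_secret_message' ),` so the assertion depends on the administrator lacking `top_secret_clearance`. Whether the test administrator actually lacks that capability is not visible here; the sibling test in selective-refresh.php removes it explicitly, and doing the same in this test would make the case deterministic.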
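--- a/trunk/tests/phpunit/tests/customize/selective-refresh.php
+++ b/trunk/tests/phpunit/tests/customize/selective-refresh.php
@@ -138,6 +138,17 @@
      */
     function test_export_preview_data() {
+        $user_id = self::factory()->user->create( array( 'role' => 'administrator' ) );
+        wp_set_current_user( $user_id );
+        $user = new WP_User( $user_id );
+        do_action( 'customize_register', $this->wp_customize );
+        $user->remove_cap( 'top_secret_clearance' );
+        $this->wp_customize->add_setting( 'top_secret_message', array(
+            'capability' => 'top_secret_clearance', // The administrator role lacks this.
+        ) );
         $this->selective_refresh->add_partial( 'blogname', array(
             'selector' => '#site-title',
+        ) );
+        $this->selective_refresh->add_partial( 'top_secret_message', array(
+            'settings' => array( 'top_secret_message' ),
         ) );
         ob_start();
@@ -150,4 +161,5 @@
         $this->assertInternalType( 'array', $exported_data['partials'] );
         $this->assertArrayHasKey( 'blogname', $exported_data['partials'] );
+        $this->assertArrayNotHasKey( 'top_secret_message', $exported_data['partials'] );
         $this->assertEquals( '#site-title', $exported_data['partials']['blogname']['selector'] );
         $this->assertArrayHasKey( 'renderQueryVar', $exported_data );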
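Review bot: test_export_preview_data() only asserts the negative outcome, so `assertArrayNotHasKey( 'top_secret_message', $exported_data['partials'] )` would also pass if the partial were dropped for a reason unrelated to capabilities (a registration mistake, for instance). A positive control — grant the capability with `$user->add_cap( 'top_secret_clearance' );`, export again and assert the key is present — would pin the exclusion to check_capabilities(). The capability guard added to the render request path in class-wp-customize-selective-refresh.php also has no test in this changeset; a case asserting that a denied partial renders as `null` would cover it. The test method continues outside the first hunk.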