Changeset 39295


Timestamp:
11/18/2016 07:06:26 PM (20 months ago)
Author:
joehoyle
Message:

REST API: Check read permissions on posts when viewing comments.

With a few tests for getting / creating comments to reflect core behaviour.

Props timmyc.

Location:
trunk
Files:
2 edited

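--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -1455,4 +1455,9 @@
     protected function check_read_post_permission( $post ) {
         $posts_controller = new WP_REST_Posts_Controller( $post->post_type );
+        $post_type = get_post_type_object( $post->post_type );
+
+        if ( post_password_required( $post ) ) {
+            return current_user_can( $post_type->cap->edit_post, $post->ID );
+        }
 
         return $posts_controller->check_read_permission( $post );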
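Review bot: The new line 1460 dereferences `$post_type->cap->edit_post` without checking that `get_post_type_object()` returned an object, so a comment attached to a post whose type is no longer registered (a deactivated plugin's custom type, for instance) triggers a notice and hands a null capability to `current_user_can()` whenever that post is password-protected. Failing closed there keeps the intent of the change: `return $post_type && current_user_can( $post_type->cap->edit_post, $post->ID );`. A short comment on the branch would also help the next reader, since `post_password_required()` presumably returns false once the visitor has supplied the password via the front-end cookie, meaning such a visitor falls through to the ordinary read check rather than this edit-capability gate — confirm against that helper before wording it. The closing brace of check_read_post_permission lies outside the hunk.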
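--- a/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -18,4 +18,5 @@
 
     protected static $post_id;
+    protected static $password_id;
     protected static $private_id;
     protected static $draft_id;
@@ -53,4 +54,7 @@
             'post_status' => 'private',
         ) );
+        self::$password_id = $factory->post->create( array(
+            'post_password'    => 'toomanysecrets',
+        ) );
         self::$draft_id = $factory->post->create( array(
             'post_status' => 'draft',
@@ -79,4 +83,5 @@
         wp_delete_post( self::$post_id, true );
         wp_delete_post( self::$private_id, true );
+        wp_delete_post( self::$password_id, true );
         wp_delete_post( self::$draft_id, true );
         wp_delete_post( self::$trash_id, true );
@@ -163,4 +168,40 @@
     }
 
+    public function test_get_password_items_without_edit_post_permission() {
+        wp_set_current_user( 0 );
+
+        $args = array(
+            'comment_approved' => 1,
+            'comment_post_ID'  => self::$password_id,
+        );
+        $password_comment = $this->factory->comment->create( $args );
+
+        $request = new WP_REST_Request( 'GET', '/wp/v2/comments' );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+
+        $collection_data = $response->get_data();
+        $this->assertFalse( in_array( $password_comment, wp_list_pluck( $collection_data, 'id' ), true ) );
+    }
+
+    public function test_get_password_items_with_edit_post_permission() {
+        wp_set_current_user( self::$admin_id );
+
+        $args = array(
+            'comment_approved' => 1,
+            'comment_post_ID'  => self::$password_id,
+        );
+        $password_comment = $this->factory->comment->create( $args );
+
+        $request = new WP_REST_Request( 'GET', '/wp/v2/comments' );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+
+        $collection_data = $response->get_data();
+        $this->assertTrue( in_array( $password_comment, wp_list_pluck( $collection_data, 'id' ), true ) );
+    }
+
     public function test_get_items_without_private_post_permission() {
         wp_set_current_user( 0 );
@@ -801,4 +842,16 @@
     }
 
+    public function test_get_comment_with_password_without_edit_post_permission() {
+        wp_set_current_user( 0 );
+        $args = array(
+            'comment_approved' => 1,
+            'comment_post_ID'  => self::$password_id,
+        );
+        $password_comment = $this->factory->comment->create( $args );
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/comments/%s', $password_comment ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_cannot_read', $response, 401 );
+    }
+
     public function test_create_item() {
         wp_set_current_user( 0 );
@@ -1370,4 +1423,23 @@
         $response = $this->server->dispatch( $request );
 
+        $this->assertErrorResponse( 'rest_cannot_read_post', $response, 403 );
+    }
+
+    public function test_create_comment_password_post_invalid_permission() {
+        wp_set_current_user( self::$subscriber_id );
+
+        $params = array(
+            'post'         => self::$password_id,
+            'author_name'  => 'Homer Jay Simpson',
+            'author_email' => 'chunkylover53@aol.com',
+            'author_url'   => 'http://compuglobalhypermeganet.com',
+            'content'      => 'I\’d be a vegetarian if bacon grew on trees.',
+            'author'       => self::$subscriber_id,
+        );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
         $this->assertErrorResponse( 'rest_cannot_read_post', $response, 403 );
     }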
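Review bot: The single-comment GET route is exercised only for an anonymous visitor (`wp_set_current_user( 0 )` in test_get_comment_with_password_without_edit_post_permission, expecting 401), so the authenticated-but-unprivileged path through the new `edit_post` gate — the case most likely to regress silently — has no coverage on reads, even though the create path checks it with `self::$subscriber_id`. A sibling test with a subscriber should be denied on the same route; by analogy with the create test the status is presumably 403, but confirm against the permission callback. The positive case on the single-item route (admin fetching `/wp/v2/comments/{id}` and receiving 200 with the matching `id`) is likewise only covered on the collection route and deserves its own test.
```php
    public function test_get_comment_with_password_with_subscriber_no_edit_post_permission() {
        wp_set_current_user( self::$subscriber_id );
        $args = array(
            'comment_approved' => 1,
            'comment_post_ID'  => self::$password_id,
        );
        $password_comment = $this->factory->comment->create( $args );
        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/comments/%s', $password_comment ) );
        $response = $this->server->dispatch( $request );
        $this->assertErrorResponse( 'rest_cannot_read', $response, 403 );
    }
```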