
Changeset 39295


Timestamp:
11/18/16 19:06:26 (4 months ago)
Author:
joehoyle
Message:

REST API: Check read permissions on posts when viewing comments.

With a few tests for getting / creating comments to reflect core behaviour.

Props timmyc.

Location:
trunk
Files:
2 edited

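--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -1455,4 +1455,8 @@
     protected function check_read_post_permission( $post ) {
         $posts_controller = new WP_REST_Posts_Controller( $post->post_type );
+        $post_type = get_post_type_object( $post->post_type );
+
+        if ( post_password_required( $post ) ) {
+            return current_user_can( $post_type->cap->edit_post, $post->ID );
+        }
 
         return $posts_controller->check_read_permission( $post );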
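Review bot: `get_post_type_object()` on line 1457 returns null when the comment's post belongs to a post type that is no longer registered, and the new branch on line 1460 then dereferences `$post_type->cap->edit_post` on that null before calling `current_user_can()`, which presumably degrades to a notice plus a capability check against an empty name rather than a clean denial. Failing closed before the password branch keeps the method's contract explicit: `if ( ! $post_type ) { return false; }` immediately after line 1457. The existing `$posts_controller->check_read_permission()` path is untouched by this, so unregistered types behave as before for non-password posts. The body of check_read_post_permission continues past the end of this section.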
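--- a/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -18,4 +18,5 @@
 
     protected static $post_id;
+    protected static $password_id;
     protected static $private_id;
     protected static $draft_id;
@@ -53,4 +54,7 @@
             'post_status' => 'private',
         ) );
+        self::$password_id = $factory->post->create( array(
+            'post_password'    => 'toomanysecrets',
+        ) );
         self::$draft_id = $factory->post->create( array(
             'post_status' => 'draft',
@@ -79,4 +83,5 @@
         wp_delete_post( self::$post_id, true );
         wp_delete_post( self::$private_id, true );
+        wp_delete_post( self::$password_id, true );
         wp_delete_post( self::$draft_id, true );
         wp_delete_post( self::$trash_id, true );
@@ -163,4 +168,40 @@
     }
 
+    public function test_get_password_items_without_edit_post_permission() {
+        wp_set_current_user( 0 );
+
+        $args = array(
+            'comment_approved' => 1,
+            'comment_post_ID'  => self::$password_id,
+        );
+        $password_comment = $this->factory->comment->create( $args );
+
+        $request = new WP_REST_Request( 'GET', '/wp/v2/comments' );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+
+        $collection_data = $response->get_data();
+        $this->assertFalse( in_array( $password_comment, wp_list_pluck( $collection_data, 'id' ), true ) );
+    }
+
+    public function test_get_password_items_with_edit_post_permission() {
+        wp_set_current_user( self::$admin_id );
+
+        $args = array(
+            'comment_approved' => 1,
+            'comment_post_ID'  => self::$password_id,
+        );
+        $password_comment = $this->factory->comment->create( $args );
+
+        $request = new WP_REST_Request( 'GET', '/wp/v2/comments' );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+
+        $collection_data = $response->get_data();
+        $this->assertTrue( in_array( $password_comment, wp_list_pluck( $collection_data, 'id' ), true ) );
+    }
+
     public function test_get_items_without_private_post_permission() {
         wp_set_current_user( 0 );
@@ -801,4 +842,16 @@
     }
 
+    public function test_get_comment_with_password_without_edit_post_permission() {
+        wp_set_current_user( 0 );
+        $args = array(
+            'comment_approved' => 1,
+            'comment_post_ID'  => self::$password_id,
+        );
+        $password_comment = $this->factory->comment->create( $args );
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/comments/%s', $password_comment ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_cannot_read', $response, 401 );
+    }
+
     public function test_create_item() {
         wp_set_current_user( 0 );
@@ -1370,4 +1423,23 @@
         $response = $this->server->dispatch( $request );
 
+        $this->assertErrorResponse( 'rest_cannot_read_post', $response, 403 );
+    }
+
+    public function test_create_comment_password_post_invalid_permission() {
+        wp_set_current_user( self::$subscriber_id );
+
+        $params = array(
+            'post'         => self::$password_id,
+            'author_name'  => 'Homer Jay Simpson',
+            'author_email' => 'chunkylover53@aol.com',
+            'author_url'   => 'http://compuglobalhypermeganet.com',
+            'content'      => 'I\’d be a vegetarian if bacon grew on trees.',
+            'author'       => self::$subscriber_id,
+        );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
         $this->assertErrorResponse( 'rest_cannot_read_post', $response, 403 );
     }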
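Review bot: test_get_password_items_without_edit_post_permission (lines 170–186) only asserts that the password-protected comment is absent, so it would also pass if the new permission check hid every comment in the collection; add a comment on self::$post_id in the same test and assert its id is present, e.g. `$this->assertTrue( in_array( $public_comment, wp_list_pluck( $collection_data, 'id' ), true ) );`. None of the new tests cover the case the controller branch actually distinguishes, a visitor without edit_post but with the post password already accepted — presumably via the cookie `post_password_required()` consults — so that path stays untested for both the collection and the single-item GET. The same applies to test_create_comment_password_post_invalid_permission at lines 1428–1445, which has no positive counterpart creating a comment on self::$password_id as a user who can edit the post. The content string on line 1436 shows a backslash followed by a curly apostrophe, `'I\’d …'`; if that is what was committed rather than a rendering artifact, the backslash is kept literally in the comment text.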