
Changeset 39426


Timestamp:
12/02/2016 06:53:59 AM (5 years ago)
Author:
pento
Message:

REST API: Require the reassign parameter when deleting users.

When deleting a user through the WordPress admin, a specific decision is presented - whether to assign all of the user's posts to another user, or to delete all of the posts.

This change requires reassign as a parameter in the corresponding REST API endpoint, so that content isn't accidentally lost.

Props jeremyfelt.
Fixes #39000.

Location:
trunk
Files:
2 edited

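--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -93,4 +93,6 @@
                         'type'        => 'integer',
                         'description' => __( 'Reassign the deleted user\'s posts and links to this user ID.' ),
+                        'required'    => true,
+                        'sanitize_callback' => array( $this, 'check_reassign' ),
                     ),
                 ),
@@ -126,4 +128,6 @@
                         'type'        => 'integer',
                         'description' => __( 'Reassign the deleted user\'s posts and links to this user ID.' ),
+                        'required'    => true,
+                        'sanitize_callback' => array( $this, 'check_reassign' ),
                     ),
                 ),
@@ -131,4 +135,29 @@
             'schema' => array( $this, 'get_public_item_schema' ),
         ));
+    }
+
+    /**
+     * Checks for a valid value for the reassign parameter when deleting users.
+     *
+     * The value can be an integer, 'false', false, or ''.
+     *
+     * @since 4.7.0
+     *
+     * @param int|bool        $value   The value passed to the reassign parameter.
+     * @param WP_REST_Request $request Full details about the request.
+     * @param string          $param   The parameter that is being sanitized.
+     *
+     * @return int|bool|WP_Error
+     */
+    public function check_reassign( $value, $request, $param ) {
+        if ( is_numeric( $value ) ) {
+            return $value;
+        }
+
+        if ( empty( $value ) || false === $value || 'false' === $value ) {
+            return false;
+        }
+
+        return new WP_Error( 'rest_invalid_param', __( 'Invalid user parameter(s).' ), array( 'status' => 400 ) );
     }
 
@@ -674,5 +703,5 @@
     public function delete_item( $request ) {
         $id       = (int) $request['id'];
-        $reassign = isset( $request['reassign'] ) ? absint( $request['reassign'] ) : null;
+        $reassign = false === $request['reassign'] ? null : absint( $request['reassign'] );
         $force    = isset( $request['force'] ) ? (bool) $request['force'] : false;
 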
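Review bot: `check_reassign` at line 153 returns any value that passes `is_numeric()`, which is wider than the docblock's "integer, 'false', false, or ''": negative, fractional and exponent-form strings such as `'-3'`, `'1.5'` or `'1e2'` are passed through and then coerced by `absint()` in `delete_item` at line 705, so `'-3'` silently reassigns the deleted user's content to user 3 instead of being rejected with `rest_invalid_param`. Tightening the first guard to a non-negative integer check keeps the documented contract: `if ( is_numeric( $value ) && (int) $value >= 0 && (string) (int) $value === (string) $value ) {` followed by `return (int) $value;`. `0` still passes that check, matching the `reassign=0` test added in the test file; whether an ID that names no user should reach `absint()` at all depends on the user-existence check later in `delete_item`, whose body continues outside the hunk. The `@param` line for `$value` should also list `string`, since `'false'` and `''` are accepted inputs.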
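--- a/trunk/tests/phpunit/tests/rest-api/rest-users-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-users-controller.php
@@ -1640,5 +1640,6 @@
         $userdata = get_userdata( $user_id ); // cache for later
         $request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
-        $request['force'] = true;
+        $request->set_param( 'force', true );
+        $request->set_param( 'reassign', false );
         $response = $this->server->dispatch( $request );
 
@@ -1658,4 +1659,5 @@
 
         $request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
+        $request->set_param( 'reassign', false );
         $response = $this->server->dispatch( $request );
         $this->assertErrorResponse( 'rest_trash_not_supported', $response, 501 );
@@ -1679,4 +1681,5 @@
         $request = new WP_REST_Request( 'DELETE', '/wp/v2/users/me' );
         $request['force'] = true;
+        $request->set_param( 'reassign', false );
         $response = $this->server->dispatch( $request );
 
@@ -1695,4 +1698,5 @@
 
         $request = new WP_REST_Request( 'DELETE', '/wp/v2/users/me' );
+        $request->set_param( 'reassign', false );
         $response = $this->server->dispatch( $request );
         $this->assertErrorResponse( 'rest_trash_not_supported', $response, 501 );
@@ -1715,4 +1719,5 @@
         $request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
         $request['force'] = true;
+        $request->set_param( 'reassign', false );
         $response = $this->server->dispatch( $request );
 
@@ -1721,4 +1726,5 @@
         $request = new WP_REST_Request( 'DELETE', '/wp/v2/users/me' );
         $request['force'] = true;
+        $request->set_param( 'reassign', false );
         $response = $this->server->dispatch( $request );
 
@@ -1732,4 +1738,5 @@
         $request = new WP_REST_Request( 'DELETE', '/wp/v2/users/100' );
         $request['force'] = true;
+        $request->set_param( 'reassign', false );
         $response = $this->server->dispatch( $request );
 
@@ -1777,4 +1784,94 @@
 
         $this->assertErrorResponse( 'rest_user_invalid_reassign', $response, 400 );
+    }
+
+    public function test_delete_user_invalid_reassign_passed_as_string() {
+        $user_id = $this->factory->user->create();
+
+        $this->allow_user_to_manage_multisite();
+        wp_set_current_user( self::$user );
+
+        $request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
+        $request['force'] = true;
+        $request->set_param( 'reassign', 'null' );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+    }
+
+    public function test_delete_user_reassign_passed_as_boolean_false_trashes_post() {
+        $user_id = $this->factory->user->create();
+
+        $this->allow_user_to_manage_multisite();
+        wp_set_current_user( self::$user );
+
+        $test_post = $this->factory->post->create(array(
+            'post_author' => $user_id,
+        ));
+
+        $request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
+        $request['force'] = true;
+        $request->set_param( 'reassign', false );
+        $this->server->dispatch( $request );
+
+        $test_post = get_post( $test_post );
+        $this->assertEquals( 'trash', $test_post->post_status );
+    }
+
+    public function test_delete_user_reassign_passed_as_string_false_trashes_post() {
+        $user_id = $this->factory->user->create();
+
+        $this->allow_user_to_manage_multisite();
+        wp_set_current_user( self::$user );
+
+        $test_post = $this->factory->post->create(array(
+            'post_author' => $user_id,
+        ));
+
+        $request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
+        $request['force'] = true;
+        $request->set_param( 'reassign', 'false' );
+        $this->server->dispatch( $request );
+
+        $test_post = get_post( $test_post );
+        $this->assertEquals( 'trash', $test_post->post_status );
+    }
+
+    public function test_delete_user_reassign_passed_as_empty_string_trashes_post() {
+        $user_id = $this->factory->user->create();
+
+        $this->allow_user_to_manage_multisite();
+        wp_set_current_user( self::$user );
+
+        $test_post = $this->factory->post->create(array(
+            'post_author' => $user_id,
+        ));
+
+        $request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
+        $request['force'] = true;
+        $request->set_param( 'reassign', '' );
+        $this->server->dispatch( $request );
+
+        $test_post = get_post( $test_post );
+        $this->assertEquals( 'trash', $test_post->post_status );
+    }
+
+    public function test_delete_user_reassign_passed_as_0_reassigns_author() {
+        $user_id = $this->factory->user->create();
+
+        $this->allow_user_to_manage_multisite();
+        wp_set_current_user( self::$user );
+
+        $test_post = $this->factory->post->create(array(
+            'post_author' => $user_id,
+        ));
+
+        $request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
+        $request['force'] = true;
+        $request->set_param( 'reassign', 0 );
+        $this->server->dispatch( $request );
+
+        $test_post = get_post( $test_post );
+        $this->assertEquals( 0, $test_post->post_author );
     }
 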
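Review bot: The new tests at lines 1795, 1813, 1831, 1850 and 1870 still set the flag with `$request['force'] = true;`, while the first hunk replaces that exact idiom at 1642 with `$request->set_param( 'force', true );` in the existing test; the new methods should use the same form, `$request->set_param( 'force', true );`, so the file does not mix the two ways of populating a request. Coverage also stops at `'null'`, `'false'`, `''` and `0`: nothing pins how a negative or fractional numeric `reassign` such as `'-1'` or `'1.5'` is handled, which is where `absint()` in the controller changes the meaning of the input, so one test asserting the intended response for such a value would guard that boundary. The test method containing the first hunk starts before line 1640, outside the hunk.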