Changeset 39913


Timestamp:
01/16/17 16:21:00 (11 months ago)
Author:
jnylen0
Message:

REST API: Improve test coverage of single user endpoint for public data.

Add test coverage for requests of a single user resource for authors of post types registered as:

  • public = true, show_in_rest = true: success without auth.
  • public = true, show_in_rest = false: fail without auth.
  • public = false, show_in_rest = true: success without auth.
  • public = false, show_in_rest = false: fail without auth.

See #38878.
Fixes #39546.

Location:
trunk/tests/phpunit
Files:
5 edited

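--- a/trunk/tests/phpunit/includes/testcase.php
+++ b/trunk/tests/phpunit/includes/testcase.php
@@ -185,6 +185,8 @@
      */
     protected function reset_post_types() {
-        foreach ( get_post_types() as $pt ) {
-            _unregister_post_type( $pt );
+        foreach ( get_post_types( array(), 'objects' ) as $pt ) {
+            if ( empty( $pt->tests_no_auto_unregister ) ) {
+                _unregister_post_type( $pt->name );
+            }
         }
         create_initial_post_types();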
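Review bot: The new `tests_no_auto_unregister` opt-out in `reset_post_types()` is undocumented, and a post type registered with it now survives every per-test reset until the registering class removes it itself. If a class forgets that cleanup, the post type presumably stays registered for later test classes, which could change what unauthenticated REST requests return there. I would add a comment above the `if`, e.g. `// Post types flagged 'tests_no_auto_unregister' are class-level fixtures; the class that registers them must unregister them in its own class teardown.` The docblock starts before the hunk and the method body continues past it, so the existing documentation could not be checked here.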
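--- a/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -77,5 +77,7 @@
 
     public static function wpTearDownAfterClass() {
+        self::delete_user( self::$superadmin_id );
         self::delete_user( self::$admin_id );
+        self::delete_user( self::$editor_id );
         self::delete_user( self::$subscriber_id );
         self::delete_user( self::$author_id );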
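Review bot: `wpTearDownAfterClass()` still deletes each fixture user by hand, which is how `self::$superadmin_id` and `self::$editor_id` came to be left behind before this change. The same hand-written list is patched in rest-posts-controller.php and rest-tags-controller.php. Keeping the created ids in one static array and deleting them in a loop, as the users controller now does with `foreach ( self::$authors as $author ) { self::delete_user( $author ); }`, would stop a newly added fixture user from being forgotten again. Leaked users presumably alter the user counts that other REST test classes assert on. The method body continues past the end of the hunk.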
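--- a/trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php
@@ -58,4 +58,5 @@
         wp_delete_post( self::$post_id, true );
 
+        self::delete_user( self::$superadmin_id );
         self::delete_user( self::$editor_id );
         self::delete_user( self::$author_id );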
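--- a/trunk/tests/phpunit/tests/rest-api/rest-tags-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-tags-controller.php
@@ -36,5 +36,7 @@
 
     public static function wpTearDownAfterClass() {
+        self::delete_user( self::$superadmin );
         self::delete_user( self::$administrator );
+        self::delete_user( self::$editor );
         self::delete_user( self::$subscriber );
     }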
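--- a/trunk/tests/phpunit/tests/rest-api/rest-users-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-users-controller.php
@@ -14,7 +14,7 @@
     protected static $user;
     protected static $editor;
-    protected static $editor2;
-    protected static $secret_editor;
-    protected static $secret_editor2;
+    protected static $draft_editor;
+    protected static $authors = array();
+    protected static $posts = array();
     protected static $site;
 
@@ -31,15 +31,36 @@
             'user_email' => 'editor@example.com',
         ) );
-        self::$editor2 = $factory->user->create( array(
+        self::$draft_editor = $factory->user->create( array(
             'role'       => 'editor',
-            'user_email' => 'editor2@example.com',
+            'user_email' => 'draft-editor@example.com',
         ) );
-        self::$secret_editor = $factory->user->create( array(
-            'role'       => 'editor',
-            'user_email' => 'secret_editor@example.com',
+
+        foreach ( array( true, false ) as $show_in_rest ) {
+            foreach ( array( true, false ) as $public ) {
+                $post_type_name = 'r_' . json_encode( $show_in_rest ) . '_p_' . json_encode( $public );
+                register_post_type( $post_type_name, array(
+                    'public'                   => $public,
+                    'show_in_rest'             => $show_in_rest,
+                    'tests_no_auto_unregister' => true,
+                ) );
+                self::$authors[ $post_type_name ] = $factory->user->create( array(
+                    'role'       => 'editor',
+                    'user_email' => 'author_' . $post_type_name . '@example.com',
+                ) );
+                self::$posts[ $post_type_name ] = $factory->post->create( array(
+                    'post_type'   => $post_type_name,
+                    'post_author' => self::$authors[ $post_type_name ],
+                ) );
+            }
+        }
+
+        self::$posts['post'] = $factory->post->create( array(
+            'post_type'   => 'post',
+            'post_author' => self::$editor,
         ) );
-        self::$secret_editor2 = $factory->user->create( array(
-            'role'       => 'editor',
-            'user_email' => 'secret_editor2@example.com',
+        self::$posts['r_true_p_true_DRAFT'] = $factory->post->create( array(
+            'post_type'   => 'r_true_p_true',
+            'post_author' => self::$draft_editor,
+            'post_status' => 'draft',
         ) );
 
@@ -53,7 +74,16 @@
         self::delete_user( self::$user );
         self::delete_user( self::$editor );
-        self::delete_user( self::$editor2 );
-        self::delete_user( self::$secret_editor );
-        self::delete_user( self::$secret_editor2 );
+        self::delete_user( self::$draft_editor );
+
+        foreach ( self::$posts as $post ) {
+            wp_delete_post( $post, true );
+        }
+        foreach ( self::$authors as $author ) {
+            self::delete_user( $author );
+        }
+        _unregister_post_type( 'r_true_p_true' );
+        _unregister_post_type( 'r_true_p_false' );
+        _unregister_post_type( 'r_false_p_true' );
+        _unregister_post_type( 'r_false_p_false' );
 
         if ( is_multisite() ) {
@@ -67,10 +97,4 @@
     public function setUp() {
         parent::setUp();
-
-        register_post_type( 'rest_public', array( 'public' => true, 'show_in_rest' => true ) );
-        register_post_type( 'secret_public', array( 'public' => true, 'show_in_rest' => false ) );
-        register_post_type( 'secret_hidden', array( 'public' => false, 'show_in_rest' => false ) );
-        register_post_type( 'rest_hidden', array( 'public' => false, 'show_in_rest' => true ) );
-
         $this->endpoint = new WP_REST_Users_Controller();
     }
@@ -170,34 +194,12 @@
 
     public function test_get_items_unauthenticated_includes_authors_of_post_types_shown_in_rest() {
-        $created_posts = array();
-        $created_posts[] = $this->factory->post->create( array(
-            'post_author' => self::$user,
-            'post_status' => 'publish',
-        ) );
-        // Expose authors if show_in_rest is true, even if the post_type is not public.
-        $created_posts[] = $this->factory->post->create( array(
-            'post_type' => 'rest_hidden',
-            'post_author' => self::$editor,
-            'post_status' => 'publish',
-        ) );
-        $created_posts[] = $this->factory->post->create( array(
-            'post_type' => 'rest_public',
-            'post_author' => self::$editor2,
-            'post_status' => 'publish',
-        ) );
-        $created_posts[] = $this->factory->post->create( array(
-            'post_type' => 'rest_public',
-            'post_author' => self::$secret_editor,
-            'post_status' => 'draft',
-        ) );
-
         $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
         $response = $this->server->dispatch( $request );
         $users = $response->get_data();
 
-        $public_post_types = array_values( get_post_types( array( 'show_in_rest' => true ), 'names' ) );
+        $rest_post_types = array_values( get_post_types( array( 'show_in_rest' => true ), 'names' ) );
 
         foreach ( $users as $user ) {
-            $this->assertTrue( count_user_posts( $user['id'], $public_post_types ) > 0 );
+            $this->assertTrue( count_user_posts( $user['id'], $rest_post_types ) > 0 );
 
             // Ensure we don't expose non-public data.
@@ -214,53 +216,43 @@
         }
 
-        $this->assertTrue( in_array( self::$user, wp_list_pluck( $users, 'id' ), true ) );
-        $this->assertTrue( in_array( self::$editor, wp_list_pluck( $users, 'id' ), true ) );
-        $this->assertTrue( in_array( self::$editor2, wp_list_pluck( $users, 'id' ), true ) );
-
-        // Do not include authors of unpublished posts.
-        $this->assertFalse( in_array( self::$secret_editor, wp_list_pluck( $users, 'id' ), true ) );
-
-        foreach ( $created_posts as $post_id ) {
-            wp_delete_post( $post_id, true );
-        }
+        $user_ids = wp_list_pluck( $users, 'id' );
+
+        $this->assertTrue( in_array( self::$editor                   , $user_ids, true ) );
+        $this->assertTrue( in_array( self::$authors['r_true_p_true'] , $user_ids, true ) );
+        $this->assertTrue( in_array( self::$authors['r_true_p_false'], $user_ids, true ) );
+        $this->assertCount( 3, $user_ids );
     }
 
     public function test_get_items_unauthenticated_does_not_include_authors_of_post_types_not_shown_in_rest() {
-        $created_posts = array();
-        $created_posts[] = $this->factory->post->create( array(
-            'post_type' => 'secret_hidden',
-            'post_author' => self::$secret_editor,
-            'post_status' => 'publish',
-        ) );
-        $created_posts[] = $this->factory->post->create( array(
-            'post_type' => 'secret_public',
-            'post_author' => self::$secret_editor2,
-            'post_status' => 'publish',
-        ) );
-
-        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
-        $response = $this->server->dispatch( $request );
-        $data = $response->get_data();
-
-        $this->assertFalse( in_array( self::$secret_editor, wp_list_pluck( $data, 'id' ), true ) );
-        $this->assertFalse( in_array( self::$secret_editor2, wp_list_pluck( $data, 'id' ), true ) );
-
-        foreach ( $created_posts as $post_id ) {
-            wp_delete_post( $post_id, true );
-        }
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $response = $this->server->dispatch( $request );
+        $users = $response->get_data();
+        $user_ids = wp_list_pluck( $users, 'id' );
+
+        $this->assertFalse( in_array( self::$authors['r_false_p_true'] , $user_ids, true ) );
+        $this->assertFalse( in_array( self::$authors['r_false_p_false'], $user_ids, true ) );
+    }
+
+    public function test_get_items_unauthenticated_does_not_include_users_without_published_posts() {
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $response = $this->server->dispatch( $request );
+        $users = $response->get_data();
+        $user_ids = wp_list_pluck( $users, 'id' );
+
+        $this->assertFalse( in_array( self::$draft_editor, $user_ids, true ) );
+        $this->assertFalse( in_array( self::$user        , $user_ids, true ) );
     }
 
     public function test_get_items_pagination_headers() {
         wp_set_current_user( self::$user );
-        // Start of the index, including the six existing users.
         for ( $i = 0; $i < 44; $i++ ) {
             $this->factory->user->create( array(
-                'name'   => "User {$i}",
-                ) );
+                'name' => "User {$i}",
+            ) );
         }
         $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
         $response = $this->server->dispatch( $request );
         $headers = $response->get_headers();
-        $this->assertEquals( 51, $headers['X-WP-Total'] );
+        $this->assertEquals( 53, $headers['X-WP-Total'] );
         $this->assertEquals( 6, $headers['X-WP-TotalPages'] );
         $next_link = add_query_arg( array(
@@ -277,5 +269,5 @@
         $response = $this->server->dispatch( $request );
         $headers = $response->get_headers();
-        $this->assertEquals( 52, $headers['X-WP-Total'] );
+        $this->assertEquals( 54, $headers['X-WP-Total'] );
         $this->assertEquals( 6, $headers['X-WP-TotalPages'] );
         $prev_link = add_query_arg( array(
@@ -292,5 +284,5 @@
         $response = $this->server->dispatch( $request );
         $headers = $response->get_headers();
-        $this->assertEquals( 52, $headers['X-WP-Total'] );
+        $this->assertEquals( 54, $headers['X-WP-Total'] );
         $this->assertEquals( 6, $headers['X-WP-TotalPages'] );
         $prev_link = add_query_arg( array(
@@ -304,5 +296,5 @@
         $response = $this->server->dispatch( $request );
         $headers = $response->get_headers();
-        $this->assertEquals( 52, $headers['X-WP-Total'] );
+        $this->assertEquals( 54, $headers['X-WP-Total'] );
         $this->assertEquals( 6, $headers['X-WP-TotalPages'] );
         $prev_link = add_query_arg( array(
@@ -475,10 +467,10 @@
     public function test_get_items_offset() {
         wp_set_current_user( self::$user );
-        // 5 users created in __construct(), plus default user.
+        // 7 users created in wpSetUpBeforeClass(), plus default user.
         $this->factory->user->create();
         $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
         $request->set_param( 'offset', 1 );
         $response = $this->server->dispatch( $request );
-        $this->assertCount( 7, $response->get_data() );
+        $this->assertCount( 9, $response->get_data() );
         // 'offset' works with 'per_page'
         $request->set_param( 'per_page', 2 );
@@ -531,4 +523,5 @@
         $id2 = $this->factory->user->create();
         $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $request->set_param( 'per_page', 20 ); // there are >10 users at this point
         $response = $this->server->dispatch( $request );
         $data = $response->get_data();
@@ -689,11 +682,59 @@
     }
 
-    public function test_get_item_without_permission() {
+    public function test_cannot_get_item_without_permission() {
         wp_set_current_user( self::$editor );
-
         $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$user ) );
         $response = $this->server->dispatch( $request );
-
         $this->assertErrorResponse( 'rest_user_cannot_view', $response, 403 );
+    }
+
+    public function test_can_get_item_author_of_rest_true_public_true_unauthenticated() {
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$authors['r_true_p_true'] ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_can_get_item_author_of_rest_true_public_true_authenticated() {
+        wp_set_current_user( self::$editor );
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$authors['r_true_p_true'] ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_can_get_item_author_of_rest_true_public_false() {
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$authors['r_true_p_false'] ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_cannot_get_item_author_of_rest_false_public_true_unauthenticated() {
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$authors['r_false_p_true'] ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 );
+    }
+
+    public function test_cannot_get_item_author_of_rest_false_public_true_without_permission() {
+        wp_set_current_user( self::$editor );
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$authors['r_false_p_true'] ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_user_cannot_view', $response, 403 );
+    }
+
+    public function test_cannot_get_item_author_of_rest_false_public_false() {
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$authors['r_false_p_false'] ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 );
+    }
+
+    public function test_can_get_item_author_of_post() {
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$editor ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_cannot_get_item_author_of_draft() {
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$draft_editor ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 );
     }
 
@@ -2167,9 +2208,4 @@
 
     public function tearDown() {
-        _unregister_post_type( 'rest_public' );
-        _unregister_post_type( 'secret_public' );
-        _unregister_post_type( 'secret_hidden' );
-        _unregister_post_type( 'rest_hidden' );
-
         parent::tearDown();
     }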
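Review bot: The anonymous success cases added after `test_cannot_get_item_without_permission()` (`test_can_get_item_author_of_rest_true_public_true_unauthenticated`, `test_can_get_item_author_of_rest_true_public_false` and `test_can_get_item_author_of_post`) assert only the 200 status and never inspect the body. A regression that returned private user fields to logged-out callers would therefore still pass. The list test keeps an "Ensure we don't expose non-public data" check whose body lies outside the visible hunk; the single-item tests should have an equivalent, for example `$this->assertArrayNotHasKey( 'email', $response->get_data() );`, assuming single-item data is keyed like the list entries. `test_can_get_item_author_of_rest_true_public_false` would also benefit from a comment such as `// show_in_rest alone decides author visibility; 'public' => false does not hide the author.`, since that exposure is easy to mistake for a bug.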