
Changeset 39913


Timestamp:
01/16/2017 04:21:00 PM (16 months ago)
Author:
jnylen0
Message:

REST API: Improve test coverage of single user endpoint for public data.

Add test coverage for requests of a single user resource for authors of post types registered as:

  • public = true, show_in_rest = true: success without auth.
  • public = true, show_in_rest = false: fail without auth.
  • public = false, show_in_rest = true: success without auth.
  • public = false, show_in_rest = false: fail without auth.

See #38878.
Fixes #39546.

Location:
trunk/tests/phpunit
Files:
5 edited

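--- a/trunk/tests/phpunit/includes/testcase.php
+++ b/trunk/tests/phpunit/includes/testcase.php
@@ -185,6 +185,8 @@
      */
     protected function reset_post_types() {
-        foreach ( get_post_types() as $pt ) {
-            _unregister_post_type( $pt );
+        foreach ( get_post_types( array(), 'objects' ) as $pt ) {
+            if ( empty( $pt->tests_no_auto_unregister ) ) {
+                _unregister_post_type( $pt->name );
+            }
         }
         create_initial_post_types();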
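Review bot: The new `tests_no_auto_unregister` opt-out in reset_post_types() is not documented anywhere in the visible lines, and a post type carrying it now survives every reset until something unregisters it by hand. The docblock ends just above the hunk and the function body continues below it, so the docblock is the place for a line such as `Post types registered with 'tests_no_auto_unregister' => true are skipped here; the registering class must call _unregister_post_type() in wpTearDownAfterClass().` Without that contract written down, a class that forgets the manual cleanup leaks its post type into later test classes, which can quietly change what the unauthenticated REST visibility tests observe.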
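--- a/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -77,5 +77,7 @@
 
     public static function wpTearDownAfterClass() {
+        self::delete_user( self::$superadmin_id );
         self::delete_user( self::$admin_id );
+        self::delete_user( self::$editor_id );
         self::delete_user( self::$subscriber_id );
         self::delete_user( self::$author_id );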
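--- a/trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php
@@ -58,4 +58,5 @@
         wp_delete_post( self::$post_id, true );
 
+        self::delete_user( self::$superadmin_id );
         self::delete_user( self::$editor_id );
         self::delete_user( self::$author_id );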
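--- a/trunk/tests/phpunit/tests/rest-api/rest-tags-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-tags-controller.php
@@ -36,5 +36,7 @@
 
     public static function wpTearDownAfterClass() {
+        self::delete_user( self::$superadmin );
         self::delete_user( self::$administrator );
+        self::delete_user( self::$editor );
         self::delete_user( self::$subscriber );
     }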
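--- a/trunk/tests/phpunit/tests/rest-api/rest-users-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-users-controller.php
@@ -14,7 +14,7 @@
     protected static $user;
     protected static $editor;
-    protected static $editor2;
-    protected static $secret_editor;
-    protected static $secret_editor2;
+    protected static $draft_editor;
+    protected static $authors = array();
+    protected static $posts = array();
     protected static $site;
 
@@ -31,15 +31,36 @@
             'user_email' => 'editor@example.com',
         ) );
-        self::$editor2 = $factory->user->create( array(
+        self::$draft_editor = $factory->user->create( array(
             'role'       => 'editor',
-            'user_email' => 'editor2@example.com',
+            'user_email' => 'draft-editor@example.com',
         ) );
-        self::$secret_editor = $factory->user->create( array(
-            'role'       => 'editor',
-            'user_email' => 'secret_editor@example.com',
+
+        foreach ( array( true, false ) as $show_in_rest ) {
+            foreach ( array( true, false ) as $public ) {
+                $post_type_name = 'r_' . json_encode( $show_in_rest ) . '_p_' . json_encode( $public );
+                register_post_type( $post_type_name, array(
+                    'public'                   => $public,
+                    'show_in_rest'             => $show_in_rest,
+                    'tests_no_auto_unregister' => true,
+                ) );
+                self::$authors[ $post_type_name ] = $factory->user->create( array(
+                    'role'       => 'editor',
+                    'user_email' => 'author_' . $post_type_name . '@example.com',
+                ) );
+                self::$posts[ $post_type_name ] = $factory->post->create( array(
+                    'post_type'   => $post_type_name,
+                    'post_author' => self::$authors[ $post_type_name ],
+                ) );
+            }
+        }
+
+        self::$posts['post'] = $factory->post->create( array(
+            'post_type'   => 'post',
+            'post_author' => self::$editor,
         ) );
-        self::$secret_editor2 = $factory->user->create( array(
-            'role'       => 'editor',
-            'user_email' => 'secret_editor2@example.com',
+        self::$posts['r_true_p_true_DRAFT'] = $factory->post->create( array(
+            'post_type'   => 'r_true_p_true',
+            'post_author' => self::$draft_editor,
+            'post_status' => 'draft',
         ) );
 
@@ -53,7 +74,16 @@
         self::delete_user( self::$user );
         self::delete_user( self::$editor );
-        self::delete_user( self::$editor2 );
-        self::delete_user( self::$secret_editor );
-        self::delete_user( self::$secret_editor2 );
+        self::delete_user( self::$draft_editor );
+
+        foreach ( self::$posts as $post ) {
+            wp_delete_post( $post, true );
+        }
+        foreach ( self::$authors as $author ) {
+            self::delete_user( $author );
+        }
+        _unregister_post_type( 'r_true_p_true' );
+        _unregister_post_type( 'r_true_p_false' );
+        _unregister_post_type( 'r_false_p_true' );
+        _unregister_post_type( 'r_false_p_false' );
 
         if ( is_multisite() ) {
@@ -67,10 +97,4 @@
     public function setUp() {
         parent::setUp();
-
-        register_post_type( 'rest_public', array( 'public' => true, 'show_in_rest' => true ) );
-        register_post_type( 'secret_public', array( 'public' => true, 'show_in_rest' => false ) );
-        register_post_type( 'secret_hidden', array( 'public' => false, 'show_in_rest' => false ) );
-        register_post_type( 'rest_hidden', array( 'public' => false, 'show_in_rest' => true ) );
-
         $this->endpoint = new WP_REST_Users_Controller();
     }
@@ -170,34 +194,12 @@
 
     public function test_get_items_unauthenticated_includes_authors_of_post_types_shown_in_rest() {
-        $created_posts = array();
-        $created_posts[] = $this->factory->post->create( array(
-            'post_author' => self::$user,
-            'post_status' => 'publish',
-        ) );
-        // Expose authors if show_in_rest is true, even if the post_type is not public.
-        $created_posts[] = $this->factory->post->create( array(
-            'post_type' => 'rest_hidden',
-            'post_author' => self::$editor,
-            'post_status' => 'publish',
-        ) );
-        $created_posts[] = $this->factory->post->create( array(
-            'post_type' => 'rest_public',
-            'post_author' => self::$editor2,
-            'post_status' => 'publish',
-        ) );
-        $created_posts[] = $this->factory->post->create( array(
-            'post_type' => 'rest_public',
-            'post_author' => self::$secret_editor,
-            'post_status' => 'draft',
-        ) );
-
         $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
         $response = $this->server->dispatch( $request );
         $users = $response->get_data();
 
-        $public_post_types = array_values( get_post_types( array( 'show_in_rest' => true ), 'names' ) );
+        $rest_post_types = array_values( get_post_types( array( 'show_in_rest' => true ), 'names' ) );
 
         foreach ( $users as $user ) {
-            $this->assertTrue( count_user_posts( $user['id'], $public_post_types ) > 0 );
+            $this->assertTrue( count_user_posts( $user['id'], $rest_post_types ) > 0 );
 
             // Ensure we don't expose non-public data.
@@ -214,53 +216,43 @@
         }
 
-        $this->assertTrue( in_array( self::$user, wp_list_pluck( $users, 'id' ), true ) );
-        $this->assertTrue( in_array( self::$editor, wp_list_pluck( $users, 'id' ), true ) );
-        $this->assertTrue( in_array( self::$editor2, wp_list_pluck( $users, 'id' ), true ) );
-
-        // Do not include authors of unpublished posts.
-        $this->assertFalse( in_array( self::$secret_editor, wp_list_pluck( $users, 'id' ), true ) );
-
-        foreach ( $created_posts as $post_id ) {
-            wp_delete_post( $post_id, true );
-        }
+        $user_ids = wp_list_pluck( $users, 'id' );
+
+        $this->assertTrue( in_array( self::$editor                   , $user_ids, true ) );
+        $this->assertTrue( in_array( self::$authors['r_true_p_true'] , $user_ids, true ) );
+        $this->assertTrue( in_array( self::$authors['r_true_p_false'], $user_ids, true ) );
+        $this->assertCount( 3, $user_ids );
     }
 
     public function test_get_items_unauthenticated_does_not_include_authors_of_post_types_not_shown_in_rest() {
-        $created_posts = array();
-        $created_posts[] = $this->factory->post->create( array(
-            'post_type' => 'secret_hidden',
-            'post_author' => self::$secret_editor,
-            'post_status' => 'publish',
-        ) );
-        $created_posts[] = $this->factory->post->create( array(
-            'post_type' => 'secret_public',
-            'post_author' => self::$secret_editor2,
-            'post_status' => 'publish',
-        ) );
-
-        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
-        $response = $this->server->dispatch( $request );
-        $data = $response->get_data();
-
-        $this->assertFalse( in_array( self::$secret_editor, wp_list_pluck( $data, 'id' ), true ) );
-        $this->assertFalse( in_array( self::$secret_editor2, wp_list_pluck( $data, 'id' ), true ) );
-
-        foreach ( $created_posts as $post_id ) {
-            wp_delete_post( $post_id, true );
-        }
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $response = $this->server->dispatch( $request );
+        $users = $response->get_data();
+        $user_ids = wp_list_pluck( $users, 'id' );
+
+        $this->assertFalse( in_array( self::$authors['r_false_p_true'] , $user_ids, true ) );
+        $this->assertFalse( in_array( self::$authors['r_false_p_false'], $user_ids, true ) );
+    }
+
+    public function test_get_items_unauthenticated_does_not_include_users_without_published_posts() {
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $response = $this->server->dispatch( $request );
+        $users = $response->get_data();
+        $user_ids = wp_list_pluck( $users, 'id' );
+
+        $this->assertFalse( in_array( self::$draft_editor, $user_ids, true ) );
+        $this->assertFalse( in_array( self::$user        , $user_ids, true ) );
     }
 
     public function test_get_items_pagination_headers() {
         wp_set_current_user( self::$user );
-        // Start of the index, including the six existing users.
         for ( $i = 0; $i < 44; $i++ ) {
             $this->factory->user->create( array(
-                'name'   => "User {$i}",
-                ) );
+                'name' => "User {$i}",
+            ) );
         }
         $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
         $response = $this->server->dispatch( $request );
         $headers = $response->get_headers();
-        $this->assertEquals( 51, $headers['X-WP-Total'] );
+        $this->assertEquals( 53, $headers['X-WP-Total'] );
         $this->assertEquals( 6, $headers['X-WP-TotalPages'] );
         $next_link = add_query_arg( array(
@@ -277,5 +269,5 @@
         $response = $this->server->dispatch( $request );
         $headers = $response->get_headers();
-        $this->assertEquals( 52, $headers['X-WP-Total'] );
+        $this->assertEquals( 54, $headers['X-WP-Total'] );
         $this->assertEquals( 6, $headers['X-WP-TotalPages'] );
         $prev_link = add_query_arg( array(
@@ -292,5 +284,5 @@
         $response = $this->server->dispatch( $request );
         $headers = $response->get_headers();
-        $this->assertEquals( 52, $headers['X-WP-Total'] );
+        $this->assertEquals( 54, $headers['X-WP-Total'] );
         $this->assertEquals( 6, $headers['X-WP-TotalPages'] );
         $prev_link = add_query_arg( array(
@@ -304,5 +296,5 @@
         $response = $this->server->dispatch( $request );
         $headers = $response->get_headers();
-        $this->assertEquals( 52, $headers['X-WP-Total'] );
+        $this->assertEquals( 54, $headers['X-WP-Total'] );
         $this->assertEquals( 6, $headers['X-WP-TotalPages'] );
         $prev_link = add_query_arg( array(
@@ -475,10 +467,10 @@
     public function test_get_items_offset() {
         wp_set_current_user( self::$user );
-        // 5 users created in __construct(), plus default user.
+        // 7 users created in wpSetUpBeforeClass(), plus default user.
         $this->factory->user->create();
         $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
         $request->set_param( 'offset', 1 );
         $response = $this->server->dispatch( $request );
-        $this->assertCount( 7, $response->get_data() );
+        $this->assertCount( 9, $response->get_data() );
         // 'offset' works with 'per_page'
         $request->set_param( 'per_page', 2 );
@@ -531,4 +523,5 @@
         $id2 = $this->factory->user->create();
         $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $request->set_param( 'per_page', 20 ); // there are >10 users at this point
         $response = $this->server->dispatch( $request );
         $data = $response->get_data();
@@ -689,11 +682,59 @@
     }
 
-    public function test_get_item_without_permission() {
+    public function test_cannot_get_item_without_permission() {
         wp_set_current_user( self::$editor );
-
         $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$user ) );
         $response = $this->server->dispatch( $request );
-
         $this->assertErrorResponse( 'rest_user_cannot_view', $response, 403 );
+    }
+
+    public function test_can_get_item_author_of_rest_true_public_true_unauthenticated() {
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$authors['r_true_p_true'] ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_can_get_item_author_of_rest_true_public_true_authenticated() {
+        wp_set_current_user( self::$editor );
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$authors['r_true_p_true'] ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_can_get_item_author_of_rest_true_public_false() {
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$authors['r_true_p_false'] ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_cannot_get_item_author_of_rest_false_public_true_unauthenticated() {
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$authors['r_false_p_true'] ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 );
+    }
+
+    public function test_cannot_get_item_author_of_rest_false_public_true_without_permission() {
+        wp_set_current_user( self::$editor );
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$authors['r_false_p_true'] ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_user_cannot_view', $response, 403 );
+    }
+
+    public function test_cannot_get_item_author_of_rest_false_public_false() {
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$authors['r_false_p_false'] ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 );
+    }
+
+    public function test_can_get_item_author_of_post() {
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$editor ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_cannot_get_item_author_of_draft() {
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/users/%d', self::$draft_editor ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 );
     }
 
@@ -2167,9 +2208,4 @@
 
     public function tearDown() {
-        _unregister_post_type( 'rest_public' );
-        _unregister_post_type( 'secret_public' );
-        _unregister_post_type( 'secret_hidden' );
-        _unregister_post_type( 'rest_hidden' );
-
         parent::tearDown();
     }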
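Review bot: The unauthenticated success cases added here (`test_can_get_item_author_of_rest_true_public_true_unauthenticated`, `test_can_get_item_author_of_rest_true_public_false`, `test_can_get_item_author_of_post`) assert only the 200 status, so they would keep passing if the single-user response began to carry fields the schema restricts to the edit context. The list test still has its "Ensure we don't expose non-public data" check, whose body falls between the visible hunks; the single-item tests should pin the same boundary, for example `$data = $response->get_data();` followed by `$this->assertArrayNotHasKey( 'email', $data );` and `$this->assertArrayNotHasKey( 'roles', $data );`. As a smaller point, wpTearDownAfterClass() hard-codes the four post type names that the setup loop derives with json_encode(); iterating `array_keys( self::$authors )` there would keep the two lists in step, which matters because these types are exempt from the automatic reset.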