Changeset 42000 for trunk/tests/phpunit/tests/rest-api/rest-settings-controller.php

Timestamp:

10/24/2017 09:04:50 PM (8 years ago)

Author:

joehoyle

Message:

REST API: Don’t remove unregistered properties from objects in schema.

In r41727 the ability to sanitise and validate objects from JSON schema was added, with a whitelist approach. It was decided we should pass through all non-registered properties to reflect the behaviour of the root object in register_rest_route. To prevent arbitrary extra data via setting objects, we force additionalProperties to false in the settings endpoint.

See #38583.

File:

• trunk/tests/phpunit/tests/rest-api/rest-settings-controller.php (modified) (4 diffs)

trunk/tests/phpunit/tests/rest-api/rest-settings-controller.php

@@ -191 +191 @@
         ) );
 
+        // We have to re-register the route, as the args changes based off registered settings.
+        $this->server->override_by_default = true;
+        $this->endpoint->register_routes();
+
         // Object is cast to correct types.
         update_option( 'mycustomsetting', array( 'a' => '1' ) );
@@ -210 +214 @@
         $response = $this->server->dispatch( $request );
         $data = $response->get_data();
-        $this->assertEquals( array( 'a' => 1 ), $data['mycustomsetting'] );
+        $this->assertEquals( null, $data['mycustomsetting'] );
 
         unregister_setting( 'somegroup', 'mycustomsetting' );
@@ -373 +377 @@
     }
 
+    public function test_update_item_with_nested_object() {
+        register_setting( 'somegroup', 'mycustomsetting', array(
+            'show_in_rest' => array(
+                'schema' => array(
+                    'type'       => 'object',
+                    'properties' => array(
+                        'a' => array(
+                            'type' => 'object',
+                            'properties' => array(
+                                'b' => array(
+                                    'type' => 'number',
+                                ),
+                            ),
+                        ),
+                    ),
+                ),
+            ),
+            'type'         => 'object',
+        ) );
+
+        // We have to re-register the route, as the args changes based off registered settings.
+        $this->server->override_by_default = true;
+        $this->endpoint->register_routes();
+        wp_set_current_user( self::$administrator );
+
+        $request = new WP_REST_Request( 'PUT', '/wp/v2/settings' );
+        $request->set_param( 'mycustomsetting', array( 'a' => array( 'b' => 1, 'c' => 1 ) ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+    }
+
     public function test_update_item_with_object() {
         register_setting( 'somegroup', 'mycustomsetting', array(
@@ -408 +443 @@
         $this->assertEquals( array(), get_option( 'mycustomsetting' ) );
 
+        // Provide more keys.
+        $request = new WP_REST_Request( 'PUT', '/wp/v2/settings' );
+        $request->set_param( 'mycustomsetting', array( 'a' => 1, 'b' => 2 ) );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+
         // Setting an invalid object.
         $request = new WP_REST_Request( 'PUT', '/wp/v2/settings' );