WordPress.org

Make WordPress Core

Changeset 43001


Ignore:
Timestamp:
04/25/2018 01:05:48 PM (3 years ago)
Author:
pento
Message:

REST API: Add who=authors as a query parameter for GET wp/v2/users.

Any WordPress user who can edit_posts of a post type with show_in_rest=true can query for authors. This maps to current WordPress behavior where a WordPress user who can view the Manage Posts view for a post type can see any WordPress user assigned to a post (whether published or draft).

This implementation, over restricting who=authors to users with list_users, gives us future flexibility in displaying lists of posts. It still respects more restrictive permissions for context=edit.

Props danielbachhuber.
Fixes #42202.

Location:
trunk
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

    r42761 r43001  
    193193        }
    194194
     195        if ( 'authors' === $request['who'] ) {
     196            $can_view = false;
     197            $types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
     198            foreach ( $types as $type ) {
     199                if ( current_user_can( $type->cap->edit_posts ) ) {
     200                    $can_view = true;
     201                }
     202            }
     203            if ( ! $can_view ) {
     204                return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
     205            }
     206        }
     207
    195208        return true;
    196209    }
     
    257270        }
    258271
    259         if ( ! current_user_can( 'list_users' ) ) {
     272        if ( isset( $registered['who'] ) && ! empty( $request['who'] ) && 'authors' === $request['who'] ) {
     273            $prepared_args['who'] = 'authors';
     274        } elseif ( ! current_user_can( 'list_users' ) ) {
    260275            $prepared_args['has_published_posts'] = get_post_types( array( 'show_in_rest' => true ), 'names' );
    261276        }
     
    13731388        );
    13741389
     1390        $query_params['who'] = array(
     1391            'description' => __( 'Limit result set to users who are considered authors.' ),
     1392            'type'        => 'string',
     1393            'enum'        => array(
     1394                'authors',
     1395            ),
     1396        );
     1397
    13751398        /**
    13761399         * Filter collection parameters for the users controller.
  • trunk/tests/phpunit/tests/rest-api/rest-users-controller.php

    r42724 r43001  
    1515    protected static $editor;
    1616    protected static $draft_editor;
     17    protected static $subscriber;
    1718    protected static $authors = array();
    1819    protected static $posts   = array();
     
    4142                'role'       => 'editor',
    4243                'user_email' => 'draft-editor@example.com',
     44            )
     45        );
     46        self::$subscriber    = $factory->user->create(
     47            array(
     48                'role'         => 'subscriber',
     49                'display_name' => 'subscriber',
     50                'user_email'   => 'subscriber@example.com',
    4351            )
    4452        );
     
    167175                'search',
    168176                'slug',
     177                'who',
    169178            ), $keys
    170179        );
     
    281290        $response = rest_get_server()->dispatch( $request );
    282291        $headers  = $response->get_headers();
    283         $this->assertEquals( 53, $headers['X-WP-Total'] );
     292        $this->assertEquals( 54, $headers['X-WP-Total'] );
    284293        $this->assertEquals( 6, $headers['X-WP-TotalPages'] );
    285294        $next_link = add_query_arg(
     
    300309        $response = rest_get_server()->dispatch( $request );
    301310        $headers  = $response->get_headers();
    302         $this->assertEquals( 54, $headers['X-WP-Total'] );
     311        $this->assertEquals( 55, $headers['X-WP-Total'] );
    303312        $this->assertEquals( 6, $headers['X-WP-TotalPages'] );
    304313        $prev_link = add_query_arg(
     
    319328        $response = rest_get_server()->dispatch( $request );
    320329        $headers  = $response->get_headers();
    321         $this->assertEquals( 54, $headers['X-WP-Total'] );
     330        $this->assertEquals( 55, $headers['X-WP-Total'] );
    322331        $this->assertEquals( 6, $headers['X-WP-TotalPages'] );
    323332        $prev_link = add_query_arg(
     
    333342        $response = rest_get_server()->dispatch( $request );
    334343        $headers  = $response->get_headers();
    335         $this->assertEquals( 54, $headers['X-WP-Total'] );
     344        $this->assertEquals( 55, $headers['X-WP-Total'] );
    336345        $this->assertEquals( 6, $headers['X-WP-TotalPages'] );
    337346        $prev_link = add_query_arg(
     
    526535    public function test_get_items_offset() {
    527536        wp_set_current_user( self::$user );
    528         // 7 users created in wpSetUpBeforeClass(), plus default user.
     537        // 9 users created in wpSetUpBeforeClass(), plus default user.
    529538        $this->factory->user->create();
    530539        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
    531540        $request->set_param( 'offset', 1 );
    532541        $response = rest_get_server()->dispatch( $request );
    533         $this->assertCount( 9, $response->get_data() );
     542        $this->assertCount( 10, $response->get_data() );
    534543        // 'offset' works with 'per_page'
    535544        $request->set_param( 'per_page', 2 );
     
    745754        $response = rest_get_server()->dispatch( $request );
    746755        $data     = $response->get_data();
    747         $this->assertEquals( 2, count( $data ) );
    748         $this->assertEquals( $tango, $data[0]['id'] );
    749         $this->assertEquals( $yolo, $data[1]['id'] );
     756        $this->assertEquals( 3, count( $data ) );
     757        $this->assertEquals( $tango, $data[1]['id'] );
     758        $this->assertEquals( $yolo, $data[2]['id'] );
    750759        $request->set_param( 'roles', 'author' );
    751760        $response = rest_get_server()->dispatch( $request );
     
    783792        $this->assertEquals( 0, count( $data ) );
    784793        $this->assertEquals( array(), $data );
     794    }
     795
     796    public function test_get_items_who_author_query() {
     797        wp_set_current_user( self::$superadmin );
     798        // First request should include subscriber in the set.
     799        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
     800        $request->set_param( 'search', 'subscriber' );
     801        $response = rest_get_server()->dispatch( $request );
     802        $this->assertEquals( 200, $response->get_status() );
     803        $this->assertCount( 1, $response->get_data() );
     804        // Second request should exclude subscriber.
     805        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
     806        $request->set_param( 'who', 'authors' );
     807        $request->set_param( 'search', 'subscriber' );
     808        $response = rest_get_server()->dispatch( $request );
     809        $this->assertEquals( 200, $response->get_status() );
     810        $this->assertCount( 0, $response->get_data() );
     811    }
     812
     813    public function test_get_items_who_invalid_query() {
     814        wp_set_current_user( self::$user );
     815        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
     816        $request->set_param( 'who', 'editor' );
     817        $response = rest_get_server()->dispatch( $request );
     818        $this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
     819    }
     820
     821    /**
     822     * Any user with 'edit_posts' on a show_in_rest post type
     823     * can view authors. Others (e.g. subscribers) cannot.
     824     */
     825    public function test_get_items_who_unauthorized_query() {
     826        wp_set_current_user( self::$subscriber );
     827        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
     828        $request->set_param( 'who', 'authors' );
     829        $response = rest_get_server()->dispatch( $request );
     830        $this->assertErrorResponse( 'rest_forbidden_who', $response, 403 );
    785831    }
    786832
  • trunk/tests/qunit/fixtures/wp-api-generated.js

    r42997 r43001  
    25132513                                "type": "string"
    25142514                            }
     2515                        },
     2516                        "who": {
     2517                            "required": false,
     2518                            "enum": [
     2519                                "authors"
     2520                            ],
     2521                            "description": "Limit result set to users who are considered authors.",
     2522                            "type": "string"
    25152523                        }
    25162524                    }
Note: See TracChangeset for help on using the changeset viewer.