Changeset 43001
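--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -193,4 +193,17 @@
 		}
 
+		if ( 'authors' === $request['who'] ) {
+			$can_view = false;
+			$types    = get_post_types( array( 'show_in_rest' => true ), 'objects' );
+			foreach ( $types as $type ) {
+				if ( current_user_can( $type->cap->edit_posts ) ) {
+					$can_view = true;
+				}
+			}
+			if ( ! $can_view ) {
+				return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
+			}
+		}
+
 		return true;
 	}
@@ -257,5 +270,7 @@
 		}
 
-		if ( ! current_user_can( 'list_users' ) ) {
+		if ( isset( $registered['who'] ) && ! empty( $request['who'] ) && 'authors' === $request['who'] ) {
+			$prepared_args['who'] = 'authors';
+		} elseif ( ! current_user_can( 'list_users' ) ) {
 			$prepared_args['has_published_posts'] = get_post_types( array( 'show_in_rest' => true ), 'names' );
 		}
@@ -1373,4 +1388,12 @@
 		);
 
+		$query_params['who'] = array(
+			'description' => __( 'Limit result set to users who are considered authors.' ),
+			'type'        => 'string',
+			'enum'        => array(
+				'authors',
+			),
+		);
+
 		/**
 		 * Filter collection parameters for the users controller.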
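Review bot: The `elseif` at new line 274 means any caller who got past the new permission check skips the `has_published_posts` restriction, so a user holding `edit_posts` on some show_in_rest post type but not `list_users` now receives every account the query layer treats as an author, published or not; nothing on these lines ties that widening to the capability loop at 195–206, so a comment above line 272 would make the coupling explicit, e.g. `// 'who=authors' is gated by the edit_posts check in get_items_permissions_check() and (presumably by design) bypasses has_published_posts.` The loop at 198–202 keeps iterating after the first match; a `break;` right after `$can_view = true;` reads as intended and avoids needless capability checks. Both get_items_permissions_check() and get_items() begin and end outside the hunk.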
trunk/tests/phpunit/tests/rest-api/rest-users-controller.php
r42724 r43001 15 15 protected static $editor; 16 16 protected static $draft_editor; 17 protected static $subscriber; 17 18 protected static $authors = array(); 18 19 protected static $posts = array(); … … 41 42 'role' => 'editor', 42 43 'user_email' => 'draft-editor@example.com', 44 ) 45 ); 46 self::$subscriber = $factory->user->create( 47 array( 48 'role' => 'subscriber', 49 'display_name' => 'subscriber', 50 'user_email' => 'subscriber@example.com', 43 51 ) 44 52 ); … … 167 175 'search', 168 176 'slug', 177 'who', 169 178 ), $keys 170 179 ); … … 281 290 $response = rest_get_server()->dispatch( $request ); 282 291 $headers = $response->get_headers(); 283 $this->assertEquals( 5 3, $headers['X-WP-Total'] );292 $this->assertEquals( 54, $headers['X-WP-Total'] ); 284 293 $this->assertEquals( 6, $headers['X-WP-TotalPages'] ); 285 294 $next_link = add_query_arg( … … 300 309 $response = rest_get_server()->dispatch( $request ); 301 310 $headers = $response->get_headers(); 302 $this->assertEquals( 5 4, $headers['X-WP-Total'] );311 $this->assertEquals( 55, $headers['X-WP-Total'] ); 303 312 $this->assertEquals( 6, $headers['X-WP-TotalPages'] ); 304 313 $prev_link = add_query_arg( … … 319 328 $response = rest_get_server()->dispatch( $request ); 320 329 $headers = $response->get_headers(); 321 $this->assertEquals( 5 4, $headers['X-WP-Total'] );330 $this->assertEquals( 55, $headers['X-WP-Total'] ); 322 331 $this->assertEquals( 6, $headers['X-WP-TotalPages'] ); 323 332 $prev_link = add_query_arg( … … 333 342 $response = rest_get_server()->dispatch( $request ); 334 343 $headers = $response->get_headers(); 335 $this->assertEquals( 5 4, $headers['X-WP-Total'] );344 $this->assertEquals( 55, $headers['X-WP-Total'] ); 336 345 $this->assertEquals( 6, $headers['X-WP-TotalPages'] ); 337 346 $prev_link = add_query_arg( … … 526 535 public function test_get_items_offset() { 527 536 wp_set_current_user( self::$user ); 528 // 7users created in wpSetUpBeforeClass(), plus default user.537 // 9 
users created in wpSetUpBeforeClass(), plus default user. 529 538 $this->factory->user->create(); 530 539 $request = new WP_REST_Request( 'GET', '/wp/v2/users' ); 531 540 $request->set_param( 'offset', 1 ); 532 541 $response = rest_get_server()->dispatch( $request ); 533 $this->assertCount( 9, $response->get_data() );542 $this->assertCount( 10, $response->get_data() ); 534 543 // 'offset' works with 'per_page' 535 544 $request->set_param( 'per_page', 2 ); … … 745 754 $response = rest_get_server()->dispatch( $request ); 746 755 $data = $response->get_data(); 747 $this->assertEquals( 2, count( $data ) );748 $this->assertEquals( $tango, $data[ 0]['id'] );749 $this->assertEquals( $yolo, $data[ 1]['id'] );756 $this->assertEquals( 3, count( $data ) ); 757 $this->assertEquals( $tango, $data[1]['id'] ); 758 $this->assertEquals( $yolo, $data[2]['id'] ); 750 759 $request->set_param( 'roles', 'author' ); 751 760 $response = rest_get_server()->dispatch( $request ); … … 783 792 $this->assertEquals( 0, count( $data ) ); 784 793 $this->assertEquals( array(), $data ); 794 } 795 796 public function test_get_items_who_author_query() { 797 wp_set_current_user( self::$superadmin ); 798 // First request should include subscriber in the set. 799 $request = new WP_REST_Request( 'GET', '/wp/v2/users' ); 800 $request->set_param( 'search', 'subscriber' ); 801 $response = rest_get_server()->dispatch( $request ); 802 $this->assertEquals( 200, $response->get_status() ); 803 $this->assertCount( 1, $response->get_data() ); 804 // Second request should exclude subscriber. 
805 $request = new WP_REST_Request( 'GET', '/wp/v2/users' ); 806 $request->set_param( 'who', 'authors' ); 807 $request->set_param( 'search', 'subscriber' ); 808 $response = rest_get_server()->dispatch( $request ); 809 $this->assertEquals( 200, $response->get_status() ); 810 $this->assertCount( 0, $response->get_data() ); 811 } 812 813 public function test_get_items_who_invalid_query() { 814 wp_set_current_user( self::$user ); 815 $request = new WP_REST_Request( 'GET', '/wp/v2/users' ); 816 $request->set_param( 'who', 'editor' ); 817 $response = rest_get_server()->dispatch( $request ); 818 $this->assertErrorResponse( 'rest_invalid_param', $response, 400 ); 819 } 820 821 /** 822 * Any user with 'edit_posts' on a show_in_rest post type 823 * can view authors. Others (e.g. subscribers) cannot. 824 */ 825 public function test_get_items_who_unauthorized_query() { 826 wp_set_current_user( self::$subscriber ); 827 $request = new WP_REST_Request( 'GET', '/wp/v2/users' ); 828 $request->set_param( 'who', 'authors' ); 829 $response = rest_get_server()->dispatch( $request ); 830 $this->assertErrorResponse( 'rest_forbidden_who', $response, 403 ); 785 831 } 786 832 -
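Review bot: The new tests exercise `who=authors` only as a superadmin (test_get_items_who_author_query) and as a subscriber expecting `rest_forbidden_who`; the path the controller change actually opens — a user with `edit_posts` on a show_in_rest post type but without `list_users` — is not covered, so a regression in either the capability loop or the `elseif` that skips `has_published_posts` would still pass this suite. A test that sets the current user to an account created with a lower role (e.g. contributor), requests `who=authors`, asserts a 200 status and checks that an author with no published posts appears in the data would pin that behaviour. The test class and its fixture setup begin outside the hunk.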
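--- a/trunk/tests/qunit/fixtures/wp-api-generated.js
+++ b/trunk/tests/qunit/fixtures/wp-api-generated.js
@@ -2513,4 +2513,12 @@
                         "type": "string"
                     }
+                },
+                "who": {
+                    "required": false,
+                    "enum": [
+                        "authors"
+                    ],
+                    "description": "Limit result set to users who are considered authors.",
+                    "type": "string"
                 }
             }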