Changeset 43001 for trunk/tests/phpunit/tests/rest-api/rest-users-controller.php

Timestamp:

04/25/2018 01:05:48 PM (8 years ago)

Author:

pento

Message:

REST API: Add who=authors as a query parameter for GET wp/v2/users.

Any WordPress user who can edit_posts of a post type with show_in_rest=true can query for authors. This maps to current WordPress behavior where a WordPress user who can view the Manage Posts view for a post type can see any WordPress user assigned to a post (whether published or draft).

This implementation, over restricting who=authors to users with list_users, gives us future flexibility in displaying lists of posts. It still respects more restrictive permissions for context=edit.

Props danielbachhuber.
Fixes #42202.

File:

• trunk/tests/phpunit/tests/rest-api/rest-users-controller.php (modified) (10 diffs)

trunk/tests/phpunit/tests/rest-api/rest-users-controller.php

@@ -15 +15 @@
     protected static $editor;
     protected static $draft_editor;
+    protected static $subscriber;
     protected static $authors = array();
     protected static $posts   = array();
@@ -41 +42 @@
                 'role'       => 'editor',
                 'user_email' => 'draft-editor@example.com',
+            )
+        );
+        self::$subscriber    = $factory->user->create(
+            array(
+                'role'         => 'subscriber',
+                'display_name' => 'subscriber',
+                'user_email'   => 'subscriber@example.com',
             )
         );
@@ -167 +175 @@
                 'search',
                 'slug',
+                'who',
             ), $keys
         );
@@ -281 +290 @@
         $response = rest_get_server()->dispatch( $request );
         $headers  = $response->get_headers();
-        $this->assertEquals( 53, $headers['X-WP-Total'] );
+        $this->assertEquals( 54, $headers['X-WP-Total'] );
         $this->assertEquals( 6, $headers['X-WP-TotalPages'] );
         $next_link = add_query_arg(
@@ -300 +309 @@
         $response = rest_get_server()->dispatch( $request );
         $headers  = $response->get_headers();
-        $this->assertEquals( 54, $headers['X-WP-Total'] );
+        $this->assertEquals( 55, $headers['X-WP-Total'] );
         $this->assertEquals( 6, $headers['X-WP-TotalPages'] );
         $prev_link = add_query_arg(
@@ -319 +328 @@
         $response = rest_get_server()->dispatch( $request );
         $headers  = $response->get_headers();
-        $this->assertEquals( 54, $headers['X-WP-Total'] );
+        $this->assertEquals( 55, $headers['X-WP-Total'] );
         $this->assertEquals( 6, $headers['X-WP-TotalPages'] );
         $prev_link = add_query_arg(
@@ -333 +342 @@
         $response = rest_get_server()->dispatch( $request );
         $headers  = $response->get_headers();
-        $this->assertEquals( 54, $headers['X-WP-Total'] );
+        $this->assertEquals( 55, $headers['X-WP-Total'] );
         $this->assertEquals( 6, $headers['X-WP-TotalPages'] );
         $prev_link = add_query_arg(
@@ -526 +535 @@
     public function test_get_items_offset() {
         wp_set_current_user( self::$user );
-        // 7 users created in wpSetUpBeforeClass(), plus default user.
+        // 9 users created in wpSetUpBeforeClass(), plus default user.
         $this->factory->user->create();
         $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
         $request->set_param( 'offset', 1 );
         $response = rest_get_server()->dispatch( $request );
-        $this->assertCount( 9, $response->get_data() );
+        $this->assertCount( 10, $response->get_data() );
         // 'offset' works with 'per_page'
         $request->set_param( 'per_page', 2 );
@@ -745 +754 @@
         $response = rest_get_server()->dispatch( $request );
         $data     = $response->get_data();
-        $this->assertEquals( 2, count( $data ) );
-        $this->assertEquals( $tango, $data[0]['id'] );
-        $this->assertEquals( $yolo, $data[1]['id'] );
+        $this->assertEquals( 3, count( $data ) );
+        $this->assertEquals( $tango, $data[1]['id'] );
+        $this->assertEquals( $yolo, $data[2]['id'] );
         $request->set_param( 'roles', 'author' );
         $response = rest_get_server()->dispatch( $request );
@@ -783 +792 @@
         $this->assertEquals( 0, count( $data ) );
         $this->assertEquals( array(), $data );
+    }
+
+    public function test_get_items_who_author_query() {
+        wp_set_current_user( self::$superadmin );
+        // First request should include subscriber in the set.
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $request->set_param( 'search', 'subscriber' );
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+        $this->assertCount( 1, $response->get_data() );
+        // Second request should exclude subscriber.
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $request->set_param( 'who', 'authors' );
+        $request->set_param( 'search', 'subscriber' );
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+        $this->assertCount( 0, $response->get_data() );
+    }
+
+    public function test_get_items_who_invalid_query() {
+        wp_set_current_user( self::$user );
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $request->set_param( 'who', 'editor' );
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+    }
+
+    /**
+     * Any user with 'edit_posts' on a show_in_rest post type
+     * can view authors. Others (e.g. subscribers) cannot.
+     */
+    public function test_get_items_who_unauthorized_query() {
+        wp_set_current_user( self::$subscriber );
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $request->set_param( 'who', 'authors' );
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertErrorResponse( 'rest_forbidden_who', $response, 403 );
     }