Changeset 43067
- Timestamp:
- 05/01/2018 10:17:26 PM (7 years ago)
- Location:
- branches/4.9
- Files:
-
- 4 edited
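--- a/branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -187,4 +187,17 @@
 }
 
+if ( 'authors' === $request['who'] ) {
+$can_view = false;
+$types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
+foreach ( $types as $type ) {
+if ( current_user_can( $type->cap->edit_posts ) ) {
+$can_view = true;
+}
+}
+if ( ! $can_view ) {
+return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
+}
+}
+
 return true;
 }
@@ -251,5 +264,7 @@
 }
 
-if ( ! current_user_can( 'list_users' ) ) {
+if ( isset( $registered['who'] ) && ! empty( $request['who'] ) && 'authors' === $request['who'] ) {
+$prepared_args['who'] = 'authors';
+} elseif ( ! current_user_can( 'list_users' ) ) {
 $prepared_args['has_published_posts'] = get_post_types( array( 'show_in_rest' => true ), 'names' );
 }
@@ -1363,4 +1378,12 @@
 );
 
+$query_params['who'] = array(
+'description' => __( 'Limit result set to users who are considered authors.' ),
+'type' => 'string',
+'enum' => array(
+'authors',
+),
+);
+
 /**
 * Filter collection parameters for the users controller.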
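Review bot: In the get_items hunk the `who=authors` branch replaces the `has_published_posts` narrowing that otherwise applies to callers without `list_users`, so a role that has `edit_posts` on a `show_in_rest` post type but not `list_users` (presumably contributor) can now list every author-capable user, published or not; that widening looks intended, but it is enforced only by the `edit_posts` loop added to get_items_permissions_check and nothing at the `elseif` records that dependency. A comment there would keep the two guards from drifting apart: `// 'who=authors' is authorized in get_items_permissions_check() (edit_posts on a show_in_rest type); it deliberately skips the has_published_posts narrowing so unpublished authors are listed.` The permission check tests `'authors' === $request['who']` while get_items spells the same predicate as `isset( $registered['who'] ) && ! empty( $request['who'] ) && 'authors' === $request['who']`; writing it once in a private helper would avoid the mismatch, and the `foreach` in the permission check can `break;` as soon as `$can_view` is true. Both enclosing methods start outside their hunks.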
branches/4.9/tests/phpunit/tests/rest-api/rest-users-controller.php
r41760 r43067 15 15 protected static $editor; 16 16 protected static $draft_editor; 17 protected static $subscriber; 17 18 protected static $authors = array(); 18 19 protected static $posts = array(); … … 35 36 'user_email' => 'draft-editor@example.com', 36 37 ) ); 38 self::$subscriber = $factory->user->create( 39 array( 40 'role' => 'subscriber', 41 'display_name' => 'subscriber', 42 'user_email' => 'subscriber@example.com', 43 ) 44 ); 37 45 38 46 foreach ( array( true, false ) as $show_in_rest ) { … … 143 151 'search', 144 152 'slug', 153 'who', 145 154 ), $keys ); 146 155 } … … 254 263 $response = $this->server->dispatch( $request ); 255 264 $headers = $response->get_headers(); 256 $this->assertEquals( 5 3, $headers['X-WP-Total'] );265 $this->assertEquals( 54, $headers['X-WP-Total'] ); 257 266 $this->assertEquals( 6, $headers['X-WP-TotalPages'] ); 258 267 $next_link = add_query_arg( array( … … 269 278 $response = $this->server->dispatch( $request ); 270 279 $headers = $response->get_headers(); 271 $this->assertEquals( 5 4, $headers['X-WP-Total'] );280 $this->assertEquals( 55, $headers['X-WP-Total'] ); 272 281 $this->assertEquals( 6, $headers['X-WP-TotalPages'] ); 273 282 $prev_link = add_query_arg( array( … … 284 293 $response = $this->server->dispatch( $request ); 285 294 $headers = $response->get_headers(); 286 $this->assertEquals( 5 4, $headers['X-WP-Total'] );295 $this->assertEquals( 55, $headers['X-WP-Total'] ); 287 296 $this->assertEquals( 6, $headers['X-WP-TotalPages'] ); 288 297 $prev_link = add_query_arg( array( … … 296 305 $response = $this->server->dispatch( $request ); 297 306 $headers = $response->get_headers(); 298 $this->assertEquals( 5 4, $headers['X-WP-Total'] );307 $this->assertEquals( 55, $headers['X-WP-Total'] ); 299 308 $this->assertEquals( 6, $headers['X-WP-TotalPages'] ); 300 309 $prev_link = add_query_arg( array( … … 485 494 public function test_get_items_offset() { 486 495 wp_set_current_user( self::$user ); 487 // 7users created in 
wpSetUpBeforeClass(), plus default user.496 // 9 users created in wpSetUpBeforeClass(), plus default user. 488 497 $this->factory->user->create(); 489 498 $request = new WP_REST_Request( 'GET', '/wp/v2/users' ); 490 499 $request->set_param( 'offset', 1 ); 491 500 $response = $this->server->dispatch( $request ); 492 $this->assertCount( 9, $response->get_data() );501 $this->assertCount( 10, $response->get_data() ); 493 502 // 'offset' works with 'per_page' 494 503 $request->set_param( 'per_page', 2 ); … … 664 673 $response = $this->server->dispatch( $request ); 665 674 $data = $response->get_data(); 666 $this->assertEquals( 2, count( $data ) );667 $this->assertEquals( $tango, $data[ 0]['id'] );668 $this->assertEquals( $yolo, $data[ 1]['id'] );675 $this->assertEquals( 3, count( $data ) ); 676 $this->assertEquals( $tango, $data[1]['id'] ); 677 $this->assertEquals( $yolo, $data[2]['id'] ); 669 678 $request->set_param( 'roles', 'author' ); 670 679 $response = $this->server->dispatch( $request ); … … 697 706 $this->assertEquals( 0, count( $data ) ); 698 707 $this->assertEquals( array(), $data ); 708 } 709 710 public function test_get_items_who_author_query() { 711 wp_set_current_user( self::$superadmin ); 712 // First request should include subscriber in the set. 713 $request = new WP_REST_Request( 'GET', '/wp/v2/users' ); 714 $request->set_param( 'search', 'subscriber' ); 715 $response = rest_get_server()->dispatch( $request ); 716 $this->assertEquals( 200, $response->get_status() ); 717 $this->assertCount( 1, $response->get_data() ); 718 // Second request should exclude subscriber. 
719 $request = new WP_REST_Request( 'GET', '/wp/v2/users' ); 720 $request->set_param( 'who', 'authors' ); 721 $request->set_param( 'search', 'subscriber' ); 722 $response = rest_get_server()->dispatch( $request ); 723 $this->assertEquals( 200, $response->get_status() ); 724 $this->assertCount( 0, $response->get_data() ); 725 } 726 727 public function test_get_items_who_invalid_query() { 728 wp_set_current_user( self::$user ); 729 $request = new WP_REST_Request( 'GET', '/wp/v2/users' ); 730 $request->set_param( 'who', 'editor' ); 731 $response = rest_get_server()->dispatch( $request ); 732 $this->assertErrorResponse( 'rest_invalid_param', $response, 400 ); 733 } 734 735 /** 736 * Any user with 'edit_posts' on a show_in_rest post type 737 * can view authors. Others (e.g. subscribers) cannot. 738 */ 739 public function test_get_items_who_unauthorized_query() { 740 wp_set_current_user( self::$subscriber ); 741 $request = new WP_REST_Request( 'GET', '/wp/v2/users' ); 742 $request->set_param( 'who', 'authors' ); 743 $response = rest_get_server()->dispatch( $request ); 744 $this->assertErrorResponse( 'rest_forbidden_who', $response, 403 ); 699 745 } 700 746 -
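Review bot: The new tests cover the happy path only as superadmin and the forbidden path as subscriber, but not the role the `who=authors` parameter is actually for: a caller with `edit_posts` on a REST-exposed post type and without `list_users`, for whom get_items now skips the `has_published_posts` narrowing. A test along the lines below would pin that behaviour; it assumes the `contributor` role carries `edit_posts` for a `show_in_rest` post type in the test environment, which is not visible in this hunk. The enclosing test class continues outside the hunk.
```php
public function test_get_items_who_author_query_without_list_users() {
	$contributor = $this->factory->user->create( array( 'role' => 'contributor' ) );
	wp_set_current_user( $contributor );
	$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
	$request->set_param( 'who', 'authors' );
	$response = rest_get_server()->dispatch( $request );
	$this->assertEquals( 200, $response->get_status() );
	$this->assertNotEmpty( $response->get_data() );
	// Subscribers stay excluded for this caller as well.
	$request->set_param( 'search', 'subscriber' );
	$response = rest_get_server()->dispatch( $request );
	$this->assertCount( 0, $response->get_data() );
}
```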
branches/4.9/tests/qunit/fixtures/wp-api-generated.js
r42032 r43067 2505 2505 "type": "string" 2506 2506 } 2507 }, 2508 "who": { 2509 "required": false, 2510 "enum": [ 2511 "authors" 2512 ], 2513 "description": "Limit result set to users who are considered authors.", 2514 "type": "string" 2507 2515 } 2508 2516 }