Changeset 43694
- Timestamp:
- 10/10/2018 08:48:21 PM (6 years ago)
- Location:
- branches/5.0
- Files:
-
- 2 edited
branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
r43682 r43694 2499 2499 $post_type_obj = get_post_type_object( $this->post_type ); 2500 2500 2501 if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {2501 if ( current_user_can( $post_type_obj->cap->edit_posts ) || 'private' === $status && current_user_can( $post_type_obj->cap->read_private_posts ) ) { 2502 2502 $result = rest_validate_request_arg( $status, $request, $parameter ); 2503 2503 if ( is_wp_error( $result ) ) { -
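Review bot: The new condition on line 2501 mixes `||` and `&&` without parentheses, so it depends on PHP's precedence (`&&` binds tighter) to mean `edit_posts || (private && read_private_posts)`; that is the intended meaning but it reads as if `read_private_posts` could unlock any status, which is exactly the mistake the draft test guards against. I'd make the grouping explicit and say why private is special: `// read_private_posts alone may query 'private'; every other non-public status still requires edit_posts.` followed by `if ( current_user_can( $post_type_obj->cap->edit_posts ) || ( 'private' === $status && current_user_can( $post_type_obj->cap->read_private_posts ) ) ) {`. The enclosing function starts and ends outside this hunk, so I cannot confirm from here that `$status` is a single string at this point rather than the array a caller may pass; the new test using `array( 'private', 'future' )` suggests a per-status loop above the hunk, which is worth verifying since `'private' === $status` is false for an array and would silently fall back to the `edit_posts` path.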
branches/5.0/tests/phpunit/tests/rest-api/rest-posts-controller.php
r43682 r43694 17 17 protected static $author_id; 18 18 protected static $contributor_id; 19 protected static $private_reader_id; 19 20 20 21 protected static $supported_formats; … … 39 40 'role' => 'contributor', 40 41 ) ); 42 43 self::$private_reader_id = $factory->user->create( 44 array( 45 'role' => 'private_reader', 46 ) 47 ); 41 48 42 49 if ( is_multisite() ) { … … 63 70 self::delete_user( self::$author_id ); 64 71 self::delete_user( self::$contributor_id ); 72 self::delete_user( self::$private_reader_id ); 65 73 } 66 74 … … 68 76 parent::setUp(); 69 77 register_post_type( 'youseeme', array( 'supports' => array(), 'show_in_rest' => true ) ); 78 79 add_role( 'private_reader', 'Private Reader' ); 80 $role = get_role( 'private_reader' ); 81 $role->add_cap( 'read_private_posts' ); 82 70 83 add_filter( 'rest_pre_dispatch', array( $this, 'wpSetUpBeforeRequest' ), 10, 3 ); 71 84 add_filter( 'posts_clauses', array( $this, 'save_posts_clauses' ), 10, 2 ); … … 498 511 } 499 512 513 /** 514 * @ticket 43701 515 */ 516 public function test_get_items_multiple_statuses_custom_role_one_invalid_query() { 517 $private_post_id = $this->factory->post->create( array( 'post_status' => 'private' ) ); 518 519 wp_set_current_user( self::$private_reader_id ); 520 $request = new WP_REST_Request( 'GET', '/wp/v2/posts' ); 521 $request->set_param( 'status', array( 'private', 'future' ) ); 522 523 $response = rest_get_server()->dispatch( $request ); 524 $this->assertErrorResponse( 'rest_invalid_param', $response, 400 ); 525 } 526 500 527 public function test_get_items_invalid_status_query() { 501 528 wp_set_current_user( 0 ); … … 994 1021 } 995 1022 996 public function test_get_items_private_status_query_var() { 997 // Private query vars inaccessible to unauthorized users 1023 public function test_get_items_status_draft_permissions() { 1024 $draft_id = $this->factory->post->create( array( 'post_status' => 'draft' ) ); 1025 1026 // Drafts status query var inaccessible to unauthorized users. 
998 1027 wp_set_current_user( 0 ); 999 $draft_id = $this->factory->post->create( array( 'post_status' => 'draft' ) ); 1000 $request = new WP_REST_Request( 'GET', '/wp/v2/posts' ); 1028 $request = new WP_REST_Request( 'GET', '/wp/v2/posts' ); 1001 1029 $request->set_param( 'status', 'draft' ); 1002 $response = $this->server->dispatch( $request );1030 $response = rest_get_server()->dispatch( $request ); 1003 1031 $this->assertErrorResponse( 'rest_invalid_param', $response, 400 ); 1004 1032 1005 // But they are accessible to authorized users 1006 wp_set_current_user( self::$editor_id ); 1007 $response = $this->server->dispatch( $request ); 1008 $data = $response->get_data(); 1033 // Users with 'read_private_posts' cap shouldn't also be able to view drafts. 1034 wp_set_current_user( self::$private_reader_id ); 1035 $request = new WP_REST_Request( 'GET', '/wp/v2/posts' ); 1036 $request->set_param( 'status', 'draft' ); 1037 $response = rest_get_server()->dispatch( $request ); 1038 $this->assertErrorResponse( 'rest_invalid_param', $response, 400 ); 1039 1040 // But drafts are accessible to authorized users. 
1041 wp_set_current_user( self::$editor_id ); 1042 $response = rest_get_server()->dispatch( $request ); 1043 $data = $response->get_data(); 1044 1045 $this->assertEquals( $draft_id, $data[0]['id'] ); 1046 } 1047 1048 /** 1049 * @ticket 43701 1050 */ 1051 public function test_get_items_status_private_permissions() { 1052 $private_post_id = $this->factory->post->create( array( 'post_status' => 'private' ) ); 1053 1054 wp_set_current_user( 0 ); 1055 $request = new WP_REST_Request( 'GET', '/wp/v2/posts' ); 1056 $request->set_param( 'status', 'private' ); 1057 $response = rest_get_server()->dispatch( $request ); 1058 $this->assertErrorResponse( 'rest_invalid_param', $response, 400 ); 1059 1060 wp_set_current_user( self::$private_reader_id ); 1061 $request = new WP_REST_Request( 'GET', '/wp/v2/posts' ); 1062 $request->set_param( 'status', 'private' ); 1063 1064 $response = rest_get_server()->dispatch( $request ); 1065 $data = $response->get_data(); 1066 $this->assertEquals( 200, $response->get_status() ); 1009 1067 $this->assertCount( 1, $data ); 1010 $this->assertEquals( $ draft_id, $data[0]['id'] );1068 $this->assertEquals( $private_post_id, $data[0]['id'] ); 1011 1069 } 1012 1070
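Review bot: `$private_post_id` in `test_get_items_multiple_statuses_custom_role_one_invalid_query` is assigned on the first line of the test but never read, so the fixture adds nothing the assertion depends on; the 400 for `array( 'private', 'future' )` is expected regardless of whether a private post exists, so I'd drop that line rather than add an assertion. The `private_reader` role is registered with `add_role()` in `setUp()`, but the section shows no matching `remove_role( 'private_reader' )` in `tearDown()`; if the test base class does not reset `WP_Roles` between tests, the custom role persists into later tests, which is worth confirming. Also note that `self::$private_reader_id` is created in the static fixture before the role exists in `setUp()`, which presumably works only because the role name is resolved against `WP_Roles` when the user is loaded; a one-line comment above the `add_role()` call, e.g. `// Role must exist before wp_set_current_user() resolves the fixture user's caps.`, would save the next reader the same check. The enclosing test class starts and ends outside this section.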