Changeset 43979
- Timestamp:
- 12/11/2018 10:29:36 PM (6 years ago)
- Location:
- trunk
- Files:
-
- 3 edited
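--- a/trunk/src/wp-includes/rest-api.php
+++ b/trunk/src/wp-includes/rest-api.php
@@ -992,4 +992,4 @@
 // Everything else will map nicely to boolean.
-return (boolean) $value;
+return (bool) $value;
 }
 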
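--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -2510,5 +2510,5 @@
 $post_type_obj = get_post_type_object( $this->post_type );
 
-if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
+if ( current_user_can( $post_type_obj->cap->edit_posts ) || 'private' === $status && current_user_can( $post_type_obj->cap->read_private_posts ) ) {
 $result = rest_validate_request_arg( $status, $request, $parameter );
 if ( is_wp_error( $result ) ) {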
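Review bot: The new condition on line 2512 mixes `||` and `&&` without grouping, so it only reads as "edit_posts, or (private status and read_private_posts)" by operator precedence; since this is an authorization gate, make the grouping explicit: `if ( current_user_can( $post_type_obj->cap->edit_posts ) || ( 'private' === $status && current_user_can( $post_type_obj->cap->read_private_posts ) ) ) {`. The enclosing function starts and ends outside the hunk, so how `$status` is derived is not visible here, but narrowing the new grant to the literal `'private'` keeps every other non-public status (draft, future, pending) behind `edit_posts`, which the added tests exercise.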
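--- a/trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php
@@ -17,4 +17,5 @@
 protected static $author_id;
 protected static $contributor_id;
+protected static $private_reader_id;
 
 protected static $supported_formats;
@@ -45,4 +46,10 @@
 array(
 'role' => 'contributor',
+)
+);
+
+self::$private_reader_id = $factory->user->create(
+array(
+'role' => 'private_reader',
 )
 );
@@ -71,4 +78,5 @@
 self::delete_user( self::$author_id );
 self::delete_user( self::$contributor_id );
+self::delete_user( self::$private_reader_id );
 }
 
@@ -82,4 +90,9 @@
 )
 );
+
+add_role( 'private_reader', 'Private Reader' );
+$role = get_role( 'private_reader' );
+$role->add_cap( 'read_private_posts' );
+
 add_filter( 'rest_pre_dispatch', array( $this, 'wpSetUpBeforeRequest' ), 10, 3 );
 add_filter( 'posts_clauses', array( $this, 'save_posts_clauses' ), 10, 2 );
@@ -593,4 +606,18 @@
 }
 
+/**
+* @ticket 43701
+*/
+public function test_get_items_multiple_statuses_custom_role_one_invalid_query() {
+$private_post_id = $this->factory->post->create( array( 'post_status' => 'private' ) );
+
+wp_set_current_user( self::$private_reader_id );
+$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
+$request->set_param( 'status', array( 'private', 'future' ) );
+
+$response = rest_get_server()->dispatch( $request );
+$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+}
+
 public function test_get_items_invalid_status_query() {
 wp_set_current_user( 0 );
@@ -1195,19 +1222,50 @@
 }
 
-public function test_get_items_private_status_query_var() {
-// Private query vars inaccessible to unauthorized users
+public function test_get_items_status_draft_permissions() {
+$draft_id = $this->factory->post->create( array( 'post_status' => 'draft' ) );
+
+// Drafts status query var inaccessible to unauthorized users.
 wp_set_current_user( 0 );
-$draft_id = $this->factory->post->create( array( 'post_status' => 'draft' ) );
-$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
+$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
 $request->set_param( 'status', 'draft' );
 $response = rest_get_server()->dispatch( $request );
 $this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
 
-// But they are accessible to authorized users
-wp_set_current_user( self::$editor_id );
-$response = rest_get_server()->dispatch( $request );
-$data = $response->get_data();
+// Users with 'read_private_posts' cap shouldn't also be able to view drafts.
+wp_set_current_user( self::$private_reader_id );
+$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
+$request->set_param( 'status', 'draft' );
+$response = rest_get_server()->dispatch( $request );
+$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+
+// But drafts are accessible to authorized users.
+wp_set_current_user( self::$editor_id );
+$response = rest_get_server()->dispatch( $request );
+$data = $response->get_data();
+
+$this->assertEquals( $draft_id, $data[0]['id'] );
+}
+
+/**
+* @ticket 43701
+*/
+public function test_get_items_status_private_permissions() {
+$private_post_id = $this->factory->post->create( array( 'post_status' => 'private' ) );
+
+wp_set_current_user( 0 );
+$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
+$request->set_param( 'status', 'private' );
+$response = rest_get_server()->dispatch( $request );
+$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+
+wp_set_current_user( self::$private_reader_id );
+$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
+$request->set_param( 'status', 'private' );
+
+$response = rest_get_server()->dispatch( $request );
+$data = $response->get_data();
+$this->assertEquals( 200, $response->get_status() );
 $this->assertCount( 1, $data );
-$this->assertEquals( $draft_id, $data[0]['id'] );
+$this->assertEquals( $private_post_id, $data[0]['id'] );
 }
 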
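Review bot: In `test_get_items_multiple_statuses_custom_role_one_invalid_query` the `$private_post_id` assigned on its first line is never read, so either drop the assignment (`$this->factory->post->create( array( 'post_status' => 'private' ) );`) or add a second assertion that the `private`-only request for this role succeeds, which would show why the fixture post is created at all. The `private_reader` role is registered with `add_role()` in the setUp hunk, but no matching `remove_role()` appears in this diff; unless the test base class resets roles between tests (not visible here), the role and its `read_private_posts` capability will persist across the suite and could mask permission regressions in other tests. In `test_get_items_status_draft_permissions` the editor case re-dispatches the `$request` built for the private reader; that is correct, but a one-line comment such as `// Reuse the draft request built above for the editor.` would make the intent clear to the next reader.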