Changeset 49475

Timestamp:

11/02/2020 06:40:06 PM (4 years ago)

Author:

helen

Message:

Privacy: More precise checking of user request action names.

Props garrett-eclipse.
Fixes #46536.

Location:

trunk

Files:

• src/wp-includes/user.php (modified) (1 diff)
• tests/phpunit/tests/privacy/wpCreateUserRequest.php (modified) (2 diffs)
• tests/phpunit/tests/user/wpSendUserRequest.php (modified) (2 diffs)
• tests/qunit/fixtures/wp-api-generated.js (modified) (1 diff)

trunk/src/wp-includes/user.php

@@ -3774 +3774 @@
     }
 
-    if ( ! $action_name ) {
+    if ( ! in_array( $action_name, _wp_privacy_action_request_types(), true ) ) {
         return new WP_Error( 'invalid_action', __( 'Invalid action name.' ) );
     }

trunk/tests/phpunit/tests/privacy/wpCreateUserRequest.php

@@ -94 +94 @@
 
     /**
+     * Ensure a WP_Error is returned when no action is passed.
+     *
+     * @ticket 46536
+     */
+    public function test_missing_action() {
+        $actual = wp_create_user_request( self::$registered_user_email, false );
+
+        $this->assertWPError( $actual );
+        $this->assertSame( 'invalid_action', $actual->get_error_code() );
+    }
+
+    /**
      * Ensure a WP_Error is returned when an invalid action is passed.
      *
      * @ticket 44707
+     * @ticket 46536
      */
     public function test_invalid_action() {
-        $actual = wp_create_user_request( self::$registered_user_email, false );
+        $actual = wp_create_user_request( self::$registered_user_email, 'invalid_action_name' );
 
         $this->assertWPError( $actual );
@@ -162 +175 @@
      */
     public function test_sanitized_action_name() {
-        $actual = wp_create_user_request( self::$non_registered_user_email, 'some[custom*action\name' );
-
-        $this->assertNotWPError( $actual );
-
-        $post = get_post( $actual );
-
-        $this->assertSame( 'somecustomactionname', $post->post_name );
+        $actual = wp_create_user_request( self::$non_registered_user_email, 'export[_person*al_\data' );
+
+        $this->assertNotWPError( $actual );
+
+        $post = get_post( $actual );
+
+        $this->assertSame( 'export_personal_data', $post->post_name );
         $this->assertSame( self::$non_registered_user_email, $post->post_title );
     }

trunk/tests/phpunit/tests/user/wpSendUserRequest.php

@@ -375 +375 @@
         wp_set_current_user( self::$admin_user->ID );
 
-        $request_id = wp_create_user_request( 'erase-user-not-registered@example.com', 'erase_personal_data' );
+        $request_id = wp_create_user_request( 'erase-user-not-registered@example.com', 'remove_personal_data' );
 
         wp_send_user_request( $request_id );
@@ -397 +397 @@
         wp_set_current_user( self::$admin_user->ID );
 
-        $request_id = wp_create_user_request( 'export-user-not-registered@example.com', 'erase_personal_data' );
+        $request_id = wp_create_user_request( 'export-user-not-registered@example.com', 'remove_personal_data' );
 
         wp_send_user_request( $request_id );

trunk/tests/qunit/fixtures/wp-api-generated.js

@@ -6135 +6135 @@
                     {
                         "href": "http://example.org/index.php?rest_route=/wp-site-health/v1/tests/dotorg-communication"
+                    }
+                ]
+            }
+        },
+        "/wp-site-health/v1/tests/authorization-header": {
+            "namespace": "wp-site-health/v1",
+            "methods": [
+                "GET"
+            ],
+            "endpoints": [
+                {
+                    "methods": [
+                        "GET"
+                    ],
+                    "args": []
+                }
+            ],
+            "_links": {
+                "self": [
+                    {
+                        "href": "http://example.org/index.php?rest_route=/wp-site-health/v1/tests/authorization-header"
                     }
                 ]