Changeset 52016 for trunk/tests/phpunit/tests/rest-api/rest-widgets-controller.php

Timestamp:

11/05/2021 02:14:07 AM (2 years ago)

Author:

TimothyBlynJacobs

Message:

REST API: Allow sidebars and their widgets to be public.

By default, only users with the edit_theme_options capability can access the sidebars and widgets REST API endpoints. In this commit, A new show_in_rest parameter is added to the register_sidebar function. When enabled, all users will be able to access that sidebar and any widgets belonging to that sidebar.

This commit reduces the context for a widget's instance information to only edit. This is to ensure that internal widget data is not inadvertently exposed to the public. A future ticket may expose additional APIs to allow widget authors to indicate that their instance data can be safely exposed. REST API consumers intending to access this instance information should take care to explicitly set the context parameter to edit.

Props spacedmonkey, zieladam.
Fixes #53915.

File:

• trunk/tests/phpunit/tests/rest-api/rest-widgets-controller.php (modified) (6 diffs)

trunk/tests/phpunit/tests/rest-api/rest-widgets-controller.php

@@ -242 +242 @@
 
     /**
+     * @ticket 53915
+     */
+    public function test_get_items_no_permission_show_in_rest() {
+        $this->setup_widget(
+            'text',
+            1,
+            array(
+                'text' => 'Custom text test',
+            )
+        );
+        $this->setup_sidebar(
+            'sidebar-1',
+            array(
+                'name'         => 'Test sidebar',
+                'show_in_rest' => true,
+            ),
+            array( 'text-1', 'testwidget' )
+        );
+
+        $request  = new WP_REST_Request( 'GET', '/wp/v2/widgets' );
+        $response = rest_get_server()->dispatch( $request );
+        $data     = $response->get_data();
+        $data     = $this->remove_links( $data );
+        $this->assertSameIgnoreEOL(
+            array(
+                array(
+                    'id'       => 'text-1',
+                    'id_base'  => 'text',
+                    'sidebar'  => 'sidebar-1',
+                    'rendered' => '<div class="textwidget">Custom text test</div>',
+                ),
+                array(
+                    'id'       => 'testwidget',
+                    'id_base'  => 'testwidget',
+                    'sidebar'  => 'sidebar-1',
+                    'rendered' => '<h1>Default id</h1><span>Default text</span>',
+                ),
+            ),
+            $data
+        );
+    }
+
+    /**
+     * @ticket 53915
+     */
+    public function test_get_items_without_show_in_rest_are_removed_from_the_list() {
+        wp_set_current_user( self::$author_id );
+        $this->setup_widget(
+            'text',
+            1,
+            array(
+                'text' => 'Custom text test',
+            )
+        );
+        $this->setup_sidebar(
+            'sidebar-1',
+            array(
+                'name'         => 'Test sidebar 1',
+                'show_in_rest' => true,
+            ),
+            array( 'text-1', 'testwidget' )
+        );
+        $this->setup_sidebar(
+            'sidebar-2',
+            array(
+                'name'         => 'Test sidebar 2',
+                'show_in_rest' => false,
+            ),
+            array( 'text-1', 'testwidget' )
+        );
+        $request  = new WP_REST_Request( 'GET', '/wp/v2/widgets' );
+        $response = rest_get_server()->dispatch( $request );
+        $data     = $response->get_data();
+        $data     = $this->remove_links( $data );
+        $this->assertSameIgnoreEOL(
+            array(
+                array(
+                    'id'       => 'text-1',
+                    'id_base'  => 'text',
+                    'sidebar'  => 'sidebar-1',
+                    'rendered' => '<div class="textwidget">Custom text test</div>',
+                ),
+                array(
+                    'id'       => 'testwidget',
+                    'id_base'  => 'testwidget',
+                    'sidebar'  => 'sidebar-1',
+                    'rendered' => '<h1>Default id</h1><span>Default text</span>',
+                ),
+            ),
+            $data
+        );
+    }
+
+    /**
      * @ticket 41683
      */
@@ -296 +390 @@
                     'sidebar'  => 'sidebar-1',
                     'rendered' => '<p>Block test</p>',
-                    'instance' => array(
-                        'encoded' => base64_encode(
-                            serialize(
-                                array(
-                                    'content' => $block_content,
-                                )
-                            )
-                        ),
-                        'hash'    => wp_hash(
-                            serialize(
-                                array(
-                                    'content' => $block_content,
-                                )
-                            )
-                        ),
-                        'raw'     => array(
-                            'content' => $block_content,
-                        ),
-                    ),
                 ),
                 array(
@@ -321 +396 @@
                     'sidebar'  => 'sidebar-1',
                     'rendered' => '<a class="rsswidget" href="https://wordpress.org/news/feed"><img class="rss-widget-icon" style="border:0" width="14" height="14" src="http://example.org/wp-includes/images/rss.png" alt="RSS" /></a> <a class="rsswidget" href="https://wordpress.org/news">RSS test</a><ul><li><a class=\'rsswidget\' href=\'https://wordpress.org/news/2020/12/introducing-learn-wordpress/\'>Introducing Learn WordPress</a></li><li><a class=\'rsswidget\' href=\'https://wordpress.org/news/2020/12/simone/\'>WordPress 5.6 “Simone”</a></li><li><a class=\'rsswidget\' href=\'https://wordpress.org/news/2020/12/state-of-the-word-2020/\'>State of the Word 2020</a></li><li><a class=\'rsswidget\' href=\'https://wordpress.org/news/2020/12/the-month-in-wordpress-november-2020/\'>The Month in WordPress: November 2020</a></li><li><a class=\'rsswidget\' href=\'https://wordpress.org/news/2020/12/wordpress-5-6-release-candidate-2/\'>WordPress 5.6 Release Candidate 2</a></li><li><a class=\'rsswidget\' href=\'https://wordpress.org/news/2020/11/wordpress-5-6-release-candidate/\'>WordPress 5.6 Release Candidate</a></li><li><a class=\'rsswidget\' href=\'https://wordpress.org/news/2020/11/wordpress-5-6-beta-4/\'>WordPress 5.6 Beta 4</a></li><li><a class=\'rsswidget\' href=\'https://wordpress.org/news/2020/11/wordpress-5-6-beta-3/\'>WordPress 5.6 Beta 3</a></li><li><a class=\'rsswidget\' href=\'https://wordpress.org/news/2020/11/the-month-in-wordpress-october-2020/\'>The Month in WordPress: October 2020</a></li><li><a class=\'rsswidget\' href=\'https://wordpress.org/news/2020/10/wordpress-5-5-3-maintenance-release/\'>WordPress 5.5.3 Maintenance Release</a></li></ul>',
-                    'instance' => array(
-                        'encoded' => base64_encode(
-                            serialize(
-                                array(
-                                    'title' => 'RSS test',
-                                    'url'   => 'https://wordpress.org/news/feed',
-                                )
-                            )
-                        ),
-                        'hash'    => wp_hash(
-                            serialize(
-                                array(
-                                    'title' => 'RSS test',
-                                    'url'   => 'https://wordpress.org/news/feed',
-                                )
-                            )
-                        ),
-                    ),
                 ),
                 array(
@@ -345 +402 @@
                     'sidebar'  => 'sidebar-1',
                     'rendered' => '<h1>Default id</h1><span>Default text</span>',
-                    'instance' => null,
                 ),
             ),
@@ -470 +526 @@
                 'sidebar'  => 'sidebar-1',
                 'rendered' => '<div class="textwidget">Custom text test</div>',
-                'instance' => array(
-                    'encoded' => base64_encode(
-                        serialize(
-                            array(
-                                'text' => 'Custom text test',
-                            )
-                        )
-                    ),
-                    'hash'    => wp_hash(
-                        serialize(
-                            array(
-                                'text' => 'Custom text test',
-                            )
-                        )
-                    ),
-                    'raw'     => array(
-                        'text' => 'Custom text test',
-                    ),
-                ),
             ),
             $data
@@ -542 +579 @@
         $response = rest_get_server()->dispatch( $request );
         $this->assertErrorResponse( 'rest_cannot_manage_widgets', $response, 403 );
+    }
+
+    /**
+     * @ticket 53915
+     */
+    public function test_get_item_no_permission_show_in_rest() {
+        wp_set_current_user( 0 );
+
+        $this->setup_widget(
+            'text',
+            1,
+            array(
+                'text' => 'Custom text test',
+            )
+        );
+        $this->setup_sidebar(
+            'sidebar-1',
+            array(
+                'name'         => 'Test sidebar',
+                'show_in_rest' => true,
+            ),
+            array( 'text-1' )
+        );
+
+        $request  = new WP_REST_Request( 'GET', '/wp/v2/widgets/text-1' );
+        $response = rest_get_server()->dispatch( $request );
+        $data     = $response->get_data();
+        $this->assertSameSets(
+            array(
+                'id'       => 'text-1',
+                'id_base'  => 'text',
+                'sidebar'  => 'sidebar-1',
+                'rendered' => '<div class="textwidget">Custom text test</div>',
+            ),
+            $data
+        );
     }