mirror_php/wordpress
1
0
Fork 0
mirror of git://develop.git.wordpress.org/ synced 2025-03-14 17:09:47 +01:00
Code Issues Actions 10 Packages Projects Releases Wiki Activity

REST API: Enable users with read_private_posts to query for them.

Browse Source 
An authorized request with the `read_private_posts` capability for a post type should be able to `GET /wp/v2/posts` for posts of `status=private`. This query is further sanity-checked by `WP_REST_Posts_Controller->check_read_permission()`, which is unchanged.

Props rachelbaker, soulseekah, twoelevenjay.
Fixes #43701.


git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43694 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Daniel Bachhuber 2018-10-10 20:48:21 +00:00
parent 99f178c4cd
commit f5c8be7077
2 changed files with 68 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
View File

@ -2498,7 +2498,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
$post_type_obj = get_post_type_object( $this->post_type );
if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
if ( current_user_can( $post_type_obj->cap->edit_posts ) || 'private' === $status && current_user_can( $post_type_obj->cap->read_private_posts ) ) {
$result = rest_validate_request_arg( $status, $request, $parameter );
if ( is_wp_error( $result ) ) {
return $result;

76
tests/phpunit/tests/rest-api/rest-posts-controller.php
View File

@ -16,6 +16,7 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
protected static $editor_id;
protected static $author_id;
protected static $contributor_id;
protected static $private_reader_id;
protected static $supported_formats;
@ -39,6 +40,12 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
'role' => 'contributor',
) );
self::$private_reader_id = $factory->user->create(
array(
'role' => 'private_reader',
)
);
if ( is_multisite() ) {
update_site_option( 'site_admins', array( 'superadmin' ) );
}
@ -62,11 +69,17 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
self::delete_user( self::$editor_id );
self::delete_user( self::$author_id );
self::delete_user( self::$contributor_id );
self::delete_user( self::$private_reader_id );
}
public function setUp() {
parent::setUp();
register_post_type( 'youseeme', array( 'supports' => array(), 'show_in_rest' => true ) );
add_role( 'private_reader', 'Private Reader' );
$role = get_role( 'private_reader' );
$role->add_cap( 'read_private_posts' );
add_filter( 'rest_pre_dispatch', array( $this, 'wpSetUpBeforeRequest' ), 10, 3 );
add_filter( 'posts_clauses', array( $this, 'save_posts_clauses' ), 10, 2 );
}
@ -497,6 +510,20 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
}
/**
* @ticket 43701
*/
public function test_get_items_multiple_statuses_custom_role_one_invalid_query() {
$private_post_id = $this->factory->post->create( array( 'post_status' => 'private' ) );
wp_set_current_user( self::$private_reader_id );
$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
$request->set_param( 'status', array( 'private', 'future' ) );
$response = rest_get_server()->dispatch( $request );
$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
}
public function test_get_items_invalid_status_query() {
wp_set_current_user( 0 );
$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
@ -993,23 +1020,54 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
$this->assertContains( '<' . $next_link . '>; rel="next"', $headers['Link'] );
}
public function test_get_items_private_status_query_var() {
// Private query vars inaccessible to unauthorized users
wp_set_current_user( 0 );
public function test_get_items_status_draft_permissions() {
$draft_id = $this->factory->post->create( array( 'post_status' => 'draft' ) );
$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
// Drafts status query var inaccessible to unauthorized users.
wp_set_current_user( 0 );
$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
$request->set_param( 'status', 'draft' );
$response = $this->server->dispatch( $request );
$response = rest_get_server()->dispatch( $request );
$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
// But they are accessible to authorized users
// Users with 'read_private_posts' cap shouldn't also be able to view drafts.
wp_set_current_user( self::$private_reader_id );
$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
$request->set_param( 'status', 'draft' );
$response = rest_get_server()->dispatch( $request );
$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
// But drafts are accessible to authorized users.
wp_set_current_user( self::$editor_id );
$response = $this->server->dispatch( $request );
$data = $response->get_data();
$this->assertCount( 1, $data );
$response = rest_get_server()->dispatch( $request );
$data = $response->get_data();
$this->assertEquals( $draft_id, $data[0]['id'] );
}
/**
* @ticket 43701
*/
public function test_get_items_status_private_permissions() {
$private_post_id = $this->factory->post->create( array( 'post_status' => 'private' ) );
wp_set_current_user( 0 );
$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
$request->set_param( 'status', 'private' );
$response = rest_get_server()->dispatch( $request );
$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
wp_set_current_user( self::$private_reader_id );
$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
$request->set_param( 'status', 'private' );
$response = rest_get_server()->dispatch( $request );
$data = $response->get_data();
$this->assertEquals( 200, $response->get_status() );
$this->assertCount( 1, $data );
$this->assertEquals( $private_post_id, $data[0]['id'] );
}
public function test_get_items_invalid_per_page() {
$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
$request->set_query_params( array( 'per_page' => -1 ) );