Merge pull request from GHSA-xcx6-4gm7-wrfm

* Update permission check when duplicating stories Check for update instead of read permission * Disallow view context for `style_presets` field * Do not return `story_data` for password protected stories
GoogleForCreators · May 2, 2023 · ad49781 · ad49781
1 parent 20464ee
commit ad49781
Show file tree

Hide file tree

Showing 3 changed files with 76 additions and 4 deletions.
diff --git a/includes/REST_API/Stories_Base_Controller.php b/includes/REST_API/Stories_Base_Controller.php
@@ -134,7 +134,7 @@ public function prepare_item_for_response( $post, $request ): WP_REST_Response {
 
 		if ( ! empty( $schema['properties']['story_data'] ) && rest_is_field_included( 'story_data', $fields ) ) {
 			$post_story_data    = json_decode( $post->post_content_filtered, true );
-			$data['story_data'] = rest_sanitize_value_from_schema( $post_story_data, $schema['properties']['story_data'] );
+			$data['story_data'] = post_password_required( $post ) ? (object) [] : rest_sanitize_value_from_schema( $post_story_data, $schema['properties']['story_data'] );
 		}
 
 		/**
@@ -184,7 +184,7 @@ public function create_item( $request ) {
 			return $original_post;
 		}
 
-		if ( ! $this->check_read_permission( $original_post ) ) {
+		if ( ! $this->check_update_permission( $original_post ) ) {
 			return new \WP_Error(
 				'rest_cannot_create',
 				__( 'Sorry, you are not allowed to duplicate this story.', 'web-stories' ),

diff --git a/includes/REST_API/Stories_Controller.php b/includes/REST_API/Stories_Controller.php
@@ -215,7 +215,7 @@ public function get_item_schema(): array {
 		$schema['properties']['style_presets'] = [
 			'description' => __( 'Style presets used by all stories', 'web-stories' ),
 			'type'        => 'object',
-			'context'     => [ 'view', 'edit' ],
+			'context'     => [ 'edit' ],
 		];
 
 		$schema['properties']['preview_link'] = [

diff --git a/tests/phpunit/integration/tests/REST_API/Stories_Controller.php b/tests/phpunit/integration/tests/REST_API/Stories_Controller.php
@@ -411,6 +411,36 @@ public function test_get_item_lock(): void {
 		$this->assertArrayHasKey( 'https://api.w.org/lock', $links );
 	}
 
+	/**
+	 * @covers ::get_item
+	 * @covers ::prepare_item_for_response
+	 * @covers \Google\Web_Stories\REST_API\Stories_Base_Controller::prepare_item_for_response
+	 */
+	public function test_get_item_no_story_data_for_password_protected_post(): void {
+		$this->controller->register_routes();
+
+		$story = self::factory()->post->create(
+			[
+				'post_type'     => Story_Post_Type::POST_TYPE_SLUG,
+				'post_status'   => 'publish',
+				'post_password' => 'Top Secret',
+				'post_author'   => self::$user_id,
+			]
+		);
+
+		wp_set_current_user( self::$author_id );
+
+		$request  = new WP_REST_Request( \WP_REST_Server::READABLE, '/web-stories/v1/web-story/' . $story );
+		$response = rest_get_server()->dispatch( $request );
+
+		$data = $response->get_data();
+
+		$this->assertIsArray( $data );
+		$this->assertArrayHasKey( 'story_data', $data );
+		$this->assertIsObject( $data['story_data'] );
+		$this->assertEmpty( (array) $data['story_data'] );
+	}
+
 	/**
 	 * @covers ::get_item
 	 * @covers \Google\Web_Stories\REST_API\Stories_Base_Controller::get_available_actions
@@ -1070,7 +1100,7 @@ public function test_create_item_duplicate_id_invalid_id(): void {
 	/**
 	 * @covers ::create_item
 	 */
-	public function test_create_item_duplicate_id_permission(): void {
+	public function test_create_item_duplicate_id_no_permission_for_private_post(): void {
 		$this->controller->register_routes();
 
 		$unsanitized_content    = file_get_contents( WEB_STORIES_TEST_DATA_DIR . '/story_post_content.html' );
@@ -1107,6 +1137,48 @@ public function test_create_item_duplicate_id_permission(): void {
 		$this->assertErrorResponse( 'rest_cannot_create', $response, 403 );
 	}
 
+
+	/**
+	 * @covers ::create_item
+	 */
+	public function test_create_item_duplicate_id_no_permission_for_password_protected_post(): void {
+		$this->controller->register_routes();
+
+		$unsanitized_content    = file_get_contents( WEB_STORIES_TEST_DATA_DIR . '/story_post_content.html' );
+		$unsanitized_story_data = wp_json_encode( [ 'pages' => [] ] );
+		$original_id            = self::factory()->post->create(
+			[
+				'post_type'             => Story_Post_Type::POST_TYPE_SLUG,
+				'post_content'          => $unsanitized_content,
+				'post_title'            => 'Example title',
+				'post_excerpt'          => 'Example excerpt',
+				'post_author'           => self::$user_id,
+				'post_status'           => 'publish',
+				'post_password'         => 'Top Secret',
+				'post_content_filtered' => $unsanitized_story_data,
+			]
+		);
+
+		$attachment_id = self::factory()->attachment->create_upload_object( WEB_STORIES_TEST_DATA_DIR . '/attachment.jpg' );
+
+		$this->assertNotWPError( $attachment_id );
+
+		set_post_thumbnail( $original_id, $attachment_id );
+
+		wp_set_current_user( self::$author_id );
+		$this->kses_int();
+
+		$request = new WP_REST_Request( \WP_REST_Server::CREATABLE, '/web-stories/v1/web-story' );
+		$request->set_body_params(
+			[
+				'original_id' => $original_id,
+			]
+		);
+
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertErrorResponse( 'rest_cannot_create', $response, 403 );
+	}
+
 	/**
 	 * @covers ::update_item
 	 * @covers \Google\Web_Stories\REST_API\Stories_Base_Controller::update_item