Skip to content
This repository has been archived by the owner on Sep 24, 2018. It is now read-only.

Commit

Permalink
Merge pull request #2463 from websupporter/user-context-permission-fo…
Browse files Browse the repository at this point in the history 
…r-get_items

return error, if user can't list users & content=edit
  • Loading branch information
@danielbachhuber
danielbachhuber committed Apr 25, 2016
2 parents 6cfa0dd + 84c43b4 commit 44c7c8f
Show file tree
Hide file tree
Showing 2 changed files with 36 additions and 0 deletions.
4 changes: 4 additions & 0 deletions lib/endpoints/class-wp-rest-users-controller.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,10 @@ public function get_items_permissions_check( $request ) {
return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you cannot filter by role.' ), array( 'status' => rest_authorization_required_code() ) );
}

if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you cannot view this resource with edit context.' ), array( 'status' => rest_authorization_required_code() ) );
}

return true;
}

Expand Down
32 changes: 32 additions & 0 deletions tests/test-rest-users-controller.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,38 @@ public function test_get_items() {
$this->check_user_data( $userdata, $data, 'view', $data['_links'] );
}

public function test_get_items_with_edit_context() {
wp_set_current_user( $this->user );

$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
$request->set_param( 'context', 'edit' );
$response = $this->server->dispatch( $request );

$this->assertEquals( 200, $response->get_status() );

$all_data = $response->get_data();
$data = $all_data[0];
$userdata = get_userdata( $data['id'] );
$this->check_user_data( $userdata, $data, 'edit', $data['_links'] );
}

public function test_get_items_with_edit_context_without_permission() {
//test with a user not logged in
$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
$request->set_param( 'context', 'edit' );
$response = $this->server->dispatch( $request );

$this->assertEquals( 401, $response->get_status() );

//test with a user logged in but without sufficient capabilities; capability in question: 'list_users'
wp_set_current_user( $this->editor );
$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
$request->set_param( 'context', 'edit' );
$response = $this->server->dispatch( $request );

$this->assertEquals( 403, $response->get_status() );
}

public function test_get_items_unauthenticated_only_shows_public_users() {
$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
$response = $this->server->dispatch( $request );
Expand Down

0 comments on commit 44c7c8f

Please sign in to comment.