
Changeset 14034


Timestamp:
10/02/2024 03:23:39 AM (6 weeks ago)
Author:
espellcaste
Message:

BP REST API: spammed users cannot be retrieved by non-admin users.

Align the BP REST API with the web version, and show spammer users to Administrators only.

Props imath and emaralive.

See #9145
Fixes #9231

Location:
trunk
Files:
2 edited

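--- a/trunk/src/bp-members/classes/class-bp-members-rest-controller.php
+++ b/trunk/src/bp-members/classes/class-bp-members-rest-controller.php
@@ -244,8 +244,7 @@
             $member       = reset( $member_query->results );
 
-            $member   = $this->prepare_item_for_response( $member, $request );
-            $response = rest_ensure_response( $member );
-
-            return $response;
+            $member = $this->prepare_item_for_response( $member, $request );
+
+            return rest_ensure_response( $member );
         }
 
@@ -258,5 +257,5 @@
      * @since 15.0.0
      *
-     * @param  WP_REST_Request $request Full details about the request.
+     * @param WP_REST_Request $request Full details about the request.
      * @return true|WP_Error
      */
@@ -281,17 +280,13 @@
                     )
                 );
-            } elseif ( 'edit' === $request->get_param( 'context' ) ) {
-                if ( get_current_user_id() === $user->ID || bp_current_user_can( 'list_users' ) ) {
-                    $retval = true;
-                } else {
-                    $retval = new WP_Error(
-                        'bp_rest_authorization_required',
-                        __( 'Sorry, you are not allowed to view members with the edit context.', 'buddypress' ),
-                        array(
-                            'status' => rest_authorization_required_code(),
-                        )
-                    );
-                }
-            } else {
+            } elseif ( get_current_user_id() === $user->ID && ! bp_is_user_spammer( $user->ID ) ) {
+                $retval = true;
+            } elseif ( 'edit' === $request->get_param( 'context' ) && ! bp_current_user_can( 'list_users' ) ) {
+                $retval = new WP_Error(
+                    'bp_rest_authorization_required',
+                    __( 'Sorry, you are not allowed to view members with the edit context.', 'buddypress' ),
+                    array( 'status' => rest_authorization_required_code() )
+                );
+            } elseif ( bp_current_user_can( 'bp_moderate' ) || ! bp_is_user_spammer( $user->ID ) ) {
                 $retval = true;
             }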
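Review bot: A spammed id now ends in a different error than an unknown id: the `bp_rest_member_invalid_id` branch whose closing `);` opens the last hunk still answers 404, while a spammed member fails every new `elseif` and falls through to the default `$retval`, which the new tests on this page expect to be `bp_rest_authorization_required`, so the status code alone tells any client which ids belong to spammed accounts. If the web version this commit aligns with serves a 404 for spammer profiles, as I believe it does, returning the same invalid-id error here for members the current user may not see would close that oracle, e.g. by extending the invalid-id condition with `|| ( bp_is_user_spammer( $user->ID ) && ! bp_current_user_can( 'bp_moderate' ) )` and dropping the spammer test from the final `elseif`. Either way the last `elseif` deserves a line explaining the rule it encodes, such as `// Spammed members are exposed to moderators only; everyone else, the member included, falls through to the default error.`, since the `bp_moderate` capability is the only thing the commit message's "Administrators only" maps to. The opening `if` of get_item_permissions_check and the initialisation of `$retval` sit outside the hunk, so the default error is inferred from the tests rather than read from these lines.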
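--- a/trunk/tests/phpunit/testcases/members/test-controller.php
+++ b/trunk/tests/phpunit/testcases/members/test-controller.php
@@ -37,5 +37,4 @@
             )
         );
-        $request->set_param( 'context', 'view' );
         $response = $this->server->dispatch( $request );
 
@@ -65,5 +64,4 @@
             )
         );
-        $request->set_param( 'context', 'view' );
         $response = $this->server->dispatch( $request );
 
@@ -115,7 +113,7 @@
 
         $members = $response->get_data();
+
         $this->assertNotEmpty( $members );
-
-        $this->assertTrue( 3 === count( $members ) );
+        $this->assertCount( 3, $members );
 
         $latest_activities = wp_list_pluck( $members, 'last_activity', 'id' );
@@ -138,4 +136,5 @@
 
         $request = new WP_REST_Request( 'GET', $this->endpoint_url );
+        $request->set_param( 'context', 'view' );
         $request->set_query_params(
             array(
@@ -146,5 +145,4 @@
         );
 
-        $request->set_param( 'context', 'view' );
         $response = $this->server->dispatch( $request );
 
@@ -183,4 +181,5 @@
 
         $request = new WP_REST_Request( 'GET', $this->endpoint_url );
+        $request->set_param( 'context', 'view' );
         $request->set_query_params(
             array(
@@ -188,5 +187,4 @@
             )
         );
-        $request->set_param( 'context', 'view' );
         $response = $this->server->dispatch( $request );
 
@@ -541,4 +539,88 @@
 
         $this->assertErrorResponse( 'bp_rest_member_invalid_id', $response, 404 );
+    }
+
+    /**
+     * @group get_item
+     */
+    public function test_get_spammed_user() {
+        $u = static::factory()->user->create();
+
+        // Spam the user.
+        bp_core_process_spammer_status( $u, 'spam' );
+
+        $this->assertTrue( bp_is_user_spammer( $u ) );
+
+        $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '/%d', $u ) );
+        $request->set_param( 'context', 'view' );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+    }
+
+    /**
+     * @group get_item
+     */
+    public function test_get_spammed_user_with_random_logged_in_user() {
+        $u  = static::factory()->user->create();
+        $u2 = static::factory()->user->create();
+
+        // Spam the user.
+        bp_core_process_spammer_status( $u, 'spam' );
+
+        $this->assertTrue( bp_is_user_spammer( $u ) );
+
+        wp_set_current_user( $u2 );
+
+        $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '/%d', $u ) );
+        $request->set_param( 'context', 'view' );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+    }
+
+    /**
+     * @group get_item
+     */
+    public function test_get_spammed_user_with_spammed_user() {
+        $u = static::factory()->user->create();
+
+        // Spam the user.
+        bp_core_process_spammer_status( $u, 'spam' );
+
+        $this->assertTrue( bp_is_user_spammer( $u ) );
+
+        wp_set_current_user( $u );
+
+        $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '/%d', $u ) );
+        $request->set_param( 'context', 'view' );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+    }
+
+    /**
+     * @group get_item
+     */
+    public function test_get_spammed_user_as_admin() {
+        $u = static::factory()->user->create();
+
+        // Spam the user.
+        bp_core_process_spammer_status( $u, 'spam' );
+
+        $this->assertTrue( bp_is_user_spammer( $u ) );
+
+        wp_set_current_user( $this->user );
+
+        $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '/%d', $u ) );
+        $request->set_param( 'context', 'view' );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertEquals( 200, $response->get_status() );
+
+        $member = $response->get_data();
+
+        $this->assertNotEmpty( $member );
+        $this->assertSame( $u, $member['id'] );
     }
 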
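Review bot: `test_get_spammed_user` dispatches without choosing a current user, so whether it exercises the anonymous path depends on whatever `set_up()` or an earlier test left behind; an explicit `wp_set_current_user( 0 );` before the dispatch would pin the intent, and the expected status could then be asserted as a literal `401` instead of `rest_authorization_required_code()`, which returns 401 or 403 depending on exactly that state and therefore cannot catch a wrong one. The four new tests all use the `view` context, while the permission check this commit rewrites also branches on `edit`; a moderator and the member themselves fetching a spammed account with `$request->set_param( 'context', 'edit' );` are the combinations most likely to regress and are not covered. As a point of style, `$this->assertEquals( 200, $response->get_status() );` in `test_get_spammed_user_as_admin` could be `assertSame`, matching the `assertSame( $u, $member['id'] )` two lines below and the strict comparisons the rest of the commit moves toward. The test class continues beyond the end of this section.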