From a078acdcfa4ab6169c73a447a95c700bb9fbc483 Mon Sep 17 00:00:00 2001 From: Renato Alves <19148962+renatonascalves@users.noreply.github.com> Date: Mon, 20 May 2024 23:56:06 -0300 Subject: [PATCH 1/2] Review support for the `bp_view` feature --- .../class-bp-rest-activity-endpoint.php | 15 +- ...-rest-attachments-blog-avatar-endpoint.php | 39 ++- .../classes/class-bp-rest-blogs-endpoint.php | 26 +- ...rest-attachments-group-avatar-endpoint.php | 8 +- ...-rest-attachments-group-cover-endpoint.php | 5 +- .../class-bp-rest-group-invites-endpoint.php | 227 +++++++++--------- ...rest-group-membership-request-endpoint.php | 160 ++++++------ ...est-attachments-member-avatar-endpoint.php | 3 +- ...rest-attachments-member-cover-endpoint.php | 3 +- .../class-bp-rest-members-endpoint.php | 12 +- .../classes/class-bp-rest-signup-endpoint.php | 58 +++-- ...bp-rest-xprofile-field-groups-endpoint.php | 12 +- tests/bootstrap.php | 20 ++ tests/testcases/activity/test-controller.php | 31 +++ .../test-blog-avatar-controller.php | 14 ++ .../test-group-avatar-controller.php | 13 + .../test-group-cover-controller.php | 14 ++ .../test-member-avatar-controller.php | 13 + .../test-member-cover-controller.php | 13 + tests/testcases/blogs/test-controller.php | 20 ++ tests/testcases/groups/test-controller.php | 30 +++ .../groups/test-group-invites-controller.php | 45 ++++ tests/testcases/members/test-controller.php | 40 +++ .../test-group-membership-controller.php | 22 ++ ...st-group-membership-request-controller.php | 40 +++ .../xprofile/test-data-controller.php | 14 ++ .../xprofile/test-field-controller.php | 29 +++ .../xprofile/test-group-controller.php | 31 +++ 28 files changed, 708 insertions(+), 249 deletions(-) diff --git a/includes/bp-activity/classes/class-bp-rest-activity-endpoint.php b/includes/bp-activity/classes/class-bp-rest-activity-endpoint.php index e879b1e0..89ff4ed8 100644 --- a/includes/bp-activity/classes/class-bp-rest-activity-endpoint.php 
+++ b/includes/bp-activity/classes/class-bp-rest-activity-endpoint.php @@ -260,6 +260,17 @@ public function get_items( $request ) { * @return true|WP_Error */ public function get_items_permissions_check( $request ) { + $retval = new WP_Error( + 'bp_rest_authorization_required', + __( 'Sorry, you are not allowed to perform this action.', 'buddypress' ), + array( + 'status' => rest_authorization_required_code(), + ) + ); + + if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'activity' ) ) ) { + $retval = true; + } /** * Filter the activity `get_items` permissions check. @@ -269,7 +280,7 @@ public function get_items_permissions_check( $request ) { * @param true|WP_Error $retval Returned value. * @param WP_REST_Request $request Full data about the request. */ - return apply_filters( 'bp_rest_activity_get_items_permissions_check', true, $request ); + return apply_filters( 'bp_rest_activity_get_items_permissions_check', $retval, $request ); } /** @@ -332,7 +343,7 @@ public function get_item_permissions_check( $request ) { ) ); - if ( $this->can_see( $request ) ) { + if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'activity' ) ) && $this->can_see( $request ) ) { $retval = true; } diff --git a/includes/bp-blogs/classes/class-bp-rest-attachments-blog-avatar-endpoint.php b/includes/bp-blogs/classes/class-bp-rest-attachments-blog-avatar-endpoint.php index 8e4223a5..6d2a39c3 100644 --- a/includes/bp-blogs/classes/class-bp-rest-attachments-blog-avatar-endpoint.php +++ b/includes/bp-blogs/classes/class-bp-rest-attachments-blog-avatar-endpoint.php @@ -14,7 +14,6 @@ * @since 6.0.0 */ class BP_REST_Attachments_Blog_Avatar_Endpoint extends WP_REST_Controller { - use BP_REST_Attachments; /** 
@@ -172,26 +171,24 @@ public function get_item_permissions_check( $request ) { ) ); - $this->blog = $this->blogs_endpoint->get_blog_object( $request->get_param( 'id' ) ); - - if ( ! is_object( $this->blog ) ) { - $retval = new WP_Error( - 'bp_rest_blog_invalid_id', - __( 'Invalid group ID.', 'buddypress' ), - array( - 'status' => 404, - ) - ); - } elseif ( buddypress()->avatar->show_avatars ) { - $retval = true; - } else { - $retval = new WP_Error( - 'bp_rest_attachments_blog_avatar_disabled', - __( 'Sorry, blog avatar is disabled.', 'buddypress' ), - array( - 'status' => 500, - ) - ); + if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'blogs' ) ) ) { + $this->blog = $this->blogs_endpoint->get_blog_object( $request->get_param( 'id' ) ); + + if ( ! is_object( $this->blog ) ) { + $retval = new WP_Error( + 'bp_rest_blog_invalid_id', + __( 'Invalid group ID.', 'buddypress' ), + array( 'status' => 404 ) + ); + } elseif ( buddypress()->avatar->show_avatars ) { + $retval = true; + } else { + $retval = new WP_Error( + 'bp_rest_attachments_blog_avatar_disabled', + __( 'Sorry, blog avatar is disabled.', 'buddypress' ), + array( 'status' => 500 ) + ); + } } /** diff --git a/includes/bp-blogs/classes/class-bp-rest-blogs-endpoint.php b/includes/bp-blogs/classes/class-bp-rest-blogs-endpoint.php index 763af7d1..28b3e78f 100644 --- a/includes/bp-blogs/classes/class-bp-rest-blogs-endpoint.php +++ b/includes/bp-blogs/classes/class-bp-rest-blogs-endpoint.php @@ -165,6 +165,17 @@ public function get_items( $request ) { * @return true|WP_Error */ public function get_items_permissions_check( $request ) { + $retval = new WP_Error( + 'bp_rest_authorization_required', + __( 'Sorry, you are not allowed to perform this action.', 'buddypress' ), + array( + 'status' => rest_authorization_required_code(), + ) + ); + + if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'blogs' ) ) ) { + $retval = true; + } /** * Filter the blogs `get_items` permissions check. 
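Review bot: The `bp_rest_blog_invalid_id` error in the blog-avatar `get_item_permissions_check` still carries the message `'Invalid group ID.'`, a copy/paste from the group endpoints that will confuse consumers of `/blogs/{id}/avatar`; change it to `__( 'Invalid blog ID.', 'buddypress' )` while the block is being reworked. Moving the `get_blog_object()` lookup inside the `bp_view` branch is a good call, since an unauthorised caller can no longer probe for valid blog IDs through the 404-versus-200 difference. The `bp_rest_attachments_blog_avatar_disabled` case still answers with status 500 although nothing failed server-side; a 4xx would be the more accurate signal, but that is pre-existing. The function's filter and return are outside the hunk.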
@@ -174,7 +185,7 @@ public function get_items_permissions_check( $request ) { * @param true|WP_Error $retval Returned value. * @param WP_REST_Request $request The request sent to the API. */ - return apply_filters( 'bp_rest_blogs_get_items_permissions_check', true, $request ); + return apply_filters( 'bp_rest_blogs_get_items_permissions_check', $retval, $request ); } /** @@ -229,6 +240,17 @@ public function get_item( $request ) { * @return true|WP_Error */ public function get_item_permissions_check( $request ) { + $retval = new WP_Error( + 'bp_rest_authorization_required', + __( 'Sorry, you are not allowed to perform this action.', 'buddypress' ), + array( + 'status' => rest_authorization_required_code(), + ) + ); + + if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'blogs' ) ) ) { + $retval = true; + } /** * Filter the blog `get_item` permissions check. @@ -238,7 +260,7 @@ public function get_item_permissions_check( $request ) { * @param true|WP_Error $retval Returned value. * @param WP_REST_Request $request The request sent to the API. */ - return apply_filters( 'bp_rest_blogs_get_item_permissions_check', true, $request ); + return apply_filters( 'bp_rest_blogs_get_item_permissions_check', $retval, $request ); } /** diff --git a/includes/bp-groups/classes/class-bp-rest-attachments-group-avatar-endpoint.php b/includes/bp-groups/classes/class-bp-rest-attachments-group-avatar-endpoint.php index 2ba0eaef..f377022a 100644 --- a/includes/bp-groups/classes/class-bp-rest-attachments-group-avatar-endpoint.php +++ b/includes/bp-groups/classes/class-bp-rest-attachments-group-avatar-endpoint.php @@ -14,7 +14,6 @@ * @since 0.1.0 */ class BP_REST_Attachments_Group_Avatar_Endpoint extends WP_REST_Controller { - use BP_REST_Attachments; /** 
@@ -178,13 +177,12 @@ public function get_item_permissions_check( $request ) { ); if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'groups' ) ) ) { - $retval = new WP_Error( + $retval = new WP_Error( 'bp_rest_group_invalid_id', __( 'Invalid group ID.', 'buddypress' ), - array( - 'status' => 404, - ) + array( 'status' => 404 ) ); + $this->group = $this->groups_endpoint->get_group_object( $request ); if ( false !== $this->group ) { diff --git a/includes/bp-groups/classes/class-bp-rest-attachments-group-cover-endpoint.php b/includes/bp-groups/classes/class-bp-rest-attachments-group-cover-endpoint.php index 0d604c63..ec973848 100644 --- a/includes/bp-groups/classes/class-bp-rest-attachments-group-cover-endpoint.php +++ b/includes/bp-groups/classes/class-bp-rest-attachments-group-cover-endpoint.php @@ -16,7 +16,6 @@ * @since 6.0.0 */ class BP_REST_Attachments_Group_Cover_Endpoint extends WP_REST_Controller { - use BP_REST_Attachments; /** @@ -167,9 +166,7 @@ public function get_item_permissions_check( $request ) { $retval = new WP_Error( 'bp_rest_group_invalid_id', __( 'Invalid group ID.', 'buddypress' ), - array( - 'status' => 404, - ) + array( 'status' => 404 ) ); $this->group = $this->groups_endpoint->get_group_object( $request ); diff --git a/includes/bp-groups/classes/class-bp-rest-group-invites-endpoint.php b/includes/bp-groups/classes/class-bp-rest-group-invites-endpoint.php index ce8ff5b0..2d2d5a68 100644 --- a/includes/bp-groups/classes/class-bp-rest-group-invites-endpoint.php +++ b/includes/bp-groups/classes/class-bp-rest-group-invites-endpoint.php 
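Review bot: The group-cover hunk only reflows the `'status' => 404` array, so the `bp_view` gate that the new `test_get_item_with_support_for_the_community_visibility` in test-group-cover-controller.php expects (`bp_rest_authorization_required`) is not visible here; presumably it already sits above this hunk in `get_item_permissions_check`, as it does in the group-avatar endpoint, but that is worth confirming because the test will fail otherwise. If the gate is there, a short comment on it, `// Community visibility gate: deny before touching the group object.`, would make the ordering intent explicit for the next reader. Both `get_item_permissions_check` bodies start and end outside their hunks.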
@@ -178,109 +178,113 @@ public function get_items( $request ) { * @return bool|WP_Error */ public function get_items_permissions_check( $request ) { - $error = new WP_Error( + $error = new WP_Error( 'bp_rest_group_invites_cannot_get_items', __( 'Sorry, you are not allowed to fetch group invitations with those arguments.', 'buddypress' ), array( 'status' => rest_authorization_required_code(), ) ); - $retval = $error; - $group_id = (int) $request->get_param( 'group_id' ); - $current_user_id = (int) bp_loggedin_user_id(); - $user_id_arg = (int) $request->get_param( 'user_id' ); - $inviter_id = (int) $request->get_param( 'inviter_id' ); - if ( ! is_user_logged_in() ) { - $retval = new WP_Error( - 'bp_rest_authorization_required', - __( 'Sorry, you need to be logged in to see the group invitations.', 'buddypress' ), - array( - 'status' => rest_authorization_required_code(), - ) - ); - } elseif ( $group_id ) { - if ( ! $user_id_arg ) { - $user_id_arg = $current_user_id; - } + $retval = $error; - $user = bp_rest_get_user( $user_id_arg ); + if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'groups' ) ) ) { + $group_id = (int) $request->get_param( 'group_id' ); + $current_user_id = (int) bp_loggedin_user_id(); + $user_id_arg = (int) $request->get_param( 'user_id' ); + $inviter_id = (int) $request->get_param( 'inviter_id' ); - // Check the user is valid. - if ( ! $user instanceof WP_User ) { + if ( ! is_user_logged_in() ) { $retval = new WP_Error( - 'bp_rest_member_invalid_id', - __( 'Invalid member ID.', 'buddypress' ), + 'bp_rest_authorization_required', + __( 'Sorry, you need to be logged in to see the group invitations.', 'buddypress' ), array( - 'status' => 404, + 'status' => rest_authorization_required_code(), ) ); - } else { - $group = $this->groups_endpoint->get_group_object( $group_id ); + } elseif ( $group_id ) { + if ( ! $user_id_arg ) { + $user_id_arg = $current_user_id; + } - // Check the group is valid. - if ( ! 
$group instanceof BP_Groups_Group ) { + $user = bp_rest_get_user( $user_id_arg ); + + // Check the user is valid. + if ( ! $user instanceof WP_User ) { $retval = new WP_Error( - 'bp_rest_group_invalid_id', - __( 'Invalid group ID.', 'buddypress' ), + 'bp_rest_member_invalid_id', + __( 'Invalid member ID.', 'buddypress' ), + array( + 'status' => 404, + ) + ); + } else { + $group = $this->groups_endpoint->get_group_object( $group_id ); + + // Check the group is valid. + if ( ! $group instanceof BP_Groups_Group ) { + $retval = new WP_Error( + 'bp_rest_group_invalid_id', + __( 'Invalid group ID.', 'buddypress' ), + array( + 'status' => 404, + ) + ); + } elseif ( bp_current_user_can( 'bp_moderate' ) || $this->can_see( $group->id ) ) { + /* + * Users can see invitations if they + * - are a site admin, + * - are a group admin of the subject group (group_id must be specified). + */ + $retval = true; + } else { + $retval = $error; + } + } + } elseif ( $user_id_arg ) { + $user = bp_rest_get_user( $user_id_arg ); + + // Check the user is valid. + if ( ! $user instanceof WP_User ) { + $retval = new WP_Error( + 'bp_rest_member_invalid_id', + __( 'Invalid member ID.', 'buddypress' ), array( 'status' => 404, ) ); - } elseif ( bp_current_user_can( 'bp_moderate' ) || $this->can_see( $group->id ) ) { + } elseif ( bp_current_user_can( 'bp_moderate' ) || $user->ID === $current_user_id ) { /* - * Users can see invitations if they - * - are a site admin, - * - are a group admin of the subject group (group_id must be specified). - */ + * Users can see invitations if they: + * - are a site admin, + * - are the invite recipient (user_id must be specified). + */ $retval = true; } else { $retval = $error; } - } - } elseif ( $user_id_arg ) { - $user = bp_rest_get_user( $user_id_arg ); - - // Check the user is valid. - if ( ! 
$user instanceof WP_User ) { - $retval = new WP_Error( - 'bp_rest_member_invalid_id', - __( 'Invalid member ID.', 'buddypress' ), - array( - 'status' => 404, - ) - ); - } elseif ( bp_current_user_can( 'bp_moderate' ) || $user->ID === $current_user_id ) { - /* - * Users can see invitations if they: - * - are a site admin, - * - are the invite recipient (user_id must be specified). - */ - $retval = true; - } else { - $retval = $error; - } - } elseif ( $inviter_id ) { - $inviter = bp_rest_get_user( $inviter_id ); + } elseif ( $inviter_id ) { + $inviter = bp_rest_get_user( $inviter_id ); - // Check the inviter is valid. - if ( ! $inviter instanceof WP_User ) { - $retval = new WP_Error( - 'bp_rest_member_invalid_id', - __( 'Invalid member ID.', 'buddypress' ), - array( - 'status' => 404, - ) - ); - } elseif ( bp_current_user_can( 'bp_moderate' ) || $inviter->ID === $current_user_id ) { - /* - * Users can see invitations if they: - * - are a site admin, - * - are the inviter (inviter_id must be specified). - */ - $retval = true; - } else { - $retval = $error; + // Check the inviter is valid. + if ( ! $inviter instanceof WP_User ) { + $retval = new WP_Error( + 'bp_rest_member_invalid_id', + __( 'Invalid member ID.', 'buddypress' ), + array( + 'status' => 404, + ) + ); + } elseif ( bp_current_user_can( 'bp_moderate' ) || $inviter->ID === $current_user_id ) { + /* + * Users can see invitations if they: + * - are a site admin, + * - are the inviter (inviter_id must be specified). + */ + $retval = true; + } else { + $retval = $error; + } } } @@ -334,8 +338,7 @@ public function get_item( $request ) { * @return true|WP_Error */ public function get_item_permissions_check( $request ) { - $user_id = bp_loggedin_user_id(); - $retval = new WP_Error( + $retval = new WP_Error( 'bp_rest_authorization_required', __( 'Sorry, you are not allowed to perform this action.', 'buddypress' ), array( 
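Review bot: In the invites `get_items_permissions_check` the `! is_user_logged_in()` branch now sits inside the `bp_view` block, so on a members-only community an anonymous caller receives `bp_rest_group_invites_cannot_get_items` ("…with those arguments") instead of the login-required error, which misattributes the failure to the query arguments. Hoisting the login check keeps the message accurate: `if ( ! is_user_logged_in() ) { $retval = new WP_Error( 'bp_rest_authorization_required', __( 'Sorry, you need to be logged in to see the group invitations.', 'buddypress' ), array( 'status' => rest_authorization_required_code() ) ); } elseif ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'groups' ) ) ) {` with the rest of the ladder unchanged. The default `$retval = $error` still applies when none of `group_id`, `user_id` or `inviter_id` is supplied, so the check keeps failing closed — good. Most of this hunk is re-indentation; a guard that assigns the visibility error and skips the ladder would have kept the diff reviewable. The function's filter and return are outside the hunk.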
@@ -343,42 +346,46 @@ public function get_item_permissions_check( $request ) { ) ); - if ( ! $user_id ) { - $retval = new WP_Error( - 'bp_rest_authorization_required', - __( 'Sorry, you need to be logged in to see the group invitations.', 'buddypress' ), - array( - 'status' => rest_authorization_required_code(), - ) - ); - } else { - $invite = $this->fetch_single_invite( $request->get_param( 'invite_id' ) ); + if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'groups' ) ) ) { + $user_id = bp_loggedin_user_id(); - if ( ! $invite ) { - $retval = new WP_Error( - 'bp_rest_group_invite_invalid_id', - __( 'Invalid group invitation ID.', 'buddypress' ), - array( - 'status' => 404, - ) - ); - } elseif ( bp_current_user_can( 'bp_moderate' ) || $this->can_see( $invite->item_id ) || in_array( $user_id, array( $invite->user_id, $invite->inviter_id ), true ) ) { - /* - * Users can see a specific invitation if they - * - are a site admin - * - are a group admin of the subject group - * - are the invite recipient - * - are the inviter - */ - $retval = true; - } else { + if ( ! $user_id ) { $retval = new WP_Error( - 'bp_rest_group_invites_cannot_get_item', - __( 'Sorry, you are not allowed to fetch an invitation.', 'buddypress' ), + 'bp_rest_authorization_required', + __( 'Sorry, you need to be logged in to see the group invitations.', 'buddypress' ), array( 'status' => rest_authorization_required_code(), ) ); + } else { + $invite = $this->fetch_single_invite( $request->get_param( 'invite_id' ) ); + + if ( ! 
$invite ) { + $retval = new WP_Error( + 'bp_rest_group_invite_invalid_id', + __( 'Invalid group invitation ID.', 'buddypress' ), + array( + 'status' => 404, + ) + ); + } elseif ( bp_current_user_can( 'bp_moderate' ) || $this->can_see( $invite->item_id ) || in_array( $user_id, array( $invite->user_id, $invite->inviter_id ), true ) ) { + /* + * Users can see a specific invitation if they + * - are a site admin + * - are a group admin of the subject group + * - are the invite recipient + * - are the inviter + */ + $retval = true; + } else { + $retval = new WP_Error( + 'bp_rest_group_invites_cannot_get_item', + __( 'Sorry, you are not allowed to fetch an invitation.', 'buddypress' ), + array( + 'status' => rest_authorization_required_code(), + ) + ); + } } } diff --git a/includes/bp-groups/classes/class-bp-rest-group-membership-request-endpoint.php b/includes/bp-groups/classes/class-bp-rest-group-membership-request-endpoint.php index 0d3b919a..ca1046b4 100644 --- a/includes/bp-groups/classes/class-bp-rest-group-membership-request-endpoint.php +++ b/includes/bp-groups/classes/class-bp-rest-group-membership-request-endpoint.php 
@@ -174,61 +174,64 @@ public function get_items( $request ) { * @return true|WP_Error */ public function get_items_permissions_check( $request ) { - $retval = new WP_Error( + $retval = new WP_Error( 'bp_rest_authorization_required', __( 'Sorry, you are not allowed to perform this action.', 'buddypress' ), array( 'status' => rest_authorization_required_code(), ) ); - $user_id = bp_loggedin_user_id(); - $user_id_arg = $request->get_param( 'user_id' ); - $group = $this->groups_endpoint->get_group_object( $request->get_param( 'group_id' ) ); - // If the query is not restricted by group or user, limit it to the current user, if not an admin. - if ( ! $request->get_param( 'group_id' ) && ! $request->get_param( 'user_id' ) && ! bp_current_user_can( 'bp_moderate' ) ) { - $user_id_arg = $user_id; - } - $user = bp_rest_get_user( $user_id_arg ); - - if ( ! $user_id ) { - $retval = new WP_Error( - 'bp_rest_authorization_required', - __( 'Sorry, you need to be logged in to view membership requests.', 'buddypress' ), - array( - 'status' => rest_authorization_required_code(), - ) - ); - } elseif ( $request->get_param( 'group_id' ) && ! $group instanceof BP_Groups_Group ) { - $retval = new WP_Error( - 'bp_rest_group_invalid_id', - __( 'Invalid group ID.', 'buddypress' ), - array( - 'status' => 404, - ) - ); - } elseif ( $user_id_arg && ! 
$user instanceof WP_User ) { - $retval = new WP_Error( - 'bp_rest_member_invalid_id', - __( 'Invalid member ID.', 'buddypress' ), - array( - 'status' => 404, - ) - ); - } elseif ( - bp_current_user_can( 'bp_moderate' ) - || ( $request->get_param( 'group_id' ) && groups_is_user_admin( $user_id, $request->get_param( 'group_id' ) ) ) - || $user_id_arg === $user_id - ) { - $retval = true; - } else { - $retval = new WP_Error( - 'bp_rest_group_membership_requests_cannot_get_items', - __( 'Sorry, you are not allowed to view membership requests.', 'buddypress' ), - array( - 'status' => rest_authorization_required_code(), - ) - ); + if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'groups' ) ) ) { + $user_id = bp_loggedin_user_id(); + $user_id_arg = $request->get_param( 'user_id' ); + $group = $this->groups_endpoint->get_group_object( $request->get_param( 'group_id' ) ); + + // If the query is not restricted by group or user, limit it to the current user, if not an admin. + if ( ! $request->get_param( 'group_id' ) && ! $request->get_param( 'user_id' ) && ! bp_current_user_can( 'bp_moderate' ) ) { + $user_id_arg = $user_id; + } + $user = bp_rest_get_user( $user_id_arg ); + + if ( ! $user_id ) { + $retval = new WP_Error( + 'bp_rest_authorization_required', + __( 'Sorry, you need to be logged in to view membership requests.', 'buddypress' ), + array( + 'status' => rest_authorization_required_code(), + ) + ); + } elseif ( $request->get_param( 'group_id' ) && ! $group instanceof BP_Groups_Group ) { + $retval = new WP_Error( + 'bp_rest_group_invalid_id', + __( 'Invalid group ID.', 'buddypress' ), + array( + 'status' => 404, + ) + ); + } elseif ( $user_id_arg && ! 
$user instanceof WP_User ) { + $retval = new WP_Error( + 'bp_rest_member_invalid_id', + __( 'Invalid member ID.', 'buddypress' ), + array( + 'status' => 404, + ) + ); + } elseif ( + bp_current_user_can( 'bp_moderate' ) + || ( $request->get_param( 'group_id' ) && groups_is_user_admin( $user_id, $request->get_param( 'group_id' ) ) ) + || $user_id_arg === $user_id + ) { + $retval = true; + } else { + $retval = new WP_Error( + 'bp_rest_group_membership_requests_cannot_get_items', + __( 'Sorry, you are not allowed to view membership requests.', 'buddypress' ), + array( + 'status' => rest_authorization_required_code(), + ) + ); + } } /** 
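Review bot: The ownership test `$user_id_arg === $user_id` in the membership-request `get_items_permissions_check` strictly compares `bp_loggedin_user_id()` with the raw `user_id` request param; unless the route schema coerces `user_id` to an integer, `?user_id=5` arrives as the string `'5'` and a member asking for their own requests is denied. That is pre-existing logic re-indented here, but it is now the only path left for a non-admin, so cast explicitly, `$user_id_arg = (int) $request->get_param( 'user_id' );`, mirroring what the invites endpoint already does — `0` stays falsy, so the "limit to current user" default and the `$user_id_arg && ! $user` guard are unaffected. As in the invites endpoint, the login check is nested under `bp_view`, so anonymous callers on a members-only community get the generic "not allowed" message rather than the login-required one. The function's filter and return are outside the hunk.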
@@ -281,42 +284,45 @@ public function get_item( $request ) { * @return true|WP_Error */ public function get_item_permissions_check( $request ) { - $retval = new WP_Error( + $retval = new WP_Error( 'bp_rest_authorization_required', __( 'Sorry, you are not allowed to perform this action.', 'buddypress' ), array( 'status' => rest_authorization_required_code(), ) ); - $user_id = bp_loggedin_user_id(); - $group_request = $this->fetch_single_membership_request( $request->get_param( 'request_id' ) ); - if ( ! $user_id ) { - $retval = new WP_Error( - 'bp_rest_authorization_required', - __( 'Sorry, you need to be logged in to get a membership.', 'buddypress' ), - array( - 'status' => rest_authorization_required_code(), - ) - ); - } elseif ( ! $group_request ) { - $retval = new WP_Error( - 'bp_rest_group_membership_requests_invalid_id', - __( 'Invalid group membership request ID.', 'buddypress' ), - array( - 'status' => 404, - ) - ); - } elseif ( bp_current_user_can( 'bp_moderate' ) || $user_id === $group_request->user_id || groups_is_user_admin( $user_id, $group_request->item_id ) ) { - $retval = true; - } else { - $retval = new WP_Error( - 'bp_rest_group_membership_requests_cannot_get_item', - __( 'Sorry, you are not allowed to view a membership request.', 'buddypress' ), - array( - 'status' => rest_authorization_required_code(), - ) - ); + if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'groups' ) ) ) { + $user_id = bp_loggedin_user_id(); + $group_request = $this->fetch_single_membership_request( $request->get_param( 'request_id' ) ); + + if ( ! $user_id ) { + $retval = new WP_Error( + 'bp_rest_authorization_required', + __( 'Sorry, you need to be logged in to get a membership.', 'buddypress' ), + array( + 'status' => rest_authorization_required_code(), + ) + ); + } elseif ( ! 
$group_request ) { + $retval = new WP_Error( + 'bp_rest_group_membership_requests_invalid_id', + __( 'Invalid group membership request ID.', 'buddypress' ), + array( + 'status' => 404, + ) + ); + } elseif ( bp_current_user_can( 'bp_moderate' ) || $user_id === $group_request->user_id || groups_is_user_admin( $user_id, $group_request->item_id ) ) { + $retval = true; + } else { + $retval = new WP_Error( + 'bp_rest_group_membership_requests_cannot_get_item', + __( 'Sorry, you are not allowed to view a membership request.', 'buddypress' ), + array( + 'status' => rest_authorization_required_code(), + ) + ); + } } /** diff --git a/includes/bp-members/classes/class-bp-rest-attachments-member-avatar-endpoint.php b/includes/bp-members/classes/class-bp-rest-attachments-member-avatar-endpoint.php index fa1c641f..8d0ad08a 100644 --- a/includes/bp-members/classes/class-bp-rest-attachments-member-avatar-endpoint.php +++ b/includes/bp-members/classes/class-bp-rest-attachments-member-avatar-endpoint.php @@ -14,7 +14,6 @@ * @since 0.1.0 */ class BP_REST_Attachments_Member_Avatar_Endpoint extends WP_REST_Controller { - use BP_REST_Attachments; /** @@ -162,7 +161,7 @@ public function get_item( $request ) { public function get_item_permissions_check( $request ) { $retval = new WP_Error( 'bp_rest_authorization_required', - __( 'Sorry, you cannot view member details.', 'buddypress' ), + __( 'Sorry, you are not authorized to perform this action.', 'buddypress' ), array( 'status' => rest_authorization_required_code(), ) diff --git a/includes/bp-members/classes/class-bp-rest-attachments-member-cover-endpoint.php b/includes/bp-members/classes/class-bp-rest-attachments-member-cover-endpoint.php index 39fa5c98..1db9e2bf 100644 --- a/includes/bp-members/classes/class-bp-rest-attachments-member-cover-endpoint.php +++ b/includes/bp-members/classes/class-bp-rest-attachments-member-cover-endpoint.php 
@@ -16,7 +16,6 @@ * @since 6.0.0 */ class BP_REST_Attachments_Member_Cover_Endpoint extends WP_REST_Controller { - use BP_REST_Attachments; /** @@ -152,7 +151,7 @@ public function get_item( $request ) { public function get_item_permissions_check( $request ) { $retval = new WP_Error( 'bp_rest_authorization_required', - __( 'Sorry, you cannot view member details.', 'buddypress' ), + __( 'Sorry, you are not authorized to perform this action.', 'buddypress' ), array( 'status' => rest_authorization_required_code(), ) diff --git a/includes/bp-members/classes/class-bp-rest-members-endpoint.php b/includes/bp-members/classes/class-bp-rest-members-endpoint.php index 45e088d7..269f9fea 100644 --- a/includes/bp-members/classes/class-bp-rest-members-endpoint.php +++ b/includes/bp-members/classes/class-bp-rest-members-endpoint.php @@ -201,7 +201,17 @@ public function get_items( $request ) { * @return true|WP_Error */ public function get_items_permissions_check( $request ) { - $retval = bp_current_user_can( 'bp_view', array( 'bp_component' => 'members' ) ); + $retval = new WP_Error( + 'bp_rest_authorization_required', + __( 'Sorry, you are not allowed to perform this action.', 'buddypress' ), + array( + 'status' => rest_authorization_required_code(), + ) + ); + + if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'members' ) ) ) { + $retval = true; + } /** * Filter the members `get_items` permissions check. diff --git a/includes/bp-members/classes/class-bp-rest-signup-endpoint.php b/includes/bp-members/classes/class-bp-rest-signup-endpoint.php index 703bf9bd..26ee5820 100644 --- a/includes/bp-members/classes/class-bp-rest-signup-endpoint.php +++ b/includes/bp-members/classes/class-bp-rest-signup-endpoint.php 
@@ -203,20 +203,18 @@ public function get_items_permissions_check( $request ) { array( 'status' => rest_authorization_required_code() ) ); - $capability = 'edit_users'; + if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'members' ) ) ) { + $capability = is_multisite() ? 'manage_network_users' : 'edit_users'; - if ( is_multisite() ) { - $capability = 'manage_network_users'; - } - - if ( ! is_user_logged_in() ) { - $retval = new WP_Error( - 'bp_rest_authorization_required', - __( 'Sorry, you need to be logged in to perform this action.', 'buddypress' ), - array( 'status' => rest_authorization_required_code() ) - ); - } elseif ( bp_current_user_can( $capability ) ) { - $retval = true; + if ( ! is_user_logged_in() ) { + $retval = new WP_Error( + 'bp_rest_authorization_required', + __( 'Sorry, you need to be logged in to perform this action.', 'buddypress' ), + array( 'status' => rest_authorization_required_code() ) + ); + } elseif ( bp_current_user_can( $capability ) ) { + $retval = true; + } } /** 
@@ -272,19 +270,35 @@ public function get_item( $request ) { * @return true|WP_Error */ public function get_item_permissions_check( $request ) { - $retval = $this->get_items_permissions_check( $request ); + $retval = new WP_Error( + 'bp_rest_authorization_required', + __( 'Sorry, you are not authorized to perform this action.', 'buddypress' ), + array( 'status' => rest_authorization_required_code() ) + ); - if ( ! is_wp_error( $retval ) ) { - $signup = $this->get_signup_object( $request->get_param( 'id' ) ); + if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'members' ) ) ) { + $capability = is_multisite() ? 'manage_network_users' : 'edit_users'; - if ( empty( $signup ) ) { + if ( ! is_user_logged_in() ) { $retval = new WP_Error( - 'bp_rest_invalid_id', - __( 'Invalid signup id.', 'buddypress' ), - array( - 'status' => 404, - ) + 'bp_rest_authorization_required', + __( 'Sorry, you need to be logged in to perform this action.', 'buddypress' ), + array( 'status' => rest_authorization_required_code() ) ); + } elseif ( bp_current_user_can( $capability ) ) { + $retval = true; + } + + if ( ! is_wp_error( $retval ) ) { + $signup = $this->get_signup_object( $request->get_param( 'id' ) ); + + if ( empty( $signup ) ) { + $retval = new WP_Error( + 'bp_rest_invalid_id', + __( 'Invalid signup id.', 'buddypress' ), + array( 'status' => 404 ) + ); + } } } diff --git a/includes/bp-xprofile/classes/class-bp-rest-xprofile-field-groups-endpoint.php b/includes/bp-xprofile/classes/class-bp-rest-xprofile-field-groups-endpoint.php index a6459efa..38a59e21 100644 --- a/includes/bp-xprofile/classes/class-bp-rest-xprofile-field-groups-endpoint.php +++ b/includes/bp-xprofile/classes/class-bp-rest-xprofile-field-groups-endpoint.php 
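Review bot: The signup `get_item_permissions_check` no longer delegates to `get_items_permissions_check` and instead duplicates the login/capability ladder, and the two copies already disagree on wording (`'not authorized'` versus `'not allowed'`); any future tightening of the signup capability now has to be made twice. If the duplication is meant to keep the `get_items` filter out of the single-item path, extract the shared ladder into a private helper returning `true|WP_Error` and call it from both methods; otherwise restore `$retval = $this->get_items_permissions_check( $request );` ahead of the signup lookup. On the positive side, `get_signup_object()` is only reached once the caller holds `edit_users`/`manage_network_users`, so the 404 cannot be used to enumerate signup IDs. The closing filter and return are outside the hunk.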
@@ -297,7 +297,17 @@ public function get_item( $request ) { * @return true|WP_Error */ public function get_item_permissions_check( $request ) { - $retval = $this->get_items_permissions_check( $request ); + $retval = new WP_Error( + 'bp_rest_authorization_required', + __( 'Sorry, you are not allowed to perform this action.', 'buddypress' ), + array( + 'status' => rest_authorization_required_code(), + ) + ); + + if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'xprofile' ) ) ) { + $retval = true; + } /** * Filter the XProfile fields groups `get_item` permissions check. diff --git a/tests/bootstrap.php b/tests/bootstrap.php index e455a6d2..8ea6a8ec 100644 --- a/tests/bootstrap.php +++ b/tests/bootstrap.php @@ -44,3 +44,23 @@ function _manually_load_plugins() { echo "Loading BuddyPress testcases...\n"; require_once BP_TESTS_DIR . '/includes/testcase.php'; require_once BP_TESTS_DIR . '/includes/testcase-emails.php'; + +/** + * Set component visibility. + * + * @param bool $visibility Visibility. + */ +function toggle_component_visibility( $visibility = true ) { + $visibility = $visibility ? 'members' : 'anyone'; + + update_option( + '_bp_community_visibility', + array( + 'global' => $visibility, + 'activity' => $visibility, + 'members' => $visibility, + 'groups' => $visibility, + 'blogs' => $visibility, + ) + ); +} diff --git a/tests/testcases/activity/test-controller.php b/tests/testcases/activity/test-controller.php index 116b2721..04ae0ef0 100644 --- a/tests/testcases/activity/test-controller.php +++ b/tests/testcases/activity/test-controller.php 
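Review bot: The XProfile field-groups `get_item_permissions_check` used to inherit whatever `get_items_permissions_check` enforced; replacing that call with a bare `bp_view` check for `'xprofile'` silently drops any extra constraint the list check carried (that method is outside this hunk, so I cannot tell whether it had one). If it performs only the same `bp_view` check, keeping the delegation preserves one source of truth; if it does more, those checks need re-applying here. Note also that the test bootstrap in this patch writes no `'xprofile'` key into `_bp_community_visibility`, so the new xprofile tests presumably depend on `bp_view` falling back to the `'global'` entry; once confirmed, a comment such as `// Falls back to the global community visibility when no xprofile-specific setting exists.` above the check would record that assumption.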
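Review bot: `toggle_component_visibility()` in tests/bootstrap.php has a contract that reads backwards: `$visibility` defaults to `true`, which maps to `'members'` and restricts the community, so a reader of `toggle_component_visibility();` in a test will assume visibility is being switched on. Document that in the docblock, `@param bool $visibility True restricts the community to logged-in members ('members'); false opens it to 'anyone'.`, or rename the parameter to something like `$restrict`. The option is written with `update_option()` and never restored; the WP test case presumably rolls the database back per test, but if BuddyPress caches the visibility setting in memory the value could leak into later tests, so a reset in `tearDown` or a confirmation that the cache is invalidated would be prudent.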
@@ -74,6 +74,21 @@ public function test_get_items() { $this->assertContains( $this->activity_id, $a_ids ); } + /** + * @group get_items + */ + public function test_get_items_with_support_for_the_community_visibility() { + toggle_component_visibility(); + + $this->bp_factory->activity->create_many( 3 ); + + $request = new WP_REST_Request( 'GET', $this->endpoint_url ); + $request->set_param( 'context', 'view' ); + $response = $this->server->dispatch( $request ); + + $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() ); + } + /** * @group get_items */ @@ -629,6 +644,22 @@ public function test_get_item() { $this->check_activity_data( $activity, $all_data[0], 'view' ); } + /** + * @group get_item + */ + public function test_get_item_with_support_for_the_community_visibility() { + toggle_component_visibility(); + + $activity = $this->endpoint->get_activity_object( $this->activity_id ); + $this->assertEquals( $this->activity_id, $activity->id ); + + $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '/%d', $activity->id ) ); + $request->set_param( 'context', 'view' ); + $response = $this->server->dispatch( $request ); + + $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() ); + } + /** * @group get_item */ diff --git a/tests/testcases/attachments/test-blog-avatar-controller.php b/tests/testcases/attachments/test-blog-avatar-controller.php index 03cebb18..f4cd47b0 100644 --- a/tests/testcases/attachments/test-blog-avatar-controller.php +++ b/tests/testcases/attachments/test-blog-avatar-controller.php 
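Review bot: Both new activity tests cover only the deny path and assume no user is logged in at dispatch time; nothing in the hunk sets the current user, so the assertion depends on `setUp()` state that lives outside this hunk. Pin it with `wp_set_current_user( 0 );` immediately after `toggle_component_visibility();`, and add the positive counterpart — log in a regular member and assert a 200 with the expected items — so the gate is also verified not to over-deny.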
@@ -73,6 +73,20 @@ public function test_get_item() {
 $this->assertSame( $all_data[0], $expected );
 }
+ /**
+ * @group get_item
+ */
+ public function test_get_item_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $blog_id = $this->bp_factory->blog->create();
+ $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '%d/avatar', $blog_id ) );
+ $request->set_param( 'context', 'view' );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_item
 */
diff --git a/tests/testcases/attachments/test-group-avatar-controller.php b/tests/testcases/attachments/test-group-avatar-controller.php
index 7fb4c055..79d3c87c 100644
--- a/tests/testcases/attachments/test-group-avatar-controller.php
+++ b/tests/testcases/attachments/test-group-avatar-controller.php
@@ -82,6 +82,19 @@ public function test_get_item() {
 $this->assertTrue( isset( $all_data[0]['full'] ) && isset( $all_data[0]['thumb'] ) );
 }
+ /**
+ * @group get_item
+ */
+ public function test_get_item_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '%d/avatar', $this->group_id ) );
+ $request->set_param( 'context', 'view' );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_item
 */
diff --git a/tests/testcases/attachments/test-group-cover-controller.php b/tests/testcases/attachments/test-group-cover-controller.php
index 3525a80e..8b6157b7 100644
--- a/tests/testcases/attachments/test-group-cover-controller.php
+++ b/tests/testcases/attachments/test-group-cover-controller.php
@@ -63,12 +63,26 @@ public function test_get_item() {
 $this->markTestSkipped();
 }
+ /**
+ * @group get_item
+ */
+ public function test_get_item_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '%d/cover', $this->group_id ) );
+ $request->set_param( 'context', 'view' );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_item
 */
 public function test_get_item_with_no_image() {
 $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '%d/cover', $this->group_id ) );
 $response = $this->server->dispatch( $request );
+
 $this->assertErrorResponse( 'bp_rest_attachments_group_cover_no_image', $response, 500 );
 }
diff --git a/tests/testcases/attachments/test-member-avatar-controller.php b/tests/testcases/attachments/test-member-avatar-controller.php
index 254fa186..d6117fa6 100644
--- a/tests/testcases/attachments/test-member-avatar-controller.php
+++ b/tests/testcases/attachments/test-member-avatar-controller.php
@@ -77,6 +77,19 @@ public function test_get_item() {
 $this->assertTrue( isset( $all_data[0]['full'] ) && isset( $all_data[0]['thumb'] ) );
 }
+ /**
+ * @group get_item
+ */
+ public function test_get_item_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '%d/avatar', $this->user_id ) );
+ $request->set_param( 'context', 'view' );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_item
 */
diff --git a/tests/testcases/attachments/test-member-cover-controller.php b/tests/testcases/attachments/test-member-cover-controller.php
index b5433cc7..b839e685 100644
--- a/tests/testcases/attachments/test-member-cover-controller.php
+++ b/tests/testcases/attachments/test-member-cover-controller.php
@@ -54,6 +54,19 @@ public function test_get_item() {
 $this->markTestSkipped();
 }
+ /**
+ * @group get_item
+ */
+ public function test_get_item_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '%d/cover', $this->user_id ) );
+ $request->set_param( 'context', 'view' );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_item
 */
diff --git a/tests/testcases/blogs/test-controller.php b/tests/testcases/blogs/test-controller.php
index ffca4f8f..416abc55 100644
--- a/tests/testcases/blogs/test-controller.php
+++ b/tests/testcases/blogs/test-controller.php
@@ -101,6 +101,26 @@ public function test_get_item() {
 $this->assertSame( $blogs[0]['user_id'], $this->admin );
 }
+ /**
+ * @group get_item
+ */
+ public function test_get_item_with_support_for_the_community_visibility() {
+ $this->skipWithoutMultisite();
+
+ toggle_component_visibility();
+
+ $blog_id = $this->bp_factory->blog->create(
+ array( 'title' => 'The Foo Bar Blog' )
+ );
+
+ $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '/%d', $blog_id ) );
+ $request->set_param( 'context', 'view' );
+ $response = $this->server->dispatch( $request );
+
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_item
 */
diff --git a/tests/testcases/groups/test-controller.php b/tests/testcases/groups/test-controller.php
index aa4ae019..1fc9dadf 100644
--- a/tests/testcases/groups/test-controller.php
+++ b/tests/testcases/groups/test-controller.php
@@ -67,6 +67,21 @@ public function test_get_items() {
 $this->assertCount( 4, wp_list_pluck( $response->get_data(), 'id' ) );
 }
+ /**
+ * @group get_items
+ */
+ public function test_get_items_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $this->bp_factory->group->create_many( 3 );
+
+ $request = new WP_REST_Request( 'GET', $this->endpoint_url );
+ $request->set_param( 'context', 'view' );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_items
 */
@@ -381,6 +396,21 @@ public function test_get_item() {
 $this->check_group_data( $group, $all_data[0], 'view' );
 }
+ /**
+ * @group get_item
+ */
+ public function test_get_item_unauthenticated_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $group = $this->endpoint->get_group_object( $this->group_id );
+
+ $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '/%d', $group->id ) );
+ $request->set_param( 'context', 'view' );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_item
 */
diff --git a/tests/testcases/groups/test-group-invites-controller.php b/tests/testcases/groups/test-group-invites-controller.php
index 28b9f2a0..fd113df9 100644
--- a/tests/testcases/groups/test-group-invites-controller.php
+++ b/tests/testcases/groups/test-group-invites-controller.php
@@ -99,6 +99,29 @@ public function test_get_items() {
 $this->assertEqualSets( [ $u1, $u2, $u3, $u4 ], $u_ids );
 }
+ /**
+ * @group get_items
+ */
+ public function test_get_items_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $u1 = $this->factory->user->create();
+ $u2 = $this->factory->user->create();
+ $u3 = $this->factory->user->create();
+ $u4 = $this->factory->user->create();
+
+ $this->populate_group_with_invites( [ $u1, $u2, $u3, $u4 ], $this->group_id );
+
+ $request = new WP_REST_Request( 'GET', $this->endpoint_url );
+ $request->set_query_params( array(
+ 'group_id' => $this->group_id,
+ ) );
+ $request->set_param( 'context', 'view' );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_group_invites_cannot_get_items', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_items
 */
@@ -281,6 +304,28 @@ public function test_get_item() {
 $this->assertEquals( $u1, $all_data['user_id'] );
 }
+ /**
+ * @group get_item
+ */
+ public function test_get_item_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $u1 = $this->factory->user->create();
+
+ $invite_id = groups_invite_user( array(
+ 'user_id' => $u1,
+ 'group_id' => $this->group_id,
+ 'inviter_id' => $this->user,
+ 'send_invite' => 1,
+ ) );
+
+ $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '/%d', $invite_id ) );
+ $request->set_param( 'context', 'view' );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_item
 */
diff --git a/tests/testcases/members/test-controller.php b/tests/testcases/members/test-controller.php
index cd8d6832..9921050b 100644
--- a/tests/testcases/members/test-controller.php
+++ b/tests/testcases/members/test-controller.php
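Review bot: `test_get_items_with_support_for_the_community_visibility` expects `bp_rest_group_invites_cannot_get_items` where every other test in this commit, including the sibling `get_item` case in the second hunk, asserts `bp_rest_authorization_required` for the same visibility denial, so the group-invites `get_items` endpoint (its change is not in view) answers the community-visibility case with a code of its own. If that is deliberate, a comment above the assertion should say why a client must treat two codes as the same condition; otherwise the endpoint should return `bp_rest_authorization_required` with `rest_authorization_required_code()` for the visibility case so API clients can rely on one code. Either way the error status is the same, so the distinction is only visible in the code string.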
@@ -97,6 +97,26 @@ public function test_get_items() {
 }
 }
+ /**
+ * @group get_items
+ */
+ public function test_get_items_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $u1 = $this->factory->user->create();
+ $u2 = $this->factory->user->create();
+ $u3 = $this->factory->user->create();
+
+ $request = new WP_REST_Request( 'GET', $this->endpoint_url );
+ $request->set_query_params( array(
+ 'user_ids' => [ $u1, $u2, $u3 ],
+ ) );
+ $request->set_param( 'context', 'view' );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_items
 */
@@ -400,6 +420,26 @@ public function test_get_item() {
 $this->check_get_user_response( $response );
 }
+ /**
+ * @group get_item
+ */
+ public function test_get_item_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $u = $this->factory->user->create();
+
+ // Register and set member types.
+ bp_register_member_type( 'foo' );
+ bp_register_member_type( 'bar' );
+ bp_set_member_type( $u, 'foo' );
+ bp_set_member_type( $u, 'bar', true );
+
+ $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '/%d', $u ) );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_item
 */
diff --git a/tests/testcases/membership/test-group-membership-controller.php b/tests/testcases/membership/test-group-membership-controller.php
index 2fd318b3..bbda90d2 100644
--- a/tests/testcases/membership/test-group-membership-controller.php
+++ b/tests/testcases/membership/test-group-membership-controller.php
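Review bot: The member-type registration in `test_get_item_with_support_for_the_community_visibility` (`bp_register_member_type`, `bp_set_member_type`) has no bearing on a request that is rejected in the permissions check and looks copied from the neighbouring `test_get_item`; dropping those five lines leaves a test that states exactly what it checks. This test also omits the `$request->set_param( 'context', 'view' );` that its sibling in the first hunk sets — harmless for a denied request, but worth aligning so the two read the same.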
@@ -153,6 +153,28 @@ public function test_get_items_by_specific_group_role() {
 }
 }
+ /**
+ * @group get_items
+ */
+ public function test_get_items_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $u1 = $this->factory->user->create();
+ $u2 = $this->factory->user->create();
+
+ $g1 = $this->bp_factory->group->create( array(
+ 'creator' => $u1,
+ ) );
+
+ $this->populate_group_with_members( [ $u1, $u2 ], $g1 );
+
+ $request = new WP_REST_Request( 'GET', $this->endpoint_url . $g1 . '/members' );
+ $request->set_param( 'context', 'view' );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_items
 */
diff --git a/tests/testcases/membership/test-group-membership-request-controller.php b/tests/testcases/membership/test-group-membership-request-controller.php
index 2751c345..682dc4b4 100644
--- a/tests/testcases/membership/test-group-membership-request-controller.php
+++ b/tests/testcases/membership/test-group-membership-request-controller.php
@@ -102,6 +102,30 @@ public function test_get_items() {
 $this->assertTrue( 3 === count( $all_data ) );
 }
+ /**
+ * @group get_items
+ */
+ public function test_get_items_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $u = $this->factory->user->create( array( 'role' => 'subscriber' ) );
+ $u2 = $this->factory->user->create( array( 'role' => 'subscriber' ) );
+ $u3 = $this->factory->user->create( array( 'role' => 'subscriber' ) );
+
+ groups_send_membership_request( array( 'group_id' => $this->group_id, 'user_id' => $u ) );
+ groups_send_membership_request( array( 'group_id' => $this->group_id, 'user_id' => $u2 ) );
+ groups_send_membership_request( array( 'group_id' => $this->group_id, 'user_id' => $u3 ) );
+
+ $request = new WP_REST_Request( 'GET', $this->endpoint_url );
+ $request->set_query_params( array(
+ 'group_id' => $this->group_id,
+ ) );
+ $request->set_param( 'context', 'view' );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_items
 */
@@ -245,6 +269,22 @@ public function test_get_item() {
 $this->assertFalse( $accepted );
 }
+ /**
+ * @group get_item
+ */
+ public function test_get_item_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $u = $this->factory->user->create( array( 'role' => 'subscriber' ) );
+ $request_id = groups_send_membership_request( array( 'group_id' => $this->group_id, 'user_id' => $u ) );
+
+ $request = new WP_REST_Request( 'GET', $this->endpoint_url . '/'. $request_id );
+ $request->set_param( 'context', 'view' );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_item
 */
diff --git a/tests/testcases/xprofile/test-data-controller.php b/tests/testcases/xprofile/test-data-controller.php
index 0c3a8c8a..56968332 100644
--- a/tests/testcases/xprofile/test-data-controller.php
+++ b/tests/testcases/xprofile/test-data-controller.php
@@ -73,6 +73,20 @@ public function test_get_item() {
 $this->assertEquals( $all_data[0]['value']['unserialized'], array( 'foo' ) );
 }
+ /**
+ * @group get_item
+ */
+ public function test_get_item_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ xprofile_set_field_data( $this->field_id, $this->user, 'foo' );
+
+ $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '%d/data/%d', $this->field_id, $this->user ) );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_item
 */
diff --git a/tests/testcases/xprofile/test-field-controller.php b/tests/testcases/xprofile/test-field-controller.php
index abcd6773..b71c3619 100644
--- a/tests/testcases/xprofile/test-field-controller.php
+++ b/tests/testcases/xprofile/test-field-controller.php
@@ -92,6 +92,20 @@ public function test_public_get_items() {
 );
 }
+ /**
+ * @group get_items
+ */
+ public function test_public_get_items_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $this->bp_factory->xprofile_field->create_many( 5, [ 'field_group_id' => $this->group_id ] );
+
+ $request = new WP_REST_Request( 'GET', $this->endpoint_url );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_items
 */
@@ -160,6 +174,21 @@ public function test_get_public_item() {
 $this->check_field_data( $field, $all_data[0] );
 }
+ /**
+ * @group get_item
+ */
+ public function test_get_public_item_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $field = $this->endpoint->get_xprofile_field_object( $this->field_id );
+ $this->assertEquals( $this->field_id, $field->id );
+
+ $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '/%d', $field->id ) );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_item
 */
diff --git a/tests/testcases/xprofile/test-group-controller.php b/tests/testcases/xprofile/test-group-controller.php
index 8a11f6c4..4f19986a 100644
--- a/tests/testcases/xprofile/test-group-controller.php
+++ b/tests/testcases/xprofile/test-group-controller.php
@@ -70,6 +70,21 @@ public function test_get_items() {
 }
 }
+ /**
+ * @group get_items
+ */
+ public function test_get_items_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $this->bp_factory->xprofile_group->create_many( 5 );
+
+ $request = new WP_REST_Request( 'GET', $this->endpoint_url );
+ $request->set_param( 'context', 'view' );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_items
 */
@@ -144,6 +159,22 @@ public function test_get_item() {
 $this->check_group_data( $field_group, $all_data[0], 'view', $response->get_links() );
 }
+ /**
+ * @group get_item
+ */
+ public function test_get_item_publicly_with_support_for_the_community_visibility() {
+ toggle_component_visibility();
+
+ $field_group = $this->endpoint->get_xprofile_field_group_object( $this->group_id );
+ $this->assertEquals( $this->group_id, $field_group->id );
+
+ $request = new WP_REST_Request( 'GET', sprintf( $this->endpoint_url . '/%d', $field_group->id ) );
+ $request->set_param( 'context', 'view' );
+ $response = $this->server->dispatch( $request );
+
+ $this->assertErrorResponse( 'bp_rest_authorization_required', $response, rest_authorization_required_code() );
+ }
+
 /**
 * @group get_item
 */
From 06ea906c5dec6aa2115c6e27e5bc7e9279603314 Mon Sep 17 00:00:00 2001
From: Renato Alves <19148962+renatonascalves@users.noreply.github.com>
Date: Tue, 21 May 2024 22:06:18 -0300
Subject: [PATCH 2/2] Remove `bp_view` from the signup endpoint
---
 .../classes/class-bp-rest-signup-endpoint.php | 58 +++++++++----------
 1 file changed, 27 insertions(+), 31 deletions(-)
diff --git a/includes/bp-members/classes/class-bp-rest-signup-endpoint.php b/includes/bp-members/classes/class-bp-rest-signup-endpoint.php
index 26ee5820..aabca216 100644
--- a/includes/bp-members/classes/class-bp-rest-signup-endpoint.php
+++ b/includes/bp-members/classes/class-bp-rest-signup-endpoint.php
@@ -203,18 +203,16 @@ public function get_items_permissions_check( $request ) {
 array( 'status' => rest_authorization_required_code() )
 );
- if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'members' ) ) ) {
- $capability = is_multisite() ? 'manage_network_users' : 'edit_users';
+ $capability = is_multisite() ? 'manage_network_users' : 'edit_users';
- if ( ! is_user_logged_in() ) {
- $retval = new WP_Error(
- 'bp_rest_authorization_required',
- __( 'Sorry, you need to be logged in to perform this action.', 'buddypress' ),
- array( 'status' => rest_authorization_required_code() )
- );
- } elseif ( bp_current_user_can( $capability ) ) {
- $retval = true;
- }
+ if ( ! is_user_logged_in() ) {
+ $retval = new WP_Error(
+ 'bp_rest_authorization_required',
+ __( 'Sorry, you need to be logged in to perform this action.', 'buddypress' ),
+ array( 'status' => rest_authorization_required_code() )
+ );
+ } elseif ( bp_current_user_can( $capability ) ) {
+ $retval = true;
 }
 /**
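Review bot: With the `bp_view` gate gone, `get_items_permissions_check()` and `get_item_permissions_check()` (the hunk that follows) carry the same login-plus-capability block verbatim, so the two checks can drift apart on the next edit; a private helper called as `$retval = $this->check_signup_capability( $retval );` in each method would keep them in step. The `! is_user_logged_in()` branch only swaps the message — its code and status match the default error built just above the hunk — so a comment such as `// Same code and status as the default error; only the message differs for anonymous callers.` would explain why the branch exists. The filter and return of the method lie outside the hunk.

```php
/**
 * Login and capability gate shared by the signup permission checks.
 *
 * @param WP_Error $default Error to return when the user is logged in but lacks the capability.
 * @return true|WP_Error
 */
private function check_signup_capability( $default ) {
	if ( ! is_user_logged_in() ) {
		return new WP_Error(
			'bp_rest_authorization_required',
			__( 'Sorry, you need to be logged in to perform this action.', 'buddypress' ),
			array( 'status' => rest_authorization_required_code() )
		);
	}

	$capability = is_multisite() ? 'manage_network_users' : 'edit_users';

	return bp_current_user_can( $capability ) ? true : $default;
}
```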
@@ -276,29 +274,27 @@ public function get_item_permissions_check( $request ) {
 array( 'status' => rest_authorization_required_code() )
 );
- if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'members' ) ) ) {
- $capability = is_multisite() ? 'manage_network_users' : 'edit_users';
+ $capability = is_multisite() ? 'manage_network_users' : 'edit_users';
- if ( ! is_user_logged_in() ) {
- $retval = new WP_Error(
- 'bp_rest_authorization_required',
- __( 'Sorry, you need to be logged in to perform this action.', 'buddypress' ),
- array( 'status' => rest_authorization_required_code() )
- );
- } elseif ( bp_current_user_can( $capability ) ) {
- $retval = true;
- }
+ if ( ! is_user_logged_in() ) {
+ $retval = new WP_Error(
+ 'bp_rest_authorization_required',
+ __( 'Sorry, you need to be logged in to perform this action.', 'buddypress' ),
+ array( 'status' => rest_authorization_required_code() )
+ );
+ } elseif ( bp_current_user_can( $capability ) ) {
+ $retval = true;
+ }
- if ( ! is_wp_error( $retval ) ) {
- $signup = $this->get_signup_object( $request->get_param( 'id' ) );
+ if ( ! is_wp_error( $retval ) ) {
+ $signup = $this->get_signup_object( $request->get_param( 'id' ) );
- if ( empty( $signup ) ) {
- $retval = new WP_Error(
- 'bp_rest_invalid_id',
- __( 'Invalid signup id.', 'buddypress' ),
- array( 'status' => 404 )
- );
- }
+ if ( empty( $signup ) ) {
+ $retval = new WP_Error(
+ 'bp_rest_invalid_id',
+ __( 'Invalid signup id.', 'buddypress' ),
+ array( 'status' => 404 )
+ );
+ }
 }
 }