diff --git a/includes/bp-messages/classes/class-bp-rest-messages-endpoint.php b/includes/bp-messages/classes/class-bp-rest-messages-endpoint.php
index aad0efd8..2946bb71 100644
--- a/includes/bp-messages/classes/class-bp-rest-messages-endpoint.php
+++ b/includes/bp-messages/classes/class-bp-rest-messages-endpoint.php
@@ -568,17 +568,6 @@ public function update_item_permissions_check( $request ) {
 */
 public function update_starred( $request ) {
 $message = $this->get_message_object( $request->get_param( 'id' ) );
-
- if ( empty( $message->id ) ) {
- return new WP_Error(
- 'bp_rest_invalid_id',
- __( 'Sorry, this message does not exist.', 'buddypress' ),
- array(
- 'status' => 404,
- )
- );
- }
-
 $user_id = bp_loggedin_user_id();
 $result = false;
 $action = 'star';
@@ -649,8 +638,24 @@ public function update_starred_permissions_check( $request ) {
 )
 );
 
- if ( is_user_logged_in() ) {
- $thread_id = messages_get_message_thread_id( $request->get_param( 'id' ) );
+ if ( ! is_user_logged_in() ) {
+ $retval = new WP_Error(
+ 'bp_rest_authorization_required',
+ __( 'Sorry, you need to be logged in to star/unstar a message.', 'buddypress' ),
+ array(
+ 'status' => rest_authorization_required_code(),
+ )
+ );
+ } else {
+ $thread_id = messages_get_message_thread_id( $request->get_param( 'id' ) ); // This is a message id.
+
+ if ( empty( $thread_id ) ) {
+ return new WP_Error(
+ 'bp_rest_invalid_id',
+ __( 'Sorry, the thread of this message does not exist.', 'buddypress' ),
+ array( 'status' => 404 )
+ );
+ }
 
 if ( messages_check_thread_access( $thread_id ) ) {
 $retval = true;
diff --git a/tests/testcases/messages/test-controller.php b/tests/testcases/messages/test-controller.php
index ac29af4c..cdaef713 100644
--- a/tests/testcases/messages/test-controller.php
+++ b/tests/testcases/messages/test-controller.php
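Review bot: With the `empty( $message->id )` guard removed, `update_starred` now depends on `update_starred_permissions_check` having rejected unknown ids before it runs, but nothing at this site says so, and the `$message` fetched on the first line is presumably used further down, outside the hunk. A one-line comment after the `get_message_object` call would keep the next maintainer from re-adding the check or calling the method outside the REST dispatch where the permission callback does not run: `// No existence check here: update_starred_permissions_check() already returns a 404 for an unknown message id.` The body of update_starred continues past the end of the hunk.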
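Review bot: The two new failure paths in `update_starred_permissions_check` are shaped differently: the logged-out case assigns `$retval`, while the missing-thread case does `return new WP_Error(...)` straight out of the `else` branch. If, as the `$retval` pattern suggests, the value is filtered or otherwise post-processed at the end of the method (outside the hunk), the early return skips that step for the 404 only. Assigning instead keeps both errors on the same path: `$retval = new WP_Error(` in place of `return new WP_Error(`, with the following `if ( messages_check_thread_access( $thread_id ) )` becoming an `elseif` of the `empty( $thread_id )` check. Note also that an unknown id gets 404 while an inaccessible one gets the authorization status, which is the conventional choice but does let a logged-in user tell existing message ids from nonexistent ones; if that matters for this endpoint, returning the same authorization error for both hides it. The method's tail, including whatever default `$retval` the no-access case falls through to, is outside the hunk.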
@@ -1,4 +1,5 @@ bp->set_current_user( $u2 ); $request = new WP_REST_Request( 'PUT', $this->endpoint_url . '/' . bp_get_messages_starred_slug() . '/' . $m->id ); - $request->add_header( 'content-type', 'application/json' ); $response = $this->server->dispatch( $request ); - $data = $response->get_data(); - $data = reset( $data ); + $data = current( $response->get_data() ); $this->assertFalse( $data['is_starred'] ); } + /** + * @group starred + */ + public function test_update_starred_user_is_not_logged_in() { + $u1 = $this->factory->user->create(); + $u2 = $this->factory->user->create(); + + // Init a thread. + $m = $this->bp_factory->message->create_and_get( array( + 'sender_id' => $u1, + 'recipients' => array( $u2 ), + 'subject' => 'Foo', + ) ); + + $request = new WP_REST_Request( 'PUT', $this->endpoint_url . '/' . bp_get_messages_starred_slug() . '/' . $m->id ); + + $this->assertErrorResponse( + 'bp_rest_authorization_required', + $this->server->dispatch( $request ), + rest_authorization_required_code() + ); + } + + /** + * @group starred + */ + public function test_update_starred_user_with_no_access() { + $u1 = $this->factory->user->create(); + $u2 = $this->factory->user->create(); + $u3 = $this->factory->user->create(); + + // Init a thread. + $m = $this->bp_factory->message->create_and_get( array( + 'sender_id' => $u1, + 'recipients' => array( $u2 ), + 'subject' => 'Foo', + ) ); + + $this->bp->set_current_user( $u3 ); + + $request = new WP_REST_Request( 'PUT', $this->endpoint_url . '/' . bp_get_messages_starred_slug() . '/' . $m->id ); + + $this->assertErrorResponse( + 'bp_rest_authorization_required', + $this->server->dispatch( $request ), + rest_authorization_required_code() + ); + } + + /** + * @group starred + */ + public function test_update_starred_using_invalid_id() { + $this->bp->set_current_user( $this->user ); + + $request = new WP_REST_Request( 'PUT', $this->endpoint_url . '/' . bp_get_messages_starred_slug() . '/' . 
REST_TESTS_IMPOSSIBLY_HIGH_NUMBER ); + $response = $this->server->dispatch( $request ); + + $this->assertErrorResponse( 'bp_rest_invalid_id', $response, 404 ); + } + public function update_additional_field( $value, $data, $attribute ) { return bp_messages_update_meta( $data->id, '_' . $attribute, $value ); }