From 6c2be482cae87e85f0ee61520759f34eac913bc1 Mon Sep 17 00:00:00 2001
From: Justin Shreve
Date: Mon, 7 Mar 2016 13:54:28 -0800
Subject: [PATCH] Add a permissions check to the locations endpoints and fill out the tests for them.
---
 includes/api/wc-rest-settings-controller.php | 4 ++++
 tests/unit-tests/api/settings.php | 17 +++++++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/includes/api/wc-rest-settings-controller.php b/includes/api/wc-rest-settings-controller.php
index 11c2c4d9c76..ae322bd30bb 100644
--- a/includes/api/wc-rest-settings-controller.php
+++ b/includes/api/wc-rest-settings-controller.php
@@ -53,6 +53,10 @@ class WC_Rest_Settings_Controller extends WP_Rest_Controller {
 * @return WP_Error|boolean
 */
 public function permissions_check( $request ) {
+ if ( ! current_user_can( 'manage_options' ) ) {
+ return new WP_Error( 'woocommerce_rest_cannot_view', __( 'Sorry, you cannot access settings.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
+ }
+
 return true;
 }
diff --git a/tests/unit-tests/api/settings.php b/tests/unit-tests/api/settings.php
index 44083f562de..15380336b99 100644
--- a/tests/unit-tests/api/settings.php
+++ b/tests/unit-tests/api/settings.php
@@ -12,6 +12,9 @@ class Settings extends \WP_Test_REST_Controller_Testcase {
 parent::setUp();
 $this->endpoint = new \WC_Rest_Settings_Controller();
 \WC_Helper_Settings::register();
+ $this->user = $this->factory->user->create( array(
+ 'role' => 'administrator',
+ ) );
 }
 /**
@@ -28,6 +31,8 @@ class Settings extends \WP_Test_REST_Controller_Testcase {
 * @since 2.7.0
 */
 public function test_get_locations() {
+ wp_set_current_user( $this->user );
+
 $response = $this->server->dispatch( new \WP_REST_Request( 'GET', '/wc/v1/settings/locations' ) );
 $data = $response->get_data();
@@ -54,7 +59,10 @@ class Settings extends \WP_Test_REST_Controller_Testcase {
 * @since 2.7.0
 */
 public function test_get_locations_without_permission() {
+ wp_set_current_user( 0 );
+
 $response = $this->server->dispatch( new \WP_REST_Request( 'GET', '/wc/v1/settings/locations' ) );
+ $this->assertEquals( 401, $response->get_status() );
 }
 /**
@@ -63,6 +71,8 @@ class Settings extends \WP_Test_REST_Controller_Testcase {
 * @since 2.7.0
 */
 public function test_get_locations_correctly_filters_values() {
+ wp_set_current_user( $this->user );
+
 $response = $this->server->dispatch( new \WP_REST_Request( 'GET', '/wc/v1/settings/locations' ) );
 $data = $response->get_data();
@@ -75,6 +85,8 @@ class Settings extends \WP_Test_REST_Controller_Testcase {
 * @since 2.7.0
 */
 public function test_get_locations_with_type() {
+ wp_set_current_user( $this->user );
+
 $request = new \WP_REST_Request( 'GET', '/wc/v1/settings/locations' );
 $request->set_param( 'type', 'not-a-real-type' );
 $response = $this->server->dispatch( $request );
@@ -118,6 +130,8 @@ class Settings extends \WP_Test_REST_Controller_Testcase {
 * @since 2.7.0
 */
 public function test_get_location() {
+ wp_set_current_user( $this->user );
+
 // test getting a location that does not exist
 $response = $this->server->dispatch( new \WP_REST_Request( 'GET', '/wc/v1/settings/locations/not-real' ) );
 $data = $response->get_data();
@@ -147,7 +161,10 @@ class Settings extends \WP_Test_REST_Controller_Testcase {
 * @since 2.7.0
 */
 public function test_get_location_without_permission() {
+ wp_set_current_user( 0 );
+
 $response = $this->server->dispatch( new \WP_REST_Request( 'GET', '/wc/v1/settings/locations/coupon-data' ) );
+ $this->assertEquals( 401, $response->get_status() );
 }
 public function test_get_items() { }
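Review bot: The guard added to `permissions_check` gates the settings locations endpoints on `manage_options`, a capability that in a stock WordPress install is held by administrators only, so a WooCommerce shop manager (who presumably holds `manage_woocommerce` rather than `manage_options`) is turned away too; if that is the intent, record it in the docblock just above the hunk, e.g. `* Administrator-only (manage_options): shop managers are deliberately excluded.`, otherwise `current_user_can( 'manage_woocommerce' )` is the more likely check. The method ignores `$request`, so it answers identically for every route and HTTP method it is wired to, which is acceptable for the read-only GET routes covered here but should be revisited before the same callback is reused for anything that writes settings. The status is taken from `rest_authorization_required_code()`, so an anonymous caller receives 401 while a logged-in caller lacking the capability receives 403; a one-line comment on that line would help, since the accompanying tests only exercise the 401 path.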
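Review bot: `test_get_locations_without_permission` exercises only the anonymous case, `wp_set_current_user( 0 )`, for which `rest_authorization_required_code()` yields 401, so the capability check itself is never tested: a regression that replaced `current_user_can( 'manage_options' )` with a mere is-logged-in check would still pass this test. Add a second case with a logged-in low-privilege user, e.g. `wp_set_current_user( $this->factory->user->create( array( 'role' => 'subscriber' ) ) );`, dispatch the same request, and assert `$this->assertEquals( 403, $response->get_status() );`. The assertion on the response status alone also passes for any unrelated 401, so checking the error code `woocommerce_rest_cannot_view` in the response data, if the test framework exposes it, would pin the failure to this permission callback.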
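Review bot: `test_get_location_without_permission` has the same gap as its list-endpoint sibling: only the anonymous 401 branch of `rest_authorization_required_code()` is asserted, so the single-location route `/wc/v1/settings/locations/coupon-data` is never shown to reject an authenticated user who lacks `manage_options`. Mirror the list test with a subscriber-role user and `$this->assertEquals( 403, $response->get_status() );` so both routes prove the capability check rather than just the login check. Since the two without-permission tests differ only in the request path, a small private helper taking the route and the expected status would keep the two cases from drifting apart.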