Protect REST API v1 and v2 against a category of accidental deletion in which the supplied product ID is invalid.

This commit is contained in:
barryhughes 2022-02-17 08:51:21 -08:00
parent efac1bad3c
commit a6fb397a1a
2 changed files with 21 additions and 4 deletions


@ -365,9 +365,14 @@ class WC_REST_Product_Reviews_V1_Controller extends WC_REST_Controller {
* @return bool|WP_Error|WP_REST_Response
*/
public function delete_item( $request ) {
$product_id = (int) $request['product_id'];
$product_review_id = (int) $request['id'];
$force = isset( $request['force'] ) ? (bool) $request['force'] : false;
if ( 'product' !== get_post_type( $product_id ) ) {
return new WP_Error( 'woocommerce_rest_product_invalid_id', __( 'Invalid product ID.', 'woocommerce' ), array( 'status' => 404 ) );
}
$product_review = get_comment( $product_review_id );
if ( empty( $product_review_id ) || empty( $product_review->comment_ID ) || empty( $product_review->comment_post_ID ) ) {
return new WP_Error( 'woocommerce_rest_product_review_invalid_id', __( 'Invalid product review ID.', 'woocommerce' ), array( 'status' => 404 ) );
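Review bot: The new guard `'product' !== get_post_type( $product_id )` confirms that the product exists but not that the review belongs to it, so a review could still be deleted through the URL of a different, valid product unless the remainder of delete_item (which continues outside the hunk) compares the two. If it does not, add after the review lookup `if ( (int) $product_review->comment_post_ID !== $product_id ) { return new WP_Error( 'woocommerce_rest_product_review_invalid_id', __( 'Invalid product review ID.', 'woocommerce' ), array( 'status' => 404 ) ); }`. A missing `product_id` casts to 0, and `get_post_type( 0 )` may resolve to the global post when one is set, so an explicit `0 >= $product_id ||` at the front of the condition makes the intent unambiguous. The commit message also names v2; if the v2 controller does not inherit this method from v1, it needs the same guard.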


@ -105,21 +105,33 @@ class WC_REST_Product_Reviews_V1_Controller_Tests extends WC_Unit_Test_Case {
* @testdox Ensure attempts to delete product reviews are checked for user permissions.
*/
public function test_permissions_for_deleting_product_reviews() {
$request = new WP_REST_Request( 'DELETE', '/wc/v1/products/123456789/reviews/' . $this->review_id );
$request->set_param( 'id', $this->review_id );
$api_request = new WP_REST_Request( 'DELETE', '/wc/v1/products/' . $this->product_id . '/reviews/' . $this->review_id );
$api_request->set_param( 'product_id', $this->product_id );
$api_request->set_param( 'id', $this->review_id );
wp_set_current_user( $this->editor_id );
$this->assertEquals(
'woocommerce_rest_cannot_delete',
$this->sut->delete_item_permissions_check( $request )->get_error_code(),
$this->sut->delete_item_permissions_check( $api_request )->get_error_code(),
'A user lacking edit_comment permissions (such as an editor) cannot delete a product review.'
);
wp_set_current_user( $this->shop_manager_id );
$this->assertTrue(
$this->sut->delete_item_permissions_check( $request ),
$this->sut->delete_item_permissions_check( $api_request ),
'A user (such as a shop manager) who has the edit_comment permission can delete a product review.'
);
$nonexistent_product_id = $this->product_id * 10;
$api_request = new WP_REST_Request( 'DELETE', '/wc/v1/products/' . $nonexistent_product_id . '/reviews/' . $this->review_id );
$api_request->set_param( 'product_id', $nonexistent_product_id );
$api_request->set_param( 'id', $this->review_id );
$this->assertEquals(
'woocommerce_rest_product_invalid_id',
$this->sut->delete_item( $api_request )->get_error_code(),
'Attempts to delete reviews for non-existent products are rejected, even if the review ID is valid.'
);
}
/**
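Review bot: The new assertion on `$this->sut->delete_item( $api_request )->get_error_code()` checks only that an error code comes back, not that the review survived, which is the protection this commit is about; add `$this->assertInstanceOf( 'WP_Comment', get_comment( $this->review_id ), 'The review is untouched after a rejected delete.' );` after it. `$nonexistent_product_id = $this->product_id * 10;` is not guaranteed to be an unused post ID in the test database; creating a product and removing it with `wp_delete_post( $id, true )` yields an ID that is known not to exist. The method's `@testdox` still says it covers user permissions, while the appended block tests product-ID validation, so a separate test method such as `test_delete_review_for_nonexistent_product_is_rejected` would keep each test to one behaviour.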