From f762037e6150f3bfc9a25bdca70cf6ab16da824c Mon Sep 17 00:00:00 2001
From: barryhughes <3594411+barryhughes@users.noreply.github.com>
Date: Mon, 7 Feb 2022 12:58:29 -0800
Subject: [PATCH] Update permission checks for V1/V2 product review endpoints.
---
 ...-wc-rest-product-reviews-v1-controller.php | 6 +-
 ...st-product-reviews-v1-controller-tests.php | 123 ++++++++++++++++++
 2 files changed, 126 insertions(+), 3 deletions(-)
 create mode 100644 plugins/woocommerce/tests/php/includes/rest-api/Controllers/Version1/class-wc-rest-product-reviews-v1-controller-tests.php
diff --git a/plugins/woocommerce/includes/rest-api/Controllers/Version1/class-wc-rest-product-reviews-v1-controller.php b/plugins/woocommerce/includes/rest-api/Controllers/Version1/class-wc-rest-product-reviews-v1-controller.php
index d5969bea569..9007aee7ae4 100644
--- a/plugins/woocommerce/includes/rest-api/Controllers/Version1/class-wc-rest-product-reviews-v1-controller.php
+++ b/plugins/woocommerce/includes/rest-api/Controllers/Version1/class-wc-rest-product-reviews-v1-controller.php
@@ -195,11 +195,11 @@ class WC_REST_Product_Reviews_V1_Controller extends WC_REST_Controller {
 $id = (int) $request['id'];
 $review = get_comment( $id );
- if ( $review && ! wc_rest_check_product_reviews_permissions( 'delete', $review->comment_ID ) ) {
- return new WP_Error( 'woocommerce_rest_cannot_delete', __( 'Sorry, you cannot delete this resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
+ if ( $review && get_comment_type( $id ) === 'review' && wc_rest_check_product_reviews_permissions( 'delete', $review->comment_ID ) ) {
+ return true;
 }
- return true;
+ return new WP_Error( 'woocommerce_rest_cannot_delete', __( 'Sorry, you cannot delete this resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
 }
 /**
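Review bot: On the new `if` line, `get_comment_type( $id )` performs a second comment lookup for an object the method already holds in `$review`; `$review->comment_type === 'review'` makes the same type check against the object that is actually being authorised and avoids the extra query. The rewritten fallthrough now reports a non-existent id with the same `woocommerce_rest_cannot_delete` / `rest_authorization_required_code()` response as a forbidden one, a defensible anti-enumeration choice but a change from the old path (which returned true and left "not found" to the handler), so it deserves a one-line comment such as `// Unknown ids and non-review comments are deliberately reported as a permission failure rather than 404.` Nothing in this check ties the review to the `product_id` in the route; presumably `delete_item` validates that, but it is outside the hunk, as are the method's signature and the V2 controller the subject line mentions.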
diff --git a/plugins/woocommerce/tests/php/includes/rest-api/Controllers/Version1/class-wc-rest-product-reviews-v1-controller-tests.php b/plugins/woocommerce/tests/php/includes/rest-api/Controllers/Version1/class-wc-rest-product-reviews-v1-controller-tests.php
new file mode 100644
index 00000000000..13029cff269
--- /dev/null
+++ b/plugins/woocommerce/tests/php/includes/rest-api/Controllers/Version1/class-wc-rest-product-reviews-v1-controller-tests.php
@@ -0,0 +1,123 @@
+ "test_editor_$password",
+ 'user_pass' => $password,
+ 'user_email' => "editor_$password@example.com",
+ 'role' => 'editor',
+ )
+ );
+ self::$author_id = wp_insert_user(
+ array(
+ 'user_login' => "test_author_$password",
+ 'user_pass' => $password,
+ 'user_email' => "author_$password@example.com",
+ 'role' => 'author',
+ )
+ );
+
+ self::$sut = new WC_REST_Product_Reviews_V1_Controller();
+ }
+
+ /**
+ * @testdox Ensure attempts to create product reviews are checked for user permissions.
+ */
+ public function test_permissions_for_updating_product_reviews() {
+ $product = WC_Helper_Product::create_simple_product();
+ $review_id = WC_Helper_Product::create_product_review(
+ $product->get_id(),
+ 'Arrived on schedule but I had to turn it on manually.'
+ );
+
+ $request = new WP_REST_Request( 'PUT', '/wc/v2/products/' . $product->get_id() . '/reviews/' . $review_id );
+ $request->set_param( 'id', $review_id );
+ $request->set_body( '{ "review": "Modified automatically." }' );
+
+ wp_set_current_user( self::$author_id );
+ $this->assertEquals(
+ 'woocommerce_rest_cannot_edit',
+ self::$sut->update_item_permissions_check( $request )->get_error_code(),
+ 'An author cannot update a product review.'
+ );
+
+ wp_set_current_user( self::$editor_id );
+ $this->assertTrue(
+ self::$sut->update_item_permissions_check( $request ),
+ 'An editor (or any user with the moderate_comments capability) can update a product review.'
+ );
+
+ $request->set_route( '/wc/v2/products/' . ( $product->get_id() * 10 ) . '/reviews/' . $review_id );
+ $this->assertEquals(
+ 'woocommerce_rest_product_invalid_id',
+ self::$sut->update_item( $request )->get_error_code(),
+ 'Attempts to edit reviews for non-existent products are rejected.'
+ );
+ }
+
+ /**
+ * @testdox Ensure attempts to delete product reviews are checked for user permissions.
+ */
+ public function test_permissions_for_deleting_product_reviews() {
+ $product = WC_Helper_Product::create_simple_product();
+ $review_id = WC_Helper_Product::create_product_review(
+ $product->get_id(),
+ 'Supposed to be made from real unicorn horn but was actually cheap cardboard. OK for the price.'
+ );
+
+ $request = new WP_REST_Request( 'DELETE', '/wc/v2/products/123456789/reviews/' . $review_id );
+ $request->set_param( 'id', $review_id );
+
+ wp_set_current_user( self::$author_id );
+ $this->assertEquals(
+ 'woocommerce_rest_cannot_delete',
+ self::$sut->delete_item_permissions_check( $request )->get_error_code(),
+ 'An author (or other user lacking the moderate_comments capability) cannot delete a product review.'
+ );
+
+ wp_set_current_user( self::$editor_id );
+ $this->assertTrue(
+ self::$sut->delete_item_permissions_check( $request ),
+ 'An editor (or any user with the moderate_comments capability) can delete a product review.'
+ );
+
+ $order = WC_Helper_Order::create_order();
+ $order_note_id = $order->add_order_note( 'Dispatched with all due haste.' );
+
+ $request = new WP_REST_Request( 'DELETE', '/wc/v2/products/123456789/reviews/' . $order_note_id );
+ $request->set_param( 'id', $order_note_id );
+
+ $this->assertEquals(
+ 'woocommerce_rest_cannot_delete',
+ self::$sut->delete_item_permissions_check( $request )->get_error_code(),
+ 'Comments that are not product reviews cannot be deleted via this endpoint.'
+ );
+ }
+}
+
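Review bot: The final assertion in `test_permissions_for_updating_product_reviews` appears to pass for a reason other than the one its message states: `WP_REST_Request::set_route()` only changes the route string and, as far as I know, does not populate URL parameters, so `$request['product_id']` is never set and `update_item` sees no product rather than a non-existent one. Setting the parameter directly, `$request->set_param( 'product_id', $product->get_id() * 10 );`, would exercise the intended case. The `@testdox` on that method says "create product reviews" but the test updates one; `* @testdox Ensure attempts to update product reviews are checked for user permissions.` matches what it does. The start of this hunk (class declaration, `setUpBeforeClass` and where `$password` comes from) is garbled in this view, so the fixture setup and any teardown of the inserted users could not be reviewed.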