open context edit #274
context edit was basically only hiding entity permissions. No sensitive information. Removed because it is needed in the front-end. If sensitive info is added, the check should be done when building the response
This commit is contained in:
parent
221e6b3ab8
commit
907d0df7b9
|
@ -252,10 +252,6 @@ class REST_Collections_Controller extends REST_Controller {
|
|||
* @throws \Exception
|
||||
*/
|
||||
public function get_items_permissions_check($request){
|
||||
if ( 'edit' === $request['context'] && ! current_user_can($this->collections_repository->get_capabilities()->edit_posts) ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
|
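Review bot: With the `'edit' === $request['context']` capability check gone, `get_items_permissions_check` in REST_Collections_Controller appears to return `true` for every caller in every context (the hunk's `-252,10 +252,6` count matches the four visible lines of the removed `if` block, but no +/- markers survived on this page, so confirm against the raw diff). That turns the permission callback into a no-op, so the only place `context=edit` output can still be restricted is where the response is built; the commit description says so, but the code does not. I would record that contract in the docblock above the method, e.g. `* Always grants access; any context=edit-only fields must be filtered when the response is built.`, so the next maintainer does not add an edit-only field to the schema assuming this callback gates it. The same applies to the `!isset($request['collection_id'])` branch of `get_items_permissions_check` in REST_Filters_Controller (hunk `-398,9`) and REST_Metadata_Controller (hunk `-400,10`), and to `get_items_permissions_check` in REST_Items_Controller (hunk `-431,10`), all of whose bodies continue outside their hunks.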
@ -270,10 +266,6 @@ class REST_Collections_Controller extends REST_Controller {
|
|||
$collection = $this->collections_repository->fetch($request['collection_id']);
|
||||
|
||||
if(($collection instanceof Entities\Collection)) {
|
||||
if('edit' === $request['context'] && !$collection->can_edit()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return $collection->can_read();
|
||||
}
|
||||
|
||||
|
|
|
@ -398,9 +398,6 @@ class REST_Filters_Controller extends REST_Controller {
|
|||
*/
|
||||
public function get_items_permissions_check( $request ) {
|
||||
if(!isset($request['collection_id'])) {
|
||||
if ( 'edit' === $request['context'] && ! $this->filter_repository->can_edit( new Entities\Filter() ) ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
@ -447,10 +444,6 @@ class REST_Filters_Controller extends REST_Controller {
|
|||
$filter = $this->filter_repository->fetch($request['filter_id']);
|
||||
|
||||
if(($filter instanceof Entities\Filter)) {
|
||||
if('edit' === $request['context'] && !$filter->can_edit()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return $filter->can_read();
|
||||
}
|
||||
|
||||
|
|
|
@ -164,10 +164,6 @@ class REST_Item_Metadata_Controller extends REST_Controller {
|
|||
$item = $this->item_repository->fetch($request['item_id']);
|
||||
|
||||
if(($item instanceof Entities\Item)) {
|
||||
if('edit' === $request['context'] && !$item->can_edit()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return $item->can_read();
|
||||
}
|
||||
|
||||
|
|
|
@ -413,10 +413,6 @@ class REST_Items_Controller extends REST_Controller {
|
|||
$item = $this->items_repository->fetch($request['item_id']);
|
||||
|
||||
if(($item instanceof Entities\Item)) {
|
||||
if('edit' === $request['context'] && !$item->can_edit()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return $item->can_read();
|
||||
}
|
||||
|
||||
|
@ -431,10 +427,6 @@ class REST_Items_Controller extends REST_Controller {
|
|||
public function get_items_permissions_check( $request ) {
|
||||
$collection = $this->collections_repository->fetch($request['collection_id']);
|
||||
|
||||
if('edit' === $request['context'] && !is_user_logged_in()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if ( isset($request['taxquery']) && !$this->get_items_permissions_check_for_taxonomy($request['taxquery']) ) {
|
||||
return false;
|
||||
}
|
||||
|
|
|
@ -38,17 +38,6 @@ class REST_Logs_Controller extends REST_Controller {
|
|||
'methods' => \WP_REST_Server::READABLE,
|
||||
'callback' => array($this, 'get_item'),
|
||||
'permission_callback' => array($this, 'get_item_permissions_check'),
|
||||
'args' => array(
|
||||
'context' => array(
|
||||
'type' => 'string',
|
||||
'default' => 'view',
|
||||
'description' => 'The context in which the request is made.',
|
||||
'enum' => array(
|
||||
'view',
|
||||
'edit'
|
||||
)
|
||||
),
|
||||
),
|
||||
),
|
||||
'schema' => [$this, 'get_schema']
|
||||
)
|
||||
|
|
|
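Review bot: Dropping the `'context'` entry from the `get_item` route's `args` also drops its `'default' => 'view'` and `'enum' => ['view', 'edit']` validation, not just the permission gate, so if `get_item` or the log response builder still reads `$request['context']` it now sees an unvalidated, possibly absent value (the route registration continues outside the hunk, so the callbacks are not visible here). If `context` is still consumed, keep the argument declared with its `enum` so the REST server rejects unknown values before the callback runs; if it is no longer consumed, a one-line comment on the route, e.g. `// context arg intentionally removed: get_item output does not vary by context`, would save the next reader from wondering. The hunk count (`-38,17 +38,6`) suggests the whole args block went, so please confirm that `$request['context']` has no remaining readers in this controller.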
@ -180,10 +180,6 @@ class REST_Metadata_Controller extends REST_Controller {
|
|||
$metadatum = $this->metadatum_repository->fetch($request['metadatum_id']);
|
||||
|
||||
if ( $metadatum instanceof Entities\Metadatum ) {
|
||||
if ( $request['context'] === 'edit' && ! $metadatum->can_edit() ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return $metadatum->can_read();
|
||||
}
|
||||
|
||||
|
@ -400,10 +396,6 @@ class REST_Metadata_Controller extends REST_Controller {
|
|||
|
||||
|
||||
if(!isset($request['collection_id'])) {
|
||||
if ( 'edit' === $request['context'] && ! $this->metadatum_repository->can_edit( new Entities\Filter() ) ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
|
|
|
@ -220,10 +220,6 @@ class REST_Taxonomies_Controller extends REST_Controller {
|
|||
$taxonomy = $this->taxonomy_repository->fetch($request['taxonomy_id']);
|
||||
|
||||
if(($taxonomy instanceof Entities\Taxonomy)) {
|
||||
if('edit' === $request['context'] && !$taxonomy->can_edit()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return $taxonomy->can_read();
|
||||
}
|
||||
|
||||
|
@ -338,9 +334,7 @@ class REST_Taxonomies_Controller extends REST_Controller {
|
|||
* @return bool|\WP_Error
|
||||
*/
|
||||
public function get_items_permissions_check( $request ) {
|
||||
if('edit' === $request['context'] && !is_user_logged_in()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// if(!$this->taxonomy_repository->can_read($this->taxonomy)) {
|
||||
// return false;
|
||||
// }
|
||||
|
|
|
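Review bot: The commented-out `// if(!$this->taxonomy_repository->can_read($this->taxonomy)) { return false; }` block in `get_items_permissions_check` (`-338,9 +334,7`) should not be left inside a permission callback: a reader skimming for read checks sees one that never runs, and `$this->taxonomy` is not set anywhere in the visible hunk. If that block is on the new side of this hunk, delete it, or replace it with a one-line comment stating where read visibility for the taxonomy list is actually enforced; I cannot tell which lines are old and which are new here because the +/- markers were lost. The method continues past the end of the hunk, so whatever it returns afterwards is where the real read filtering must live.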
@ -358,10 +358,6 @@ class REST_Terms_Controller extends REST_Controller {
|
|||
$taxonomy = $this->taxonomy_repository->fetch($request['taxonomy_id']);
|
||||
|
||||
if(($taxonomy instanceof Entities\Taxonomy)) {
|
||||
if('edit' === $request['context'] && !$taxonomy->can_edit()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return $taxonomy->can_read();
|
||||
}
|
||||
|
||||
|
|
|
@ -9,57 +9,20 @@ class TAINACAN_REST_Visibilility_Controller extends TAINACAN_UnitApiTestCase {
|
|||
|
||||
|
||||
/*
|
||||
setup initail:
|
||||
initial setup:
|
||||
create taxonomy_public
|
||||
create term-a-public
|
||||
create term-b-public
|
||||
create taxonomy_private
|
||||
create term-a-private
|
||||
create term-b-private
|
||||
|
||||
|
||||
create collection
|
||||
create a metadata-public (taxonomy_public)
|
||||
create a metadata-private (taxonomy_private)
|
||||
create item-a
|
||||
create item-b
|
||||
|
||||
first-test:
|
||||
user not logged
|
||||
get terms of taxonomy_public = 200
|
||||
get terms of taxonomy_private = 401
|
||||
get terms on context=edit of taxonomy_public = 401
|
||||
get terms on context=edit of taxonomy_private = 401
|
||||
|
||||
second-test:
|
||||
user logged
|
||||
get terms of taxonomy_public = 200
|
||||
get terms of taxonomy_private = 200
|
||||
get terms on context=edit of taxonomy_public = 200
|
||||
get terms on context=edit of taxonomy_private = 200
|
||||
|
||||
third-test:
|
||||
user not logged
|
||||
get taxonomies = 200 - 1 taxonomy
|
||||
get taxonomies on context=edit of taxonomy_public = 401
|
||||
|
||||
fourth-test:
|
||||
user logged
|
||||
get taxonomies = 200 - 2 taxonomies
|
||||
get taxonomies on context=edit = 200 - 2 taxonomies
|
||||
|
||||
fifth-test:
|
||||
user logged
|
||||
get items filter by taxonomy_public = 200
|
||||
get items filter by taxonomy_private = 200
|
||||
get items on context=edit filter by taxonomy_public = 200
|
||||
get items on context=edit filter by taxonomy_private = 200
|
||||
|
||||
fifth-test:
|
||||
user not logged
|
||||
get items filter by taxonomy_public = 200
|
||||
get items filter by taxonomy_private = 401
|
||||
get items on context=edit filter by taxonomy_public = 401
|
||||
get items on context=edit filter by taxonomy_private = 401
|
||||
*/
|
||||
|
||||
public $collection;
|
||||
|
@ -195,7 +158,7 @@ class TAINACAN_REST_Visibilility_Controller extends TAINACAN_UnitApiTestCase {
|
|||
|
||||
wp_set_post_terms($item_a->get_id(), [$term_a_public->get_id(), $term_b_public->get_id()], $taxonomy_public->get_db_identifier());
|
||||
wp_set_post_terms($item_b->get_id(), [$term_a_private->get_id(), $term_b_private->get_id()], $taxonomy_private->get_db_identifier());
|
||||
|
||||
|
||||
}
|
||||
|
||||
public function test_get_terms_of_taxonomy_logged() {
|
||||
|
@ -275,7 +238,7 @@ class TAINACAN_REST_Visibilility_Controller extends TAINACAN_UnitApiTestCase {
|
|||
$response = $this->server->dispatch($request_public_edit);
|
||||
$status = $response->status;
|
||||
$data = $response->get_data();
|
||||
$this->assertEquals(401, $status);
|
||||
$this->assertEquals(200, $status);
|
||||
|
||||
//tax private - context=edit:
|
||||
$request_private_edit = new \WP_REST_Request(
|
||||
|
@ -289,7 +252,7 @@ class TAINACAN_REST_Visibilility_Controller extends TAINACAN_UnitApiTestCase {
|
|||
}
|
||||
|
||||
public function test_get_taxonomies_logged() {
|
||||
|
||||
|
||||
$request_public = new \WP_REST_Request(
|
||||
'GET', $this->namespace . '/taxonomies'
|
||||
);
|
||||
|
@ -299,7 +262,7 @@ class TAINACAN_REST_Visibilility_Controller extends TAINACAN_UnitApiTestCase {
|
|||
$this->assertEquals(200, $status);
|
||||
$this->assertEquals(2, sizeof($data));
|
||||
|
||||
|
||||
|
||||
$request_public_edit = new \WP_REST_Request(
|
||||
'GET', $this->namespace . '/taxonomies'
|
||||
);
|
||||
|
@ -324,14 +287,6 @@ class TAINACAN_REST_Visibilility_Controller extends TAINACAN_UnitApiTestCase {
|
|||
$this->assertEquals(200, $status);
|
||||
$this->assertEquals(1, sizeof($data));
|
||||
|
||||
$request_public_edit = new \WP_REST_Request(
|
||||
'GET', $this->namespace . '/taxonomies'
|
||||
);
|
||||
$request_public_edit->set_query_params(['context' => 'edit']);
|
||||
$response = $this->server->dispatch($request_public_edit);
|
||||
$status = $response->status;
|
||||
$data = $response->get_data();
|
||||
$this->assertEquals(401, $status);
|
||||
}
|
||||
|
||||
public function test_get_items_logged() {
|
||||
|
@ -426,7 +381,7 @@ class TAINACAN_REST_Visibilility_Controller extends TAINACAN_UnitApiTestCase {
|
|||
$response = $this->server->dispatch($request_public_edit);
|
||||
$status = $response->status;
|
||||
$data = $response->get_data();
|
||||
$this->assertEquals(401, $status);
|
||||
$this->assertEquals(200, $status);
|
||||
|
||||
//tax private:
|
||||
$request_private = new \WP_REST_Request(
|
||||
|
@ -456,6 +411,7 @@ class TAINACAN_REST_Visibilility_Controller extends TAINACAN_UnitApiTestCase {
|
|||
$data = $response->get_data();
|
||||
$this->assertEquals(401, $status);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
?>
|
||||
?>
|
||||
|
|
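Review bot: The assertions in `test_get_items` (`-426,7 +381,7`) and the terms test (`-275,7 +238,7`) flip the logged-out `context=edit` expectation from `401` to `200`, but nothing now pins the commit's own premise that `context=edit` adds no sensitive fields for an anonymous caller. Since the permission callbacks no longer gate the edit context, the response builder is the only guard, and this test file is where that invariant should be enforced: after the `$this->assertEquals(200, $status);` on the edit request, dispatch the same request with `context=view` and assert that the edit payload exposes no key the view payload lacks. Without that, adding an edit-only field to a schema later silently exposes it to logged-out users and no test fails. The setup hunk (`-195,7 +158,7`) attaches the private terms to `$item_b`, so the private-taxonomy case on `$item_b` is the natural fixture for this check.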