Adds verification of capabilities to fetch all field values and modifies the response of invalid attributes on updates and posts

2018-03-07 12:57:12 -03:00 · 2018-03-07 12:57:12 -03:00 · f9f5e831f3
parent a56e677d98
commit f9f5e831f3
3 changed files with 86 additions and 28 deletions
--- a/src/classes/entities/class-tainacan-entity.php
+++ b/src/classes/entities/class-tainacan-entity.php
@ -203,7 +203,10 @@ class Entity {
        ) {
            $validation = $mapped['validation'];
            $prop_value = $this->get_mapped_property($prop);
-            $message = ( isset( $mapped['on_error'] ) ) ? $mapped['on_error'] : $prop. __(' is invalid', 'tainacan');
+            $message = [
+            	'error_message'   => ( isset( $mapped['on_error'] ) ) ? $mapped['on_error'] : $prop. __(' is invalid', 'tainacan'),
+	            'attribute' => $prop
+            ];

            if (is_array($prop_value)) {
                foreach ($prop_value as $val) {
--- a/src/classes/repositories/class-tainacan-fields.php
+++ b/src/classes/repositories/class-tainacan-fields.php
@ -600,35 +600,78 @@ class Fields extends Repository {
 		// Clear the result cache
 		$wpdb->flush();

-		$item_post_type = "%{$collection_id}_item";
+		$item_post_type = "%%{$collection_id}_item";

-		$sql_string = (current_user_can( "read_private_tnc_col_{$collection_id}_items" ) && current_user_can( 'read_private_tainacan-collections' )) ? $wpdb->prepare(
-			"SELECT item_id, field_id, mvalue 
-				FROM (
-					SELECT ID as item_id
-					FROM $wpdb->posts
-					WHERE post_type LIKE %s
-				) items
-				JOIN (
-					SELECT meta_key as field_id, meta_value as mvalue, post_id
-					FROM $wpdb->postmeta
-				) metas
-				ON items.item_id = metas.post_id AND metas.field_id = %s", $item_post_type, $field_id
-		) : $wpdb->prepare(
-			"SELECT item_id, field_id, mvalue 
-				FROM (
-					SELECT ID as item_id
-					FROM $wpdb->posts
-					WHERE post_type LIKE %s AND post_status <> 'private'
-				) items
-				JOIN (
-					SELECT meta_key as field_id, meta_value as mvalue, post_id
-					FROM $wpdb->postmeta
-				) metas
-				ON items.item_id = metas.post_id AND metas.field_id = %s", $item_post_type, $field_id
-		);
+		$collection = new Entities\Collection($collection_id);
+		$capabilities = $collection->get_capabilities();

-		$results = $wpdb->get_results($sql_string, ARRAY_A);
+		$results = [];
+
+		// If no has logged user or actual user can not read private posts
+		if(get_current_user_id() === 0 || !current_user_can( $capabilities->read_private_posts)) {
+			$args = [
+				'exclude_from_search' => false,
+				'public'              => true,
+				'private'             => false,
+				'internal'            => false,
+			];
+
+			$post_statuses = get_post_stati( $args, 'names', 'and' );
+
+			foreach ($post_statuses as $post_status) {
+				$sql_string = $wpdb->prepare(
+					"SELECT item_id, field_id, mvalue 
+				  		FROM (
+			  				SELECT ID as item_id
+		  					FROM $wpdb->posts
+	  						WHERE post_type LIKE %s AND post_status = %s
+  						) items
+							JOIN (
+						  	SELECT meta_key as field_id, meta_value as mvalue, post_id
+					  		FROM $wpdb->postmeta
+				  		) metas
+			  			ON items.item_id = metas.post_id AND metas.field_id = %d",
+					$item_post_type, $post_status, $field_id
+				);
+
+				$pre_result = $wpdb->get_results( $sql_string, ARRAY_A );
+
+				if (!empty($pre_result)) {
+					$results[] = $pre_result[0];
+				}
+			}
+		} else {
+			if ( current_user_can( $capabilities->read_private_posts) ) {
+				$args = [
+					'exclude_from_search' => false,
+				];
+
+				$post_statuses = get_post_stati( $args, 'names', 'and' );
+
+				foreach ($post_statuses as $post_status) {
+					$sql_string = $wpdb->prepare(
+						"SELECT item_id, field_id, mvalue 
+					        FROM (
+						        SELECT ID as item_id
+					            FROM $wpdb->posts
+					            WHERE post_type LIKE %s AND post_status = %s
+					        ) items
+						    JOIN (
+						        SELECT meta_key as field_id, meta_value as mvalue, post_id
+						        FROM $wpdb->postmeta
+						    ) metas
+						    ON items.item_id = metas.post_id AND metas.field_id = %d",
+						$item_post_type, $post_status, $field_id
+					);
+
+					$pre_result = $wpdb->get_results( $sql_string, ARRAY_A );
+
+					if (!empty($pre_result)) {
+						$results[] = $pre_result[0];
+					}
+				}
+			}
+		}

 		return $results;
 	}
--- a/tests/test-api-metadata.php
+++ b/tests/test-api-metadata.php
@ -477,6 +477,18 @@ class TAINACAN_REST_Metadata_Controller extends TAINACAN_UnitApiTestCase {

 		//=======================

+		// Set no one user
+		wp_set_current_user(0);
+
+		$response1 = $this->server->dispatch($request);
+
+		$data1 = $response1->get_data();
+
+		$this->assertCount(1, $data1);
+		$this->assertEquals('12/12/2017', $data1[0]['mvalue']);
+
+		//=======================
+
 		$new_user1 = $this->factory()->user->create(array( 'role' => 'subscriber' ));
 		wp_set_current_user($new_user1);