Switch to using current_user_can function to check capabilities
This commit is contained in:
Tautvidas Sipavičius
@ -22,8 +22,6 @@ class AccessControl {
|
||||
|
||||
function __construct() {
|
||||
$this->permissions = self::getDefaultPermissions();
|
||||
$this->user_roles = $this->getUserRoles();
|
||||
$this->user_capabilities = $this->getUserCapabilities();
|
||||
}
|
||||
|
||||
static function getDefaultPermissions() {
|
||||
@ -80,30 +78,8 @@ class AccessControl {
|
||||
);
|
||||
}
|
||||
|
||||
function getUserRoles() {
|
||||
$user = wp_get_current_user();
|
||||
return $user->roles;
|
||||
}
|
||||
|
||||
function getUserCapabilities() {
|
||||
$user = wp_get_current_user();
|
||||
return array_keys($user->allcaps);
|
||||
}
|
||||
|
||||
function getUserFirstCapability() {
|
||||
return (!empty($this->user_capabilities)) ?
|
||||
$this->user_capabilities[0] :
|
||||
null;
|
||||
}
|
||||
|
||||
function validatePermission($permission) {
|
||||
if($permission === self::NO_ACCESS_RESTRICTION) return true;
|
||||
foreach($this->user_roles as $role) {
|
||||
$role_object = get_role($role);
|
||||
if($role_object && $role_object->has_cap($permission)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
return current_user_can($permission);
|
||||
}
|
||||
}
|
||||
|
||||
@ -143,7 +143,6 @@ class APITest extends \MailPoetTest {
|
||||
'data' => array('test' => 'data')
|
||||
);
|
||||
$access_control = new AccessControl();
|
||||
$access_control->user_roles = $access_control->permissions[AccessControl::PERMISSION_MANAGE_SETTINGS];
|
||||
$api = Stub::make(
|
||||
new \MailPoet\API\JSON\API($access_control),
|
||||
array(
|
||||
@ -179,8 +178,10 @@ class APITest extends \MailPoetTest {
|
||||
'api_version' => 'v1',
|
||||
'data' => array('test' => 'data')
|
||||
);
|
||||
$access_control = new AccessControl();
|
||||
$access_control->user_roles = array();
|
||||
$access_control = Stub::make(
|
||||
new AccessControl(),
|
||||
array('validatePermission' => false)
|
||||
);
|
||||
$api = new \MailPoet\API\JSON\API($access_control);
|
||||
$api->addEndpointNamespace($namespace['name'], $namespace['version']);
|
||||
$api->setRequestData($data);
|
||||
@ -189,22 +190,36 @@ class APITest extends \MailPoetTest {
|
||||
}
|
||||
|
||||
function testItValidatesGlobalPermission() {
|
||||
$access_control = new AccessControl();
|
||||
$permissions = array(
|
||||
'global' => AccessControl::PERMISSION_MANAGE_SETTINGS,
|
||||
);
|
||||
|
||||
$access_control->user_roles = array();
|
||||
$access_control = Stub::make(
|
||||
new AccessControl(),
|
||||
array(
|
||||
'validatePermission' => Stub::once(function($cap) {
|
||||
expect($cap)->equals(AccessControl::PERMISSION_MANAGE_SETTINGS);
|
||||
return false;
|
||||
})
|
||||
)
|
||||
);
|
||||
$api = new JSONAPI($access_control);
|
||||
expect($api->validatePermissions(null, $permissions))->false();
|
||||
|
||||
$access_control->user_roles = $access_control->permissions[AccessControl::PERMISSION_MANAGE_SETTINGS];
|
||||
$access_control = Stub::make(
|
||||
new AccessControl(),
|
||||
array(
|
||||
'validatePermission' => Stub::once(function($cap) {
|
||||
expect($cap)->equals(AccessControl::PERMISSION_MANAGE_SETTINGS);
|
||||
return true;
|
||||
})
|
||||
)
|
||||
);
|
||||
$api = new JSONAPI($access_control);
|
||||
expect($api->validatePermissions(null, $permissions))->true();
|
||||
}
|
||||
|
||||
function testItValidatesEndpointMethodPermission() {
|
||||
$access_control = new AccessControl();
|
||||
$permissions = array(
|
||||
'global' => null,
|
||||
'methods' => array(
|
||||
@ -212,11 +227,27 @@ class APITest extends \MailPoetTest {
|
||||
)
|
||||
);
|
||||
|
||||
$access_control->user_roles = array();
|
||||
$access_control = Stub::make(
|
||||
new AccessControl(),
|
||||
array(
|
||||
'validatePermission' => Stub::once(function($cap) {
|
||||
expect($cap)->equals(AccessControl::PERMISSION_MANAGE_SETTINGS);
|
||||
return false;
|
||||
})
|
||||
)
|
||||
);
|
||||
$api = new JSONAPI($access_control);
|
||||
expect($api->validatePermissions('test', $permissions))->false();
|
||||
|
||||
$access_control->user_roles = $access_control->permissions[AccessControl::PERMISSION_MANAGE_SETTINGS];
|
||||
$access_control = Stub::make(
|
||||
new AccessControl(),
|
||||
array(
|
||||
'validatePermission' => Stub::once(function($cap) {
|
||||
expect($cap)->equals(AccessControl::PERMISSION_MANAGE_SETTINGS);
|
||||
return true;
|
||||
})
|
||||
)
|
||||
);
|
||||
$api = new JSONAPI($access_control);
|
||||
expect($api->validatePermissions('test', $permissions))->true();
|
||||
}
|
||||
|
||||
@ -2,6 +2,9 @@
|
||||
|
||||
namespace MailPoet\Test\Config;
|
||||
|
||||
use AspectMock\Test as Mock;
|
||||
use Codeception\Util\Stub;
|
||||
use Helper\WordPress as WPHelper;
|
||||
use Helper\WordPressHooks as WPHooksHelper;
|
||||
use MailPoet\Config\AccessControl;
|
||||
use MailPoet\WP\Hooks;
|
||||
@ -103,7 +106,18 @@ class AccessControlTest extends \MailPoetTest {
|
||||
expect(count($permissions))->equals(count($labels));
|
||||
}
|
||||
|
||||
function testItValidatesIfUserHasCapability() {
|
||||
$capability = 'some_capability';
|
||||
$access_control = new AccessControl();
|
||||
|
||||
$func = Mock::func('MailPoet\Config', 'current_user_can', true);
|
||||
|
||||
expect($access_control->validatePermission($capability))->true();
|
||||
$func->verifyInvoked([$capability]);
|
||||
}
|
||||
|
||||
function _after() {
|
||||
WPHooksHelper::releaseAllHooks();
|
||||
Mock::clean();
|
||||
WPHelper::releaseAllFunctions();
|
||||
}
|
||||
}
|
||||
@ -95,23 +95,37 @@ class RouterTest extends \MailPoetTest {
|
||||
}
|
||||
|
||||
function testItValidatesGlobalPermission() {
|
||||
$access_control = new AccessControl();
|
||||
$router = $this->router;
|
||||
|
||||
$permissions = array(
|
||||
'global' => AccessControl::PERMISSION_MANAGE_SETTINGS,
|
||||
);
|
||||
$access_control->user_roles = array();
|
||||
$access_control = Stub::make(
|
||||
new AccessControl(),
|
||||
array(
|
||||
'validatePermission' => Stub::once(function($cap) {
|
||||
expect($cap)->equals(AccessControl::PERMISSION_MANAGE_SETTINGS);
|
||||
return false;
|
||||
})
|
||||
)
|
||||
);
|
||||
$router->access_control = $access_control;
|
||||
expect($router->validatePermissions(null, $permissions))->false();
|
||||
|
||||
$access_control->user_roles = $access_control->permissions[AccessControl::PERMISSION_MANAGE_SETTINGS];
|
||||
$access_control = Stub::make(
|
||||
new AccessControl(),
|
||||
array(
|
||||
'validatePermission' => Stub::once(function($cap) {
|
||||
expect($cap)->equals(AccessControl::PERMISSION_MANAGE_SETTINGS);
|
||||
return true;
|
||||
})
|
||||
)
|
||||
);
|
||||
$router->access_control = $access_control;
|
||||
expect($router->validatePermissions(null, $permissions))->true();
|
||||
}
|
||||
|
||||
function testItValidatesEndpointActionPermission() {
|
||||
$access_control = new AccessControl();
|
||||
$router = $this->router;
|
||||
|
||||
$permissions = array(
|
||||
@ -121,11 +135,27 @@ class RouterTest extends \MailPoetTest {
|
||||
)
|
||||
);
|
||||
|
||||
$access_control->user_roles = array();
|
||||
$access_control = Stub::make(
|
||||
new AccessControl(),
|
||||
array(
|
||||
'validatePermission' => Stub::once(function($cap) {
|
||||
expect($cap)->equals(AccessControl::PERMISSION_MANAGE_SETTINGS);
|
||||
return false;
|
||||
})
|
||||
)
|
||||
);
|
||||
$router->access_control = $access_control;
|
||||
expect($router->validatePermissions('test', $permissions))->false();
|
||||
|
||||
$access_control->user_roles = $access_control->permissions[AccessControl::PERMISSION_MANAGE_SETTINGS];
|
||||
$access_control = Stub::make(
|
||||
new AccessControl(),
|
||||
array(
|
||||
'validatePermission' => Stub::once(function($cap) {
|
||||
expect($cap)->equals(AccessControl::PERMISSION_MANAGE_SETTINGS);
|
||||
return true;
|
||||
})
|
||||
)
|
||||
);
|
||||
$router->access_control = $access_control;
|
||||
expect($router->validatePermissions('test', $permissions))->true();
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user