From d00e667b96c61291d1eb449e56fea80cc32d23fe Mon Sep 17 00:00:00 2001
From: Rostislav Wolny
Date: Wed, 10 Feb 2021 16:01:59 +0100
Subject: [PATCH] Check Custom HTML in form on save [MAILPOET-3415]

---
 lib/API/JSON/v1/Forms.php | 10 +++++++++
 tests/integration/API/JSON/v1/FormsTest.php | 23 +++++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/lib/API/JSON/v1/Forms.php b/lib/API/JSON/v1/Forms.php
index fec24d27a4..81e3e4d675 100644
--- a/lib/API/JSON/v1/Forms.php
+++ b/lib/API/JSON/v1/Forms.php
@@ -3,7 +3,9 @@
 namespace MailPoet\API\JSON\v1;
 use MailPoet\API\JSON\Endpoint as APIEndpoint;
+use MailPoet\API\JSON\Error;
 use MailPoet\API\JSON\Error as APIError;
+use MailPoet\API\JSON\Response;
 use MailPoet\API\JSON\ResponseBuilders\FormsResponseBuilder;
 use MailPoet\Config\AccessControl;
 use MailPoet\Entities\FormEntity;
@@ -228,6 +230,14 @@ class Forms extends APIEndpoint {
 $settings['segments_selected_by'] = 'admin';
 }
+ // Check Custom HTML block permissions
+ $customHtmlBlocks = $formEntity->getBlocksByType(FormEntity::HTML_BLOCK_TYPE);
+ if (count($customHtmlBlocks) && !$this->wp->currentUserCan('administrator')) {
+ return $this->errorResponse([
+ Error::FORBIDDEN => __('Only administrator can edit forms containing Custom HTML block.', 'mailpoet'),
+ ], [], Response::STATUS_FORBIDDEN);
+ }
+
 if ($body !== null) {
 $body = $this->emoji->sanitizeEmojisInFormBody($body);
 }
diff --git a/tests/integration/API/JSON/v1/FormsTest.php b/tests/integration/API/JSON/v1/FormsTest.php
index ea55ad9f91..6d91737063 100644
--- a/tests/integration/API/JSON/v1/FormsTest.php
+++ b/tests/integration/API/JSON/v1/FormsTest.php
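Review bot: The new guard on the `if (count($customHtmlBlocks) && !$this->wp->currentUserCan('administrator'))` line checks a role name, which WordPress documents as unreliable for `current_user_can()`; the capability that actually governs storing raw markup is `unfiltered_html`, and on multisite even administrators lack it by default, so the role check can admit users the platform itself would not let save arbitrary HTML. I'd change it to `if (count($customHtmlBlocks) > 0 && !$this->wp->currentUserCan('unfiltered_html')) {` and reword the error message to match. The guard only covers this save path; if any other endpoint persists a form body it would need the same check, which I cannot confirm from the hunk. The first hunk adds `use MailPoet\API\JSON\Error;` although the file already aliases that class as `APIError`, so `APIError::FORBIDDEN` would avoid the duplicate import. The enclosing method starts and ends outside the hunk.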
@@ -115,6 +115,29 @@ class FormsTest extends \MailPoetTest {
 expect($response->data['settings']['segments_selected_by'])->equals('admin');
 }
+ public function testItOnlyAdminCanSaveCustomHtml() {
+ // Administrator
+ wp_set_current_user(1);
+ $response = $this->endpoint->create();
+ expect($response->status)->equals(APIResponse::STATUS_OK);
+
+ $form = $this->reloadForm((int)$response->data['id'])->asArray();
+ $form['body'][] = [
+ 'type' => FormEntity::HTML_BLOCK_TYPE,
+ 'params' => [
+ 'content' => 'Hello',
+ ],
+ ] ;
+ $response = $this->endpoint->saveEditor($form);
+ expect($response->status)->equals(APIResponse::STATUS_OK);
+ // Non Admin
+ wp_set_current_user(0);
+ $response = $this->endpoint->saveEditor($form);
+ expect($response->status)->equals(APIResponse::STATUS_FORBIDDEN);
+ codecept_debug($response);
+ expect($response->errors[0]['message'])->startsWith('Only administrator can');
+ }
+
 public function testItCanExtractListsFromListSelectionBlock() {
 $response = $this->endpoint->create();
 expect($response->status)->equals(APIResponse::STATUS_OK);
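Review bot: The "Non Admin" half of `testItOnlyAdminCanSaveCustomHtml` calls `wp_set_current_user(0)`, which clears the current user rather than selecting a lower-privileged one, so the test only shows that an unauthenticated request is rejected and never exercises an authenticated non-administrator against the capability check. I'd create a user with a non-admin role (editor or subscriber) through whatever user factory the suite provides, switch to it for the second `saveEditor` call, and reload the form afterwards to assert the HTML block was not persisted. `codecept_debug($response);` looks like leftover debugging output and should be removed before merge. The stray space in `] ;` is a style nit worth fixing while there.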