Check Custom HTML in form on save

[MAILPOET-3415]
Rostislav Wolny
2021-02-10 16:01:59 +01:00
committed by Veljko V
parent 08b5fae173
commit d00e667b96
2 changed files with 33 additions and 0 deletions


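--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -3,7 +3,9 @@
 namespace MailPoet\API\JSON\v1;
 use MailPoet\API\JSON\Endpoint as APIEndpoint;
+use MailPoet\API\JSON\Error;
 use MailPoet\API\JSON\Error as APIError;
+use MailPoet\API\JSON\Response;
 use MailPoet\API\JSON\ResponseBuilders\FormsResponseBuilder;
 use MailPoet\Config\AccessControl;
 use MailPoet\Entities\FormEntity;
@@ -228,6 +230,14 @@ class Forms extends APIEndpoint {
 $settings['segments_selected_by'] = 'admin';
 }
+// Check Custom HTML block permissions
+$customHtmlBlocks = $formEntity->getBlocksByType(FormEntity::HTML_BLOCK_TYPE);
+if (count($customHtmlBlocks) && !$this->wp->currentUserCan('administrator')) {
+return $this->errorResponse([
+Error::FORBIDDEN => __('Only administrator can edit forms containing Custom HTML block.', 'mailpoet'),
+], [], Response::STATUS_FORBIDDEN);
+}
 if ($body !== null) {
 $body = $this->emoji->sanitizeEmojisInFormBody($body);
 }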
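Review bot: The new guard at `if (count($customHtmlBlocks) && !$this->wp->currentUserCan('administrator'))` keys the decision on a role name rather than a capability; WordPress documents that passing a role to current_user_can() is not guaranteed to work, and the capability that actually governs who may store raw HTML is `unfiltered_html`, which multisite and DISALLOW_UNFILTERED_HTML also revoke from ordinary site administrators, whereas a role check would still let those users through. Assuming `$this->wp->currentUserCan()` forwards to current_user_can(), I would change the condition to `if ($customHtmlBlocks !== [] && !$this->wp->currentUserCan('unfiltered_html')) {`, which also replaces the truthiness check on count() with an explicit comparison. The comment above the check should say why it exists, e.g. `// A Custom HTML block is presumably output unescaped, so only users allowed to store unfiltered HTML may save a form containing one`. The enclosing method starts and ends outside the hunk, and I cannot tell from here whether other paths that persist a form body exist that would need the same check.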


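--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -115,6 +115,29 @@ class FormsTest extends \MailPoetTest {
 expect($response->data['settings']['segments_selected_by'])->equals('admin');
 }
+public function testItOnlyAdminCanSaveCustomHtml() {
+// Administrator
+wp_set_current_user(1);
+$response = $this->endpoint->create();
+expect($response->status)->equals(APIResponse::STATUS_OK);
+$form = $this->reloadForm((int)$response->data['id'])->asArray();
+$form['body'][] = [
+'type' => FormEntity::HTML_BLOCK_TYPE,
+'params' => [
+'content' => 'Hello',
+],
+] ;
+$response = $this->endpoint->saveEditor($form);
+expect($response->status)->equals(APIResponse::STATUS_OK);
+// Non Admin
+wp_set_current_user(0);
+$response = $this->endpoint->saveEditor($form);
+expect($response->status)->equals(APIResponse::STATUS_FORBIDDEN);
+codecept_debug($response);
+expect($response->errors[0]['message'])->startsWith('Only administrator can');
+}
 public function testItCanExtractListsFromListSelectionBlock() {
 $response = $this->endpoint->create();
 expect($response->status)->equals(APIResponse::STATUS_OK);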
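Review bot: The "Non Admin" case at `wp_set_current_user(0);` exercises a logged-out user rather than a logged-in non-administrator, so it would pass against almost any capability check and does not show that a user with a lesser role (editor, subscriber) is rejected; creating such a user and setting it as current would pin the boundary the endpoint is meant to enforce. The `codecept_debug($response);` line reads as leftover debugging output and should be removed, and `] ;` has a stray space before the semicolon. The test also exits with the current user set to 0; unless the fixture resets it, later tests in this class that depend on the admin user may be affected — I cannot see the setup or teardown from here.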