Merge pull request #883 from Automattic/change_cap_for_get_coauthors_…

…search_results

Change permission callback for coauthors/v1/authors and coauthors/v1/search endpoint

co-authors-plus.php

@@ -909,7 +909,7 @@ function coauthors_update_post( $post_id, $post ) {
 			return;
 		}
 
-		if ( $this->current_user_can_set_authors( $post ) ) {
+		if ( $this->current_user_can_set_authors() ) {
 			// if current_user_can_set_authors and nonce valid
 			if ( isset( $_POST['coauthors-nonce'] ) && isset( $_POST['coauthors'] ) ) {
 				check_admin_referer( 'coauthors-edit', 'coauthors-nonce' );
@@ -1133,29 +1133,8 @@ function filter_count_user_posts( $count, $user_id ) {
 	/**
 	 * Checks to see if the current user can set co-authors or not
 	 */
-	function current_user_can_set_authors( $post = null ) {
-		global $typenow;
-
-		if ( ! $post ) {
-			$post = get_post();
-			if ( ! $post ) {
-				// if user is on pages, you need to grab post type another way
-				$current_screen = get_current_screen();
-				$post_type      = ( ! empty( $current_screen->post_type ) ) ? $current_screen->post_type : '';
-			} else {
-				$post_type = $post->post_type;
-			}
-		} else {
-			$post_type = $post->post_type;
-		}
-
-		// TODO: need to fix this; shouldn't just say no if don't have post_type
-		if ( ! $post_type ) {
-			return false;
-		}
-
-		$post_type_object = get_post_type_object( $post_type );
-		$current_user     = wp_get_current_user();
+	function current_user_can_set_authors() {
+		$current_user = wp_get_current_user();
 		if ( ! $current_user ) {
 			return false;
 		}
@@ -1164,6 +1143,7 @@ function current_user_can_set_authors( $post = null ) {
 			return true;
 		}
 
+		// Instead of using current_user_can(), we need to manually check the allcaps because of filter_user_has_cap
 		$can_set_authors = isset( $current_user->allcaps['edit_others_posts'] ) ? $current_user->allcaps['edit_others_posts'] : false;
 
 		return apply_filters( 'coauthors_plus_edit_authors', $can_set_authors );

php/class-coauthors-endpoint.php

@@ -59,7 +59,7 @@ public function add_endpoints() {
 				array(
 					'methods'             => 'GET',
 					'callback'            => array( $this, 'get_coauthors_search_results' ),
-					'permission_callback' => array( $this, 'can_edit_posts' ),
+					'permission_callback' => array( $this, 'can_edit_coauthors' ),
 					'args'                => array(
 						'q'                => array(
 							'description' => __( 'Text to search.' ),
@@ -83,7 +83,7 @@ public function add_endpoints() {
 				array(
 					'methods'             => 'GET',
 					'callback'            => array( $this, 'get_coauthors' ),
-					'permission_callback' => array( $this, 'can_edit_posts' ),
+					'permission_callback' => array( $this, 'can_edit_coauthors' ),
 					'args'                => array(
 						'post_id' => array(
 							'required'          => true,
@@ -188,29 +188,13 @@ public function validate_numeric( $param ) {
 		return is_numeric( $param );
 	}
 
-	/**
-	 * Limit read endpoints to users that can edit posts.
-	 *
-	 * @return bool
-	 */
-	public function can_edit_posts() {
-		return current_user_can( 'edit_posts' );
-	}
-
 	/**
 	 * Permissions for updating coauthors.
 	 *
-	 * @param WP_REST_Request $request Request object.
 	 * @return bool
 	 */
-	public function can_edit_coauthors( $request ) {
-		$post = get_post( $request->get_param( 'post_id' ) );
-
-		if ( ! $post instanceof WP_Post ) {
-			return false;
-		}
-
-		return $this->coauthors->current_user_can_set_authors( $post );
+	public function can_edit_coauthors() {
+		return $this->coauthors->current_user_can_set_authors();
 	}
 
 	/**

tests/test-coauthors-endpoint.php

@@ -34,6 +34,20 @@ public function setUp() {
 			)
 		);
 
+		$this->contributor1 = $this->factory->user->create_and_get(
+			array(
+				'role'       => 'contributor',
+				'user_login' => 'contributor1',
+			)
+		);
+
+		$this->subscriber1 = $this->factory->user->create_and_get(
+			array(
+				'role'       => 'subscriber',
+				'user_login' => 'subscriber1',
+			)
+		);
+
 		$this->coauthor1 = $coauthors_plus->guest_authors->create(
 			array(
 				'user_login'   => 'coauthor1',
@@ -259,6 +273,35 @@ public function test_can_edit_coauthors() {
 			)
 		);
 
+		$request = new WP_REST_Request(
+			'GET',
+			''
+		);
+
+		wp_set_current_user( $this->editor1->ID );
+
+		$this->assertTrue( $this->_api->can_edit_coauthors( $request ) );
+
+		wp_set_current_user( $this->author1->ID );
+
+		$this->assertFalse( $this->_api->can_edit_coauthors( $request ) );
+
+		wp_set_current_user( $this->contributor1->ID );
+
+		$this->assertFalse( $this->_api->can_edit_coauthors( $request ) );
+
+		wp_set_current_user( $this->subscriber1->ID );
+
+		$this->assertFalse( $this->_api->can_edit_coauthors( $request ) );
+	}
+
+	public function test_can_edit_coauthors__with_post_param() {
+		$post_id = $this->factory->post->create(
+			array(
+				'post_author' => $this->editor1->ID,
+			)
+		);
+
 		$request = new WP_REST_Request(
 			'GET',
 			''
@@ -276,6 +319,14 @@ public function test_can_edit_coauthors() {
 		wp_set_current_user( $this->author1->ID );
 
 		$this->assertFalse( $this->_api->can_edit_coauthors( $request ) );
+
+		wp_set_current_user( $this->contributor1->ID );
+
+		$this->assertFalse( $this->_api->can_edit_coauthors( $request ) );
+
+		wp_set_current_user( $this->subscriber1->ID );
+
+		$this->assertFalse( $this->_api->can_edit_coauthors( $request ) );
 	}
 
 	/**