Addressing CR suggestions

buddypress · May 30, 2024 · 3113a42 · 3113a42
1 parent db53a28
commit 3113a42
Show file tree

Hide file tree

Showing 2 changed files with 516 additions and 94 deletions.
diff --git a/includes/bp-groups/classes/class-bp-rest-group-membership-endpoint.php b/includes/bp-groups/classes/class-bp-rest-group-membership-endpoint.php
@@ -372,6 +372,15 @@ public function update_item( $request ) {
 
 		$bp_loggedin_user_id = bp_loggedin_user_id();
 
+		// Check if the user is a member of the group.
+		if ( 'unban' !== $action && ! groups_is_user_member( $user->ID, $group_id ) ) {
+			return new WP_Error(
+				'bp_rest_group_member_not_member',
+				__( 'Sorry, you are not allowed to perform this action.', 'buddypress' ),
+				array( 'status' => 500 )
+			);
+		}
+
 		if ( 'promote' === $action ) {
 			if ( ! groups_promote_member( $user->ID, $group_id, $role, $bp_loggedin_user_id ) ) {
 				return new WP_Error(
@@ -443,9 +452,13 @@ public function update_item_permissions_check( $request ) {
 		$error = new WP_Error(
 			'bp_rest_authorization_required',
 			__( 'Sorry, you are not allowed to perform this action.', 'buddypress' ),
-			array(
-				'status' => rest_authorization_required_code(),
-			)
+			array( 'status' => rest_authorization_required_code() )
+		);
+
+		$admin_error = new WP_Error(
+			'bp_rest_authorization_required',
+			__( 'Group needs 1 admin at least. Please promote a user before trying to remove this group admin.', 'buddypress' ),
+			array( 'status' => rest_authorization_required_code() )
 		);
 
 		$retval = $error;
@@ -461,9 +474,7 @@ public function update_item_permissions_check( $request ) {
 				$retval = new WP_Error(
 					'bp_rest_group_member_invalid_id',
 					__( 'Invalid group member ID.', 'buddypress' ),
-					array(
-						'status' => 404,
-					)
+					array( 'status' => 404 )
 				);
 			} else {
 				$group = $this->groups_endpoint->get_group_object( $request->get_param( 'group_id' ) );
@@ -474,14 +485,14 @@ public function update_item_permissions_check( $request ) {
 						__( 'Invalid group ID.', 'buddypress' ),
 						array( 'status' => 404 )
 					);
-				} elseif ( bp_current_user_can( 'bp_moderate' ) ) {
-					if ( 'demote' === $action ) {
+				} elseif ( bp_current_user_can( 'bp_moderate' ) && $loggedin_user_id !== $user->ID ) {
+					if ( 'demote' === $action && groups_is_user_admin( $user->ID, $group->id ) ) {
 						$group_admins = groups_get_group_admins( $group->id );
 
 						if ( 1 !== count( $group_admins ) ) {
 							$retval = true;
 						} else {
-							$retval = $error;
+							$retval = $admin_error;
 						}
 					} else {
 						$retval = true;
@@ -525,34 +536,33 @@ public function update_item_permissions_check( $request ) {
 	 * @return WP_REST_Response|WP_Error
 	 */
 	public function delete_item( $request ) {
-		// Setting context.
-		$request->set_param( 'context', 'edit' );
+		$group_id = $request->get_param( 'group_id' );
+		$user_id  = $request->get_param( 'user_id' );
 
 		// Get the Group member before it's removed.
-		$member   = new BP_Groups_Member( $request->get_param( 'user_id' ), $request->get_param( 'group_id' ) );
-		$previous = $this->prepare_item_for_response( $member, $request );
+		$member = new BP_Groups_Member( $user_id, $group_id );
 
 		if ( ! $member->remove() ) {
 			return new WP_Error(
 				'bp_rest_group_member_failed_to_remove',
 				__( 'Could not remove member from this group.', 'buddypress' ),
-				array(
-					'status' => 500,
-				)
+				array( 'status' => 500 )
 			);
 		}
 
+		$previous_member = $this->prepare_item_for_response( $member, $request );
+
 		// Build the response.
 		$response = new WP_REST_Response();
 		$response->set_data(
 			array(
 				'removed'  => true,
-				'previous' => $previous->get_data(),
+				'previous' => $previous_member->get_data(),
 			)
 		);
 
-		$user  = bp_rest_get_user( $request->get_param( 'user_id' ) );
-		$group = $this->groups_endpoint->get_group_object( $request->get_param( 'group_id' ) );
+		$user  = bp_rest_get_user( $user_id );
+		$group = $this->groups_endpoint->get_group_object( $group_id );
 
 		/**
 		 * Fires after a group member is deleted via the REST API.
@@ -579,22 +589,27 @@ public function delete_item( $request ) {
 	 * @return true|WP_Error
 	 */
 	public function delete_item_permissions_check( $request ) {
-		$error  = new WP_Error(
+		$authorization_code = rest_authorization_required_code();
+
+		$error = new WP_Error(
 			'bp_rest_authorization_required',
 			__( 'Sorry, you are not allowed to perform this action.', 'buddypress' ),
-			array(
-				'status' => rest_authorization_required_code(),
-			)
+			array( 'status' => $authorization_code )
 		);
+
+		$admin_error = new WP_Error(
+			'bp_rest_authorization_required',
+			__( 'Group needs 1 admin at least. Please promote a user before trying to remove this group admin.', 'buddypress' ),
+			array( 'status' => $authorization_code )
+		);
+
 		$retval = $error;
 
 		if ( ! is_user_logged_in() ) {
 			$retval = new WP_Error(
 				'bp_rest_authorization_required',
 				__( 'Sorry, you need to be logged in to view a group membership.', 'buddypress' ),
-				array(
-					'status' => rest_authorization_required_code(),
-				)
+				array( 'status' => $authorization_code )
 			);
 		} else {
 			$user             = bp_rest_get_user( $request->get_param( 'user_id' ) );
@@ -604,9 +619,7 @@ public function delete_item_permissions_check( $request ) {
 				return new WP_Error(
 					'bp_rest_group_member_invalid_id',
 					__( 'Invalid group member ID.', 'buddypress' ),
-					array(
-						'status' => 404,
-					)
+					array( 'status' => 404 )
 				);
 			} else {
 				$group = $this->groups_endpoint->get_group_object( $request->get_param( 'group_id' ) );
@@ -615,21 +628,28 @@ public function delete_item_permissions_check( $request ) {
 					$retval = new WP_Error(
 						'bp_rest_group_invalid_id',
 						__( 'Invalid group ID.', 'buddypress' ),
-						array(
-							'status' => 404,
-						)
+						array( 'status' => 404 )
 					);
-				} elseif ( bp_current_user_can( 'bp_moderate' ) || ( $user->ID !== $loggedin_user_id && groups_is_user_admin( $loggedin_user_id, $group->id ) ) ) {
-					$retval = true;
+				} elseif ( bp_current_user_can( 'bp_moderate' ) || ( groups_is_user_admin( $loggedin_user_id, $group->id ) && $loggedin_user_id !== $user->ID ) ) {
+					if ( groups_is_user_admin( $user->ID, $group->id ) ) {
+						$group_admins = groups_get_group_admins( $group->id );
+
+						if ( 1 !== count( $group_admins ) ) {
+							$retval = true;
+						} else {
+							$retval = $admin_error;
+						}
+					} else {
+						$retval = true;
+					}
 				} elseif ( $user->ID === $loggedin_user_id && ! groups_is_user_banned( $user->ID, $group->id ) ) {
-					$group_admins = groups_get_group_admins( $group->id );
+					if ( groups_is_user_admin( $loggedin_user_id, $group->id ) ) {
+						$group_admins = groups_get_group_admins( $group->id );
 
-					// Special case for self-removal: don't allow if it'd leave a group with no admins.
-					if ( in_array( $loggedin_user_id, wp_list_pluck( $group_admins, 'user_id' ), true ) ) {
 						if ( 1 !== count( $group_admins ) ) {
 							$retval = true;
 						} else {
-							$retval = $error;
+							$retval = $admin_error;
 						}
 					} else {
 						$retval = true;