Merge pull request #278 from costdev/add_capability_checks

Author: namithj

includes/class-admin-settings.php

@@ -84,7 +84,9 @@ private function get_default_settings() {
 	 * @return void
 	 */
 	public function reset_settings() {
+		$capability = is_multisite() ? 'manage_network_options' : 'manage_options';
 		if (
+			current_user_can( $capability ) &&
 			isset( $_GET['reset'] ) &&
 			( 'reset' === $_GET['reset'] ) &&
 			isset( $_GET['reset-nonce'] ) &&
@@ -123,6 +125,11 @@ public function delete_all_settings() {
 	 * @return void
 	 */
 	public function admin_notices() {
+		$capability = is_multisite() ? 'manage_network_options' : 'manage_options';
+		if ( ! current_user_can( $capability ) ) {
+			return;
+		}
+
 		/**
 		 * The Admin Notice to convey a Reset Operation has happened.
 		 */
@@ -259,7 +266,12 @@ private function get_settings_from_config_file() {
 	 */
 	public function update_settings() {
 		// Exit if improper privileges.
-		if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['_wpnonce'] ) ), 'aspireupdate-settings' ) ) {
+		$capability = is_multisite() ? 'manage_network_options' : 'manage_options';
+		if (
+			! current_user_can( $capability ) ||
+			! isset( $_POST['_wpnonce'] ) ||
+			! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['_wpnonce'] ) ), 'aspireupdate-settings' )
+		) {
 			return;
 		}
 

includes/class-controller.php

@@ -60,7 +60,12 @@ private function api_rewrite() {
 	 * @return void
 	 */
 	public function clear_log() {
-		if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_key( $_POST['nonce'] ), 'aspireupdate-ajax' ) ) {
+		$capability = is_multisite() ? 'manage_network_options' : 'manage_options';
+		if (
+			! current_user_can( $capability ) ||
+			! isset( $_POST['nonce'] ) ||
+			! wp_verify_nonce( sanitize_key( $_POST['nonce'] ), 'aspireupdate-ajax' )
+		) {
 			wp_send_json_error(
 				[
 					'message' => __( 'Error: You are not authorized to access this resource.', 'aspireupdate' ),
@@ -92,7 +97,12 @@ public function clear_log() {
 	 * @return void
 	 */
 	public function read_log() {
-		if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_key( $_POST['nonce'] ), 'aspireupdate-ajax' ) ) {
+		$capability = is_multisite() ? 'manage_network_options' : 'manage_options';
+		if (
+			! current_user_can( $capability ) ||
+			! isset( $_POST['nonce'] ) ||
+			! wp_verify_nonce( sanitize_key( $_POST['nonce'] ), 'aspireupdate-ajax' )
+		) {
 			wp_send_json_error(
 				[
 					'message' => __( 'Error: You are not authorized to access this resource.', 'aspireupdate' ),

tests/phpunit/includes/AdminSettings_UnitTestCase.php

@@ -5,6 +5,20 @@
  * All \AspireUpdate\Admin_Settings unit tests should inherit from this class.
  */
 abstract class AdminSettings_UnitTestCase extends WP_UnitTestCase {
+	/**
+	 * The user ID of an administrator.
+	 *
+	 * @var int
+	 */
+	protected static $admin_id;
+
+	/**
+	 * The user ID of an editor.
+	 *
+	 * @var int
+	 */
+	protected static $editor_id;
+
 	/**
 	 * The Name of the Option.
 	 *
@@ -20,13 +34,26 @@ abstract class AdminSettings_UnitTestCase extends WP_UnitTestCase {
 	protected static $options_page = 'aspireupdate-settings';
 
 	/**
-	 * Deletes settings before each test runs.
+	 * Creates administrator and editor users before any tests run.
+	 *
+	 * @return void
+	 */
+	public static function set_up_before_class() {
+		parent::set_up_before_class();
+
+		self::$admin_id  = self::factory()->user->create( [ 'role' => 'administrator' ] );
+		self::$editor_id = self::factory()->user->create( [ 'role' => 'editor' ] );
+	}
+
+	/**
+	 * Deletes settings and sets the current user before each test runs.
 	 *
 	 * @return void
 	 */
 	public function set_up() {
 		parent::set_up();
 
 		delete_site_option( self::$option_name );
+		wp_set_current_user( self::$admin_id );
 	}
 }

tests/phpunit/tests/AdminSettings/AdminSettings_AdminNoticesTest.php

@@ -11,6 +11,29 @@
  * @covers \AspireUpdate\Admin_Settings::admin_notices
  */
 class AdminSettings_AdminNoticesTest extends AdminSettings_UnitTestCase {
+	/**
+	 * Test that the reset notice is not output when the user does not have the required capability.
+	 */
+	public function test_should_not_output_reset_notice_when_the_user_does_not_have_the_required_capability() {
+		wp_set_current_user( self::$editor_id );
+
+		$this->assertFalse(
+			current_user_can( is_multisite() ? 'manage_network_options' : 'manage_options' ),
+			'The user has the required capability.'
+		);
+
+		update_site_option( 'aspireupdate-reset', 'true' );
+		$_GET['reset-success']       = 'success';
+		$_GET['reset-success-nonce'] = wp_create_nonce( 'aspireupdate-reset-success-nonce' );
+
+		$admin_settings = new \AspireUpdate\Admin_Settings();
+		$actual         = get_echo( [ $admin_settings, 'admin_notices' ] );
+
+		unset( $_GET['reset-success'], $_GET['reset-success-nonce'] );
+
+		$this->assertEmpty( $actual );
+	}
+
 	/**
 	 * Test that the reset notice is not output when the 'aspireupdate-reset' option is not set to (string) "true".
 	 */
@@ -104,6 +127,10 @@ public function test_should_output_reset_notice() {
 		$_GET['reset-success']       = 'success';
 		$_GET['reset-success-nonce'] = wp_create_nonce( 'aspireupdate-reset-success-nonce' );
 
+		if ( is_multisite() ) {
+			grant_super_admin( wp_get_current_user()->ID );
+		}
+
 		$admin_settings = new \AspireUpdate\Admin_Settings();
 		$actual         = get_echo( [ $admin_settings, 'admin_notices' ] );
 
@@ -123,6 +150,10 @@ public function test_should_delete_aspireupdatereset_option_after_output() {
 		$_GET['reset-success']       = 'success';
 		$_GET['reset-success-nonce'] = wp_create_nonce( 'aspireupdate-reset-success-nonce' );
 
+		if ( is_multisite() ) {
+			grant_super_admin( wp_get_current_user()->ID );
+		}
+
 		$admin_settings = new \AspireUpdate\Admin_Settings();
 		get_echo( [ $admin_settings, 'admin_notices' ] );
 
@@ -163,6 +194,10 @@ public function test_should_not_output_saved_notice_when_nonce_verification_fail
 	public function test_should_output_saved_notice() {
 		$_GET['settings-updated-wpnonce'] = wp_create_nonce( 'aspireupdate-settings-updated-nonce' );
 
+		if ( is_multisite() ) {
+			grant_super_admin( wp_get_current_user()->ID );
+		}
+
 		$admin_settings = new \AspireUpdate\Admin_Settings();
 		$actual         = get_echo( [ $admin_settings, 'admin_notices' ] );
 

tests/phpunit/tests/AdminSettings/AdminSettings_RegisterAdminMenuTest.php

@@ -17,21 +17,6 @@
  * @covers \AspireUpdate\Admin_Settings::register_admin_menu
  */
 class AdminSettings_RegisterAdminMenuTest extends AdminSettings_UnitTestCase {
-	/**
-	 * The user ID of an administrator.
-	 *
-	 * @var int
-	 */
-	private static $admin_id;
-
-	/**
-	 * Create an administrator before any tests run.
-	 *
-	 * @return void
-	 */
-	public static function set_up_before_class() {
-		self::$admin_id = self::factory()->user->create( [ 'role' => 'administrator' ] );
-	}
 
 	/**
 	 * Test that menu is not registered when AP_REMOVE_UI is enabled.
@@ -41,7 +26,6 @@ public function test_should_not_register_menu_when_ap_remove_ui_is_enabled() {
 		$original_submenu = $submenu;
 
 		define( 'AP_REMOVE_UI', true );
-		wp_set_current_user( self::$admin_id );
 
 		$admin_settings = new \AspireUpdate\Admin_Settings();
 		$admin_settings->register_admin_menu();
@@ -57,6 +41,7 @@ public function test_should_not_register_menu_when_user_lacks_appropriate_permis
 		$original_submenu = $submenu;
 
 		define( 'AP_REMOVE_UI', false );
+		wp_set_current_user( self::$editor_id );
 
 		$admin_settings = new \AspireUpdate\Admin_Settings();
 		$admin_settings->register_admin_menu();
@@ -71,7 +56,6 @@ public function test_should_register_menu_when_ap_remove_ui_is_disabled() {
 		global $submenu;
 
 		define( 'AP_REMOVE_UI', false );
-		wp_set_current_user( self::$admin_id );
 		grant_super_admin( self::$admin_id );
 
 		$admin_settings = new \AspireUpdate\Admin_Settings();

tests/phpunit/tests/AdminSettings/AdminSettings_ResetSettingsTest.php

@@ -11,6 +11,28 @@
  * @covers \AspireUpdate\Admin_Settings::reset_settings
  */
 class AdminSettings_ResetSettingsTest extends AdminSettings_UnitTestCase {
+	/**
+	 * Test that settings are not reset when the user does not have the required capability.
+	 *
+	 * @runInSeparateProcess
+	 * @preserveGlobalState disabled
+	 */
+	public function test_should_not_reset_settings_when_the_user_does_not_have_the_required_capability() {
+		wp_set_current_user( self::$editor_id );
+		$_GET['reset']       = 'reset';
+		$_GET['reset-nonce'] = wp_create_nonce( 'aspireupdate-reset-nonce' );
+
+		$settings = [ 'api_host' => 'the.option.value' ];
+		update_site_option( self::$option_name, $settings );
+
+		$admin_settings = new \AspireUpdate\Admin_Settings();
+		$admin_settings->reset_settings();
+
+		unset( $_GET['reset'], $_GET['reset-nonce'] );
+
+		$this->assertSame( $settings, get_site_option( self::$option_name ) );
+	}
+
 	/**
 	 * Test that settings are not reset when $_GET['reset'] is not set.
 	 */
@@ -146,6 +168,10 @@ public function test_should_reset_settings_when_reset_requirements_are_met() {
 		$_GET['reset']       = 'reset';
 		$_GET['reset-nonce'] = wp_create_nonce( 'aspireupdate-reset-nonce' );
 
+		if ( is_multisite() ) {
+			grant_super_admin( wp_get_current_user()->ID );
+		}
+
 		$settings = [ 'api_host' => 'the.option.value' ];
 		update_site_option( self::$option_name, $settings );
 
@@ -167,6 +193,10 @@ public function test_should_redirect_when_reset_requirements_are_met() {
 		$_GET['reset']       = 'reset';
 		$_GET['reset-nonce'] = wp_create_nonce( 'aspireupdate-reset-nonce' );
 
+		if ( is_multisite() ) {
+			grant_super_admin( wp_get_current_user()->ID );
+		}
+
 		$settings = [ 'api_host' => 'the.option.value' ];
 		update_site_option( self::$option_name, $settings );
 

tests/phpunit/tests/AdminSettings/AdminSettings_UpdateSettingsTest.php

@@ -11,6 +11,29 @@
  * @covers \AspireUpdate\Admin_Settings::update_settings
  */
 class AdminSettings_UpdateSettingsTest extends AdminSettings_UnitTestCase {
+	/**
+	 * Test that settings are not updated when the user does not have the required capability.
+	 *
+	 * @runInSeparateProcess
+	 * @preserveGlobalState disabled
+	 */
+	public function test_should_not_update_settings_when_the_user_does_not_have_the_required_capability() {
+		wp_set_current_user( self::$editor_id );
+		$_POST['_wpnonce']              = wp_create_nonce( self::$options_page );
+		$_POST['option_page']           = self::$option_name;
+		$_POST['aspireupdate_settings'] = [ 'api_host' => 'the.option.value' ];
+
+		$settings = get_site_option( self::$option_name, false );
+
+		$admin_settings = new AspireUpdate\Admin_Settings();
+		$admin_settings->update_settings();
+
+		$this->assertSame(
+			$settings,
+			get_site_option( self::$option_name, false )
+		);
+	}
+
 	/**
 	 * Test that settings are not updated when $_POST['_wpnonce'] is not set.
 	 */
@@ -202,6 +225,10 @@ public function test_should_update_settings_when_update_requirements_are_met() {
 		$_POST['option_page']           = self::$option_name;
 		$_POST['aspireupdate_settings'] = [ 'api_host' => 'the.option.value' ];
 
+		if ( is_multisite() ) {
+			grant_super_admin( wp_get_current_user()->ID );
+		}
+
 		delete_site_option( self::$option_name );
 
 		$admin_settings = new AspireUpdate\Admin_Settings();
@@ -238,6 +265,10 @@ public function test_should_redirect_when_update_requirements_are_met() {
 		$_POST['option_page']           = self::$option_name;
 		$_POST['aspireupdate_settings'] = [ 'api_host' => 'the.option.value' ];
 
+		if ( is_multisite() ) {
+			grant_super_admin( wp_get_current_user()->ID );
+		}
+
 		$redirect = new MockAction();
 		add_filter( 'wp_redirect', [ $redirect, 'filter' ] );