
Only user with customize_publish cap can publish snapshot #74

Merged
merged 6 commits into from
Aug 22, 2016
40 changes: 24 additions & 16 deletions js/customize-snapshots.js
Expand Up @@ -19,7 +19,7 @@
editLink: '',
publishDate: '',
postStatus: '',
currentUserCanPublish: '',
currentUserCanPublish: true,
initialServerDate: '',
initialServerTimestamp: 0,
initialClientTimestamp: 0,
Expand Down Expand Up @@ -56,7 +56,9 @@

component.extendPreviewerQuery();
component.addButtons();
component.addSchedule();
if ( component.data.currentUserCanPublish ) {
component.addSchedule();
}

$( '#snapshot-save' ).on( 'click', function( event ) {
var scheduleDate;
Expand Down Expand Up @@ -209,21 +211,23 @@
snapshotButton.insertAfter( publishButton );

// Schedule button.
scheduleButton = wp.template( 'snapshot-schedule-button' );
scheduleButton = $( $.trim( scheduleButton( {} ) ) );
scheduleButton.insertAfter( snapshotButton );
if ( component.data.currentUserCanPublish ) {
scheduleButton = wp.template( 'snapshot-schedule-button' );
scheduleButton = $( $.trim( scheduleButton( {} ) ) );
scheduleButton.insertAfter( snapshotButton );

if ( ! component.data.editLink ) {
scheduleButton.hide();
}
if ( ! component.data.editLink ) {
scheduleButton.hide();
}

api.state( 'change', function() {
scheduleButton.toggle( api.state( 'snapshot-saved' ).get() && api.state( 'snapshot-exists' ).get() );
} );
api.state( 'change', function() {
scheduleButton.toggle( api.state( 'snapshot-saved' ).get() && api.state( 'snapshot-exists' ).get() );
} );

api.state( 'snapshot-exists' ).bind( function( exist ) {
scheduleButton.toggle( exist );
} );
api.state( 'snapshot-exists' ).bind( function( exist ) {
scheduleButton.toggle( exist );
} );
}

api.state( 'snapshot-saved' ).bind( function( saved ) {
snapshotButton.prop( 'disabled', saved );
Expand Down Expand Up @@ -281,7 +285,7 @@
submitButton = $( $.trim( submitButton( {
buttonText: component.data.i18n.submit
} ) ) );
submitButton.prop( 'disabled', true );
submitButton.prop( 'disabled', ! api.state( 'snapshot-exists' ).get() );
submitButton.insertBefore( snapshotButton );
api.state( 'snapshot-submitted' ).bind( function( submitted ) {
submitButton.prop( 'disabled', submitted );
Expand All @@ -303,6 +307,10 @@

component.scheduleContainerDisplayed = new api.Value();

if ( ! component.data.currentUserCanPublish ) {
return;
}

// Inject the UI.
if ( _.isEmpty( component.schedule.container ) ) {
if ( '0000-00-00 00:00:00' === component.data.publishDate ) {
Expand Down Expand Up @@ -425,7 +433,7 @@
sliceBegin = 0,
sliceEnd = -2;

if ( _.isEmpty( component.schedule.container ) ) {
if ( _.isEmpty( component.schedule.container ) || ! component.data.currentUserCanPublish ) {
return;
}

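Review bot: The new default `currentUserCanPublish: true` in the first hunk fails open: if the server-side localized data ever omits the flag, the schedule button and schedule UI are rendered for a user who may not hold the capability. The server now rejects `future` without `customize_publish`, so this is a UX inconsistency rather than an authorization hole, but a fail-closed default keeps the client in step with the server gate; change it to `currentUserCanPublish: false,`. The guard wrapped around `component.addSchedule()` in the second hunk and the early `return` added inside addSchedule in the fourth hunk gate on the same flag, so one of them is redundant and could be dropped. The object literal holding these defaults and each of the enclosing functions start and end outside the hunks.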
4 changes: 4 additions & 0 deletions php/class-customize-snapshot-manager.php
Expand Up @@ -1079,6 +1079,10 @@ public function handle_update_snapshot_request() {
status_header( 400 );
wp_send_json_error( 'bad_status' );
}
if ( 'future' === $status && ! current_user_can( 'customize_publish' ) ) {
status_header( 400 );
wp_send_json_error( 'customize_not_allowed' );
}
$publish_date = isset( $_POST['publish_date'] ) ? $_POST['publish_date'] : '';
if ( 'future' === $status ) {
$publish_date_obj = new \DateTime( $publish_date );
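Review bot: The new capability gate answers with `status_header( 400 )`, which reports an authorization failure as a malformed request; `status_header( 403 )` is the accurate code and lets server logs and monitoring tell denied publish attempts apart from bad input, which `bad_status` above already uses 400 for. The check rejects only `'future'`; if `'publish'` is among the statuses accepted by the validation above this hunk, it needs the same gate, since scheduling and publishing are the same privilege. The body of handle_update_snapshot_request starts and ends outside the hunk.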
3 changes: 3 additions & 0 deletions php/class-post-type.php
Expand Up @@ -585,6 +585,9 @@ public function filter_user_has_cap( $allcaps, $caps ) {
$allcaps[ $granted_cap ] = current_user_can( 'customize' );
}

if ( ! current_user_can( 'customize_publish' ) || empty( $allcaps['customize_publish'] ) ) {
$allcaps[ $post_type_obj->cap->publish_posts ] = false;
}
if ( ! current_user_can( 'edit_others_posts' ) ) {
$allcaps[ $post_type_obj->cap->edit_others_posts ] = false;
}
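Review bot: Inside a `user_has_cap` filter, `current_user_can( 'customize_publish' )` evaluates the logged-in user rather than the user whose `$allcaps` is being filtered, so the new check can answer for the wrong user when capabilities are evaluated for someone else via `user_can()`, and it re-enters this same filter. The existing `current_user_can( 'customize' )` line above follows the same pattern, so this may be deliberate, but the signature shown (`$allcaps, $caps`) does not receive the `$user` argument that would make the check user-specific; the `empty( $allcaps['customize_publish'] )` half is the user-specific part, and if `customize_publish` is granted as a real entry in `$allcaps` rather than only through meta-cap mapping, that half alone would suffice. At minimum a comment should record the intent, e.g. `// Server-side gate for scheduling/publishing snapshots; mirrors the currentUserCanPublish flag sent to the customizer JS.` The body of filter_user_has_cap starts and ends outside the hunk.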
61 changes: 61 additions & 0 deletions tests/php/test-class-ajax-customize-snapshot-manager.php
Expand Up @@ -430,6 +430,7 @@ function test_ajax_update_snapshot_schedule() {
$setting_key = 'anyonecanedit';
$tomorrow = date( 'Y-m-d H:i:s', time() + 86400 );
$this->set_current_user( 'administrator' );
$this->assertTrue( current_user_can( 'publish_customize_snapshots' ) );
$this->set_input_vars( array(
'action' => Customize_Snapshot_Manager::AJAX_ACTION,
'nonce' => wp_create_nonce( Customize_Snapshot_Manager::AJAX_ACTION ),
Expand Down Expand Up @@ -463,4 +464,64 @@ function test_ajax_update_snapshot_schedule() {
$this->assertSame( $expected_results, $response );
$this->assertEquals( 'future', get_post_status( $post_id ) );
}

/**
* Test updating a snapshot when the user does not have the customize_publish capability.
*
* @covers \CustomizeSnapshots\Customize_Snapshot_Manager::handle_update_snapshot_request()
*/
function test_ajax_update_snapshot_ok_for_draft_and_pending_but_not_future() {
unset( $GLOBALS['wp_customize'] );
remove_all_actions( 'wp_ajax_' . Customize_Snapshot_Manager::AJAX_ACTION );

$setting_key = 'anyonecanedit';
add_filter( 'user_has_cap', function( $allcaps, $caps, $args ) {
$allcaps['customize'] = true;
if ( ! empty( $allcaps['edit_posts'] ) && ! empty( $args ) && 'customize' === $args[0] ) {
$allcaps = array_merge( $allcaps, array_fill_keys( $caps, true ) );
}
return $allcaps;
}, 10, 3 );
$tomorrow = date( 'Y-m-d H:i:s', time() + 86400 );
$this->set_current_user( 'contributor' );
$this->assertFalse( current_user_can( 'publish_customize_snapshots' ) );
$post_vars = array(
'action' => Customize_Snapshot_Manager::AJAX_ACTION,
'nonce' => wp_create_nonce( Customize_Snapshot_Manager::AJAX_ACTION ),
'customize_snapshot_uuid' => self::UUID,
'customized' => wp_json_encode( array( $setting_key => 'Hello' ) ),
'publish_date' => $tomorrow, // Tomorrow.
);

$this->plugin = new Plugin();
$this->plugin->init();
$this->add_setting();

// Draft pass.
$post_vars['status'] = 'draft';
$this->set_input_vars( $post_vars );
$this->make_ajax_call( Customize_Snapshot_Manager::AJAX_ACTION );
$response = json_decode( $this->_last_response, true );
$this->_last_response = '';
$this->assertTrue( $response['success'] );

// Pending pass.
$post_vars['status'] = 'pending';
$this->set_input_vars( $post_vars );
$this->make_ajax_call( Customize_Snapshot_Manager::AJAX_ACTION );
$response = json_decode( $this->_last_response, true );
$this->_last_response = '';
$this->assertTrue( $response['success'] );

// Future fail.
$post_vars['status'] = 'future';
$this->set_input_vars( $post_vars );
$this->make_ajax_call( Customize_Snapshot_Manager::AJAX_ACTION );
$response = json_decode( $this->_last_response, true );
$expected_results = array(
'success' => false,
'data' => 'customize_not_allowed',
);
$this->assertSame( $expected_results, $response );
}
}
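Review bot: The `// Future fail.` case asserts only the error response and never checks the snapshot post's status afterwards, so a regression that scheduled the post and then still replied `customize_not_allowed` would pass. The existing test above verifies `get_post_status( $post_id )` after the call; this test should do the same, asserting the status is not `'future'` after the denied call (and is `'draft'` / `'pending'` after the two successful passes), obtaining the post id the way that test does, which is outside this hunk. The `user_has_cap` closure registered with `add_filter` is never removed; if the base test case does not restore hooks between tests it will leak the relaxed capability grant into later tests. The class enclosing the new method opens outside the hunk.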