[Sidebars endpoint] Add permissions PHPUnit tests

phpunit/bootstrap.php

@@ -70,8 +70,15 @@ function fail_if_died( $message ) {
 }
 tests_add_filter( 'wp_die_handler', 'fail_if_died' );
 
+$GLOBALS['wp_tests_options'] = array(
+	'gutenberg-experiments' => array(
+		'gutenberg-widget-experiments' => '1',
+	),
+);
+
 // Start up the WP testing environment.
 require $_tests_dir . '/includes/bootstrap.php';
 
 // Use existing behavior for wp_die during actual test execution.
 remove_filter( 'wp_die_handler', 'fail_if_died' );
+

phpunit/class-rest-sidebars-controller-test.php

@@ -35,22 +35,12 @@ class REST_Sidebars_Controller_Test extends WP_Test_REST_Controller_Testcase {
 	/**
 	 * @var int
 	 */
-	protected static $per_page = 50;
+	protected static $author_id;
 
 	/**
-	 * REST_Sidebars_Controller_Test constructor.
+	 * @var int
 	 */
-	public function __construct() {
-		parent::__construct();
-		require_once dirname( __FILE__ ) . '/../lib/class-wp-rest-sidebars-controller.php';
-		add_filter(
-			'rest_api_init',
-			function () {
-				$sidebars = new WP_REST_Sidebars_Controller();
-				$sidebars->register_routes();
-			}
-		);
-	}
+	protected static $per_page = 50;
 
 	/**
 	 * Create fake data before our tests run.
@@ -68,6 +58,11 @@ public static function wpSetUpBeforeClass( $factory ) {
 				'role' => 'editor',
 			)
 		);
+		self::$author_id     = $factory->user->create(
+			array(
+				'role' => 'author',
+			)
+		);
 		self::$subscriber_id = $factory->user->create(
 			array(
 				'role' => 'subscriber',
@@ -152,6 +147,36 @@ public function test_get_items() {
 		$this->assertEquals( array(), $data );
 	}
 
+	/**
+	 *
+	 */
+	public function test_get_items_no_permission() {
+		wp_set_current_user( 0 );
+		$request  = new WP_REST_Request( 'GET', '/__experimental/sidebars' );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertErrorResponse( 'widgets_cannot_access', $response, 401 );
+	}
+
+	/**
+	 *
+	 */
+	public function test_get_items_wrong_permission_author() {
+		wp_set_current_user( self::$author_id );
+		$request  = new WP_REST_Request( 'GET', '/__experimental/sidebars' );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertErrorResponse( 'widgets_cannot_access', $response, 403 );
+	}
+
+	/**
+	 *
+	 */
+	public function test_get_items_wrong_permission_subscriber() {
+		wp_set_current_user( self::$subscriber_id );
+		$request  = new WP_REST_Request( 'GET', '/__experimental/sidebars' );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertErrorResponse( 'widgets_cannot_access', $response, 403 );
+	}
+
 	/**
 	 *
 	 */
@@ -274,6 +299,57 @@ public function test_get_item() {
 		);
 	}
 
+	/**
+	 *
+	 */
+	public function test_get_item_no_permission() {
+		wp_set_current_user( 0 );
+		$this->setup_sidebar(
+			'sidebar-1',
+			array(
+				'name' => 'Test sidebar',
+			)
+		);
+
+		$request  = new WP_REST_Request( 'GET', '/__experimental/sidebars/sidebar-1' );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertErrorResponse( 'widgets_cannot_access', $response, 401 );
+	}
+
+	/**
+	 *
+	 */
+	public function test_get_item_wrong_permission_author() {
+		wp_set_current_user( self::$author_id );
+		$this->setup_sidebar(
+			'sidebar-1',
+			array(
+				'name' => 'Test sidebar',
+			)
+		);
+
+		$request  = new WP_REST_Request( 'GET', '/__experimental/sidebars/sidebar-1' );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertErrorResponse( 'widgets_cannot_access', $response, 403 );
+	}
+
+	/**
+	 *
+	 */
+	public function test_get_item_wrong_permission_subscriber() {
+		wp_set_current_user( self::$subscriber_id );
+		$this->setup_sidebar(
+			'sidebar-1',
+			array(
+				'name' => 'Test sidebar',
+			)
+		);
+
+		$request  = new WP_REST_Request( 'GET', '/__experimental/sidebars/sidebar-1' );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertErrorResponse( 'widgets_cannot_access', $response, 403 );
+	}
+
 	/**
 	 * The test_update_item() method does not exist for sidebar.
 	 */
@@ -378,6 +454,54 @@ public function test_update_item() {
 		);
 	}
 
+	/**
+	 *
+	 */
+	public function test_update_item_no_permission() {
+		wp_set_current_user( 0 );
+
+		$request = new WP_REST_Request( 'POST', '/__experimental/sidebars/sidebar-1' );
+		$request->set_body_params(
+			array(
+				'widgets' => array(),
+			)
+		);
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertErrorResponse( 'widgets_cannot_access', $response, 401 );
+	}
+
+	/**
+	 *
+	 */
+	public function test_update_item_wrong_permission_author() {
+		wp_set_current_user( self::$author_id );
+
+		$request = new WP_REST_Request( 'POST', '/__experimental/sidebars/sidebar-1' );
+		$request->set_body_params(
+			array(
+				'widgets' => array(),
+			)
+		);
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertErrorResponse( 'widgets_cannot_access', $response, 403 );
+	}
+
+	/**
+	 *
+	 */
+	public function test_update_item_wrong_permission_subscriber() {
+		wp_set_current_user( self::$subscriber_id );
+
+		$request = new WP_REST_Request( 'POST', '/__experimental/sidebars/sidebar-1' );
+		$request->set_body_params(
+			array(
+				'widgets' => array(),
+			)
+		);
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertErrorResponse( 'widgets_cannot_access', $response, 403 );
+	}
+
 	/**
 	 * The test_delete_item() method does not exist for sidebar.
 	 */
@@ -407,4 +531,5 @@ public function test_get_item_schema() {
 		$this->assertArrayHasKey( 'status', $properties );
 		$this->assertArrayHasKey( 'widgets', $properties );
 	}
+
 }