Changeset 51943

Timestamp:

10/27/2021 06:42:13 PM (3 years ago)

Author:

swissspidy

Message:

Role/Capability: Add support for capability queries in WP_User_Query.

Similar to the existing role/role__in/role__not_in query arguments, this adds support for three new query arguments in WP_User_Query:

• capability
• capability__in
• capability__not_in

These can be used to fetch users with (or without) a specific set of capabilities, for example to get all users
with the capability to edit a certain post type.

Under the hood, this will check all existing roles on the site and perform a LIKE query against the capabilities user meta field to find:

• all users with a role that has this capability
• all users with the capability being assigned directly

Note: In WordPress, not all capabilities are stored in the database. Capabilities can also be modified using filters like map_meta_cap. These new query arguments do NOT work for such capabilities.

The prime use case for capability queries is to get all "authors", i.e. users with the capability to edit a certain post type.

Until now, 'who' => 'authors' was used for this, which relies on user levels. However, user levels were deprecated a long time ago and thus never added to custom roles. This led to constant frustration due to users with custom roles missing from places like author dropdowns.

This updates any usage of 'who' => 'authors' in core to use capability queries instead.

Subsequently, 'who' => 'authors' queries are being deprecated in favor of these new query arguments.

Also adds a new capabilities parameter (mapping to capability__in in WP_User_Query) to the REST API users controller.

Also updates twentyfourteen_list_authors() in Twenty Fourteen to make use of this new functionality, adding a new twentyfourteen_list_authors_query_args filter to make it easier to override this behavior.

Props scribu, lgladdly, boonebgorges, spacedmonkey, peterwilsoncc, SergeyBiryukov, swissspidy.
Fixes #16841.

Location:

trunk

Files:

• src/wp-admin/includes/class-wp-posts-list-table.php (modified) (1 diff)
• src/wp-admin/includes/meta-boxes.php (modified) (2 diffs)
• src/wp-content/themes/twentyfourteen/functions.php (modified) (1 diff)
• src/wp-includes/class-wp-user-query.php (modified) (6 diffs)
• src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php (modified) (3 diffs)
• src/wp-includes/user.php (modified) (2 diffs)
• tests/phpunit/tests/rest-api/rest-users-controller.php (modified) (11 diffs)
• tests/phpunit/tests/user/query.php (modified) (4 diffs)
• tests/phpunit/tests/xmlrpc/wp/getUsers.php (modified) (1 diff)
• tests/qunit/fixtures/wp-api-generated.js (modified) (1 diff)

trunk/src/wp-admin/includes/class-wp-posts-list-table.php

@@ -1661 +1661 @@
                         $users_opt = array(
                             'hide_if_only_one_author' => false,
-                            'who'                     => 'authors',
+                            ',
                             'name'                    => 'post_author',
                             'class'                   => 'authors',

trunk/src/wp-admin/includes/meta-boxes.php

@@ -904 +904 @@
 function post_author_meta_box( $post ) {
     global $user_ID;
+
+
     ?>
 <label class="screen-reader-text" for="post_author_override"><?php _e( 'Author' ); ?></label>
@@ -909 +911 @@
     wp_dropdown_users(
         array(
-            'who'              => 'authors',
+            ',
             'name'             => 'post_author_override',
             'selected'         => empty( $post->ID ) ? $user_ID : $post->post_author,

trunk/src/wp-content/themes/twentyfourteen/functions.php

@@ -492 +492 @@
      */
     function twentyfourteen_list_authors() {
-        $contributor_ids = get_users(
-            array(
-                'fields'  => 'ID',
-                'orderby' => 'post_count',
-                'order'   => 'DESC',
-                'who'     => 'authors',
-            )
-        );
+        $args = array(
+            'fields'     => 'ID',
+            'orderby'    => 'post_count',
+            'order'      => 'DESC',
+            'capability' => array( 'edit_posts' ),
+        );
+
+        /**
+         * Filters query arguments for listing authors.
+         *
+         * @since 3.3
+         *
+         * @param array $args Query arguments.
+         */
+        $args = apply_filters( 'twentyfourteen_list_authors_query_args', $args );
+
+        $contributor_ids = get_users( $args );
 
         foreach ( $contributor_ids as $contributor_id ) :

trunk/src/wp-includes/class-wp-user-query.php

@@ -94 +94 @@
             'role__in'            => array(),
             'role__not_in'        => array(),
+
+
+
             'meta_key'            => '',
             'meta_value'          => '',
@@ -134 +137 @@
      * @since 4.7.0 Added 'nicename', 'nicename__in', 'nicename__not_in', 'login', 'login__in',
      *              and 'login__not_in' parameters.
+
      *
      * @global wpdb $wpdb WordPress database abstraction object.
@@ -149 +153 @@
      *     @type string[]     $role__not_in        An array of role names to exclude. Users matching one or more of these
      *                                             roles will not be included in results. Default empty array.
+
+
+
+
+
+
+
+
+
+
+
+
+
      *     @type string       $meta_key            User meta key. Default empty.
      *     @type string       $meta_value          User meta value. Default empty.
@@ -321 +338 @@
 
         if ( isset( $qv['who'] ) && 'authors' === $qv['who'] && $blog_id ) {
+
+
+
+
+
+
+
+
+
+
+
             $who_query = array(
                 'key'     => $wpdb->get_blog_prefix( $blog_id ) . 'user_level',
@@ -344 +372 @@
         }
 
+
         $roles = array();
         if ( isset( $qv['role'] ) ) {
@@ -361 +390 @@
         if ( isset( $qv['role__not_in'] ) ) {
             $role__not_in = (array) $qv['role__not_in'];
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
         }
 

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

@@ -199 +199 @@
         }
 
+
+
+
+
+
+
+
+
+
         if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
             return new WP_Error(
@@ -255 +264 @@
          */
         $parameter_mappings = array(
-            'exclude'  => 'exclude',
-            'include'  => 'include',
-            'order'    => 'order',
-            'per_page' => 'number',
-            'search'   => 'search',
-            'roles'    => 'role__in',
-            'slug'     => 'nicename__in',
+            'exclude'      => 'exclude',
+            'include'      => 'include',
+            'order'        => 'order',
+            'per_page'     => 'number',
+            'search'       => 'search',
+            'roles'        => 'role__in',
+            'capabilities' => 'capability__in',
+            'slug'         => 'nicename__in',
         );
 
@@ -1555 +1565 @@
         );
 
+
+
+
+
+
+
+
+
         $query_params['who'] = array(
             'description' => __( 'Limit result set to users who are considered authors.' ),

trunk/src/wp-includes/user.php

@@ -1321 +1321 @@
         'role__in'                => array(),
         'role__not_in'            => array(),
+
+
+
     );
 
@@ -1327 +1330 @@
     $parsed_args = wp_parse_args( $args, $defaults );
 
-    $query_args = wp_array_slice_assoc( $parsed_args, array( 'blog_id', 'include', 'exclude', 'orderby', 'order', 'who', 'role', 'role__in', 'role__not_in' ) );
+    $query_args = wp_array_slice_assoc(
+        $parsed_args,
+        array(
+            'blog_id',
+            'include',
+            'exclude',
+            'orderby',
+            'order',
+            'who',
+            'role',
+            'role__in',
+            'role__not_in',
+            'capability',
+            'capability__in',
+            'capability__not_in',
+        )
+    );
 
     $fields = array( 'ID', 'user_login' );

trunk/tests/phpunit/tests/rest-api/rest-users-controller.php

@@ -16 +16 @@
     protected static $draft_editor;
     protected static $subscriber;
+
 
     protected static $authors     = array();
@@ -54 +55 @@
                 'display_name' => 'subscriber',
                 'user_email'   => 'subscriber@example.com',
+
+
+
+
+
+
+
             )
         );
@@ -108 +116 @@
 
         // Set up users for pagination tests.
-        for ( $i = 0; $i < self::$total_users - 10; $i++ ) {
+        for ( $i = 0; $i < self::$total_users - 1; $i++ ) {
             self::$user_ids[] = $factory->user->create(
                 array(
@@ -122 +130 @@
         self::delete_user( self::$editor );
         self::delete_user( self::$draft_editor );
+
 
         foreach ( self::$posts as $post ) {
@@ -184 +193 @@
         $data     = $response->get_data();
         $keys     = array_keys( $data['endpoints'][0]['args'] );
-        sort( $keys );
-        $this->assertSame(
+        $this->assertEqualSets(
             array(
                 'context',
@@ -196 +204 @@
                 'per_page',
                 'roles',
+
                 'search',
                 'slug',
@@ -796 +805 @@
         wp_set_current_user( self::$user );
 
-        $tango = $this->factory->user->create(
-            array(
-                'display_name' => 'tango',
-                'role'         => 'subscriber',
-            )
-        );
-        $yolo  = $this->factory->user->create(
-            array(
-                'display_name' => 'yolo',
-                'role'         => 'author',
-            )
-        );
-
         $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
         $request->set_param( 'roles', 'author,subscriber' );
         $response = rest_get_server()->dispatch( $request );
         $data     = $response->get_data();
-        $this->assertCount( 3, $data );
-        $this->assertSame( $tango, $data[1]['id'] );
-        $this->assertSame( $yolo, $data[2]['id'] );
+        $this->assertCount( , $data );
+        $this->assertSame( ]['id'] );
+        $this->assertSame( ]['id'] );
 
         $request->set_param( 'roles', 'author' );
@@ -821 +817 @@
         $data     = $response->get_data();
         $this->assertCount( 1, $data );
-        $this->assertSame( $yolo, $data[0]['id'] );
+        $this->assertSame( , $data[0]['id'] );
 
         wp_set_current_user( 0 );
@@ -839 +835 @@
         wp_set_current_user( self::$user );
 
-        $lolz = $this->factory->user->create(
-            array(
-                'display_name' => 'lolz',
-                'role'         => 'author',
-            )
-        );
-
         $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
         $request->set_param( 'roles', 'ilovesteak,author' );
@@ -851 +840 @@
         $data     = $response->get_data();
         $this->assertCount( 1, $data );
-        $this->assertSame( $lolz, $data[0]['id'] );
+        $this->assertSame( , $data[0]['id'] );
 
         $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
@@ -857 +846 @@
         $response = rest_get_server()->dispatch( $request );
         $data     = $response->get_data();
-        $this->assertCount( 0, $data );
-        $this->assertSame( array(), $data );
-    }
-
+        $this->assertIsArray( $data );
+        $this->assertEmpty( $data );
+    }
+
+    /**
+     * @ticket 16841
+     */
+    public function test_get_items_capabilities() {
+        wp_set_current_user( self::$user );
+
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $request->set_param( 'capabilities', 'edit_posts' );
+        $response = rest_get_server()->dispatch( $request );
+        $data     = $response->get_data();
+
+        $this->assertNotEmpty( $data );
+        foreach ( $data as $user ) {
+            $this->assertTrue( user_can( $user['id'], 'edit_posts' ) );
+        }
+    }
+
+    /**
+     * @ticket 16841
+     */
+    public function test_get_items_capabilities_no_permission_no_user() {
+        wp_set_current_user( 0 );
+
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $request->set_param( 'capabilities', 'edit_posts' );
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 );
+    }
+
+    /**
+     * @ticket 16841
+     */
+    public function test_get_items_capabilities_no_permission_editor() {
+        wp_set_current_user( self::$editor );
+
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $request->set_param( 'capabilities', 'edit_posts' );
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertErrorResponse( 'rest_user_cannot_view', $response, 403 );
+    }
+
+    /**
+     * @ticket 16841
+     */
+    public function test_get_items_invalid_capabilities() {
+        wp_set_current_user( self::$user );
+
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $request->set_param( 'roles', 'ilovesteak,author' );
+        $response = rest_get_server()->dispatch( $request );
+        $data     = $response->get_data();
+        $this->assertCount( 1, $data );
+        $this->assertSame( self::$author, $data[0]['id'] );
+
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $request->set_param( 'capabilities', 'steakisgood' );
+        $response = rest_get_server()->dispatch( $request );
+        $data     = $response->get_data();
+        $this->assertIsArray( $data );
+        $this->assertEmpty( $data );
+    }
+
+    /**
+     * @expectedDeprecated WP_User_Query
+     */
     public function test_get_items_who_author_query() {
         wp_set_current_user( self::$superadmin );

trunk/tests/phpunit/tests/user/query.php

@@ -731 +731 @@
      * @ticket 32019
      * @group ms-required
+
      */
     public function test_who_authors() {
@@ -756 +757 @@
      * @ticket 32019
      * @group ms-required
+
      */
     public function test_who_authors_should_work_alongside_meta_query() {
@@ -790 +792 @@
      * @ticket 36724
      * @group ms-required
+
      */
     public function test_who_authors_should_work_alongside_meta_params() {
@@ -1726 +1729 @@
         return array( 555 );
     }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 }

trunk/tests/phpunit/tests/xmlrpc/wp/getUsers.php

@@ -55 +55 @@
     }
 
+
+
+
     function test_role_filter() {
         $author_id        = $this->make_user_by_role( 'author' );

trunk/tests/qunit/fixtures/wp-api-generated.js

@@ -5358 +5358 @@
                             "required": false
                         },
+
+
+
+
+
+
+
+
                         "who": {
                             "description": "Limit result set to users who are considered authors.",