Merge pull request #78 from xwp/develop

Release 0.5.1

composer.json

@@ -1,7 +1,7 @@
 {
 	"name": "xwp/wp-customize-snapshots",
 	"description": "Allow Customizer states to be drafted, and previewed with a private URL.",
-	"version": "0.5.0",
+	"version": "0.5.1",
 	"type": "wordpress-plugin",
 	"homepage": "https://github.com/xwp/wp-customize-snapshots",
 	"license": "GPL-2.0+",

customize-snapshots.php

@@ -3,7 +3,7 @@
  * Plugin Name: Customize Snapshots
  * Plugin URI: https://github.com/xwp/wp-customize-snapshots
  * Description: Allow Customizer states to be drafted, and previewed with a private URL.
- * Version: 0.5.0
+ * Version: 0.5.1
  * Author:  XWP
  * Author URI: https://xwp.co/
  * License: GPLv2+

js/customize-snapshots.js

@@ -19,7 +19,7 @@
 		editLink: '',
 		publishDate: '',
 		postStatus: '',
-		currentUserCanPublish: '',
+		currentUserCanPublish: true,
 		initialServerDate: '',
 		initialServerTimestamp: 0,
 		initialClientTimestamp: 0,
@@ -56,7 +56,9 @@
 
 			component.extendPreviewerQuery();
 			component.addButtons();
-			component.addSchedule();
+			if ( component.data.currentUserCanPublish ) {
+				component.addSchedule();
+			}
 
 			$( '#snapshot-save' ).on( 'click', function( event ) {
 				var scheduleDate;
@@ -209,21 +211,23 @@
 		snapshotButton.insertAfter( publishButton );
 
 		// Schedule button.
-		scheduleButton = wp.template( 'snapshot-schedule-button' );
-		scheduleButton = $( $.trim( scheduleButton( {} ) ) );
-		scheduleButton.insertAfter( snapshotButton );
+		if ( component.data.currentUserCanPublish ) {
+			scheduleButton = wp.template( 'snapshot-schedule-button' );
+			scheduleButton = $( $.trim( scheduleButton( {} ) ) );
+			scheduleButton.insertAfter( snapshotButton );
 
-		if ( ! component.data.editLink ) {
-			scheduleButton.hide();
-		}
+			if ( ! component.data.editLink ) {
+				scheduleButton.hide();
+			}
 
-		api.state( 'change', function() {
-			scheduleButton.toggle( api.state( 'snapshot-saved' ).get() && api.state( 'snapshot-exists' ).get() );
-		} );
+			api.state( 'change', function() {
+				scheduleButton.toggle( api.state( 'snapshot-saved' ).get() && api.state( 'snapshot-exists' ).get() );
+			} );
 
-		api.state( 'snapshot-exists' ).bind( function( exist ) {
-			scheduleButton.toggle( exist );
-		} );
+			api.state( 'snapshot-exists' ).bind( function( exist ) {
+				scheduleButton.toggle( exist );
+			} );
+		}
 
 		api.state( 'snapshot-saved' ).bind( function( saved ) {
 			snapshotButton.prop( 'disabled', saved );
@@ -281,7 +285,7 @@
 			submitButton = $( $.trim( submitButton( {
 				buttonText: component.data.i18n.submit
 			} ) ) );
-			submitButton.prop( 'disabled', true );
+			submitButton.prop( 'disabled', ! api.state( 'snapshot-exists' ).get() );
 			submitButton.insertBefore( snapshotButton );
 			api.state( 'snapshot-submitted' ).bind( function( submitted ) {
 				submitButton.prop( 'disabled', submitted );
@@ -303,6 +307,10 @@
 
 		component.scheduleContainerDisplayed = new api.Value();
 
+		if ( ! component.data.currentUserCanPublish ) {
+			return;
+		}
+
 		// Inject the UI.
 		if ( _.isEmpty( component.schedule.container ) ) {
 			if ( '0000-00-00 00:00:00' === component.data.publishDate ) {
@@ -425,7 +433,7 @@
 			sliceBegin = 0,
 			sliceEnd = -2;
 
-		if ( _.isEmpty( component.schedule.container ) ) {
+		if ( _.isEmpty( component.schedule.container ) || ! component.data.currentUserCanPublish ) {
 			return;
 		}
 

php/class-customize-snapshot-manager.php

@@ -110,6 +110,7 @@ function init() {
 		add_action( 'admin_bar_menu', array( $this, 'customize_menu' ), 41 );
 		add_action( 'admin_bar_menu', array( $this, 'remove_all_non_snapshot_admin_bar_links' ), 100000 );
 		add_action( 'wp_before_admin_bar_render', array( $this, 'print_admin_bar_styles' ) );
+		add_filter( 'removable_query_args', array( $this, 'filter_removable_query_args' ) );
 
 		add_filter( 'wp_insert_post_data', array( $this, 'prepare_snapshot_post_content_for_publish' ) );
 		add_action( 'customize_save_after', array( $this, 'publish_snapshot_with_customize_save_after' ) );
@@ -878,6 +879,17 @@ public function prepare_snapshot_post_content_for_publish( $data ) {
 		return $data;
 	}
 
+	/**
+	 * Add snapshot_error_on_publish to removable_query_args.
+	 *
+	 * @param array $query_args Query args.
+	 * @return array Removable query args.
+	 */
+	public function filter_removable_query_args( $query_args ) {
+		$query_args[] = 'snapshot_error_on_publish';
+		return $query_args;
+	}
+
 	/**
 	 * Publish snapshot changes when snapshot post is being published.
 	 *
@@ -988,16 +1000,19 @@ public function save_settings_with_publish_snapshot( $new_status, $old_status, $
 			}
 
 			// Validate setting value.
-			if ( method_exists( $setting, 'validate' ) && is_wp_error( $setting->validate( $setting_params['value'] ) ) ) {
-				$setting_params['publish_error'] = 'invalid_value';
-				$publish_error_count += 1;
-				continue;
+			if ( method_exists( $setting, 'validate' ) ) {
+				$validity = $setting->validate( $setting_params['value'] );
+				if ( is_wp_error( $validity ) ) {
+					$setting_params['publish_error'] = $validity->get_error_code();
+					$publish_error_count += 1;
+					continue;
+				}
 			}
 
 			// Validate sanitized setting value.
 			$sanitized_value = $setting->sanitize( $setting_params['value'] );
 			if ( is_null( $sanitized_value ) || is_wp_error( $sanitized_value ) ) {
-				$setting_params['publish_error'] = 'invalid_value';
+				$setting_params['publish_error'] = is_wp_error( $sanitized_value ) ? $sanitized_value->get_error_code() : 'invalid_value';
 				$publish_error_count += 1;
 				continue;
 			}
@@ -1015,6 +1030,11 @@ public function save_settings_with_publish_snapshot( $new_status, $old_status, $
 			);
 			wp_update_post( wp_slash( $update_setting_args ) );
 			update_post_meta( $post->ID, 'snapshot_error_on_publish', $publish_error_count );
+
+			add_filter( 'redirect_post_location', function( $location ) {
+				$location = add_query_arg( 'snapshot_error_on_publish', '1', $location );
+				return $location;
+			} );
 			return false;
 		}
 
@@ -1079,6 +1099,10 @@ public function handle_update_snapshot_request() {
 			status_header( 400 );
 			wp_send_json_error( 'bad_status' );
 		}
+		if ( 'future' === $status && ! current_user_can( 'customize_publish' ) ) {
+			status_header( 400 );
+			wp_send_json_error( 'customize_not_allowed' );
+		}
 		$publish_date = isset( $_POST['publish_date'] ) ? $_POST['publish_date'] : '';
 		if ( 'future' === $status ) {
 			$publish_date_obj = new \DateTime( $publish_date );

php/class-customize-snapshot.php

@@ -294,10 +294,11 @@ public function save( array $args ) {
 		/**
 		 * Filter the snapshot's data before it's saved to 'post_content'.
 		 *
-		 * @param array $data Customizer snapshot data, with setting IDs mapped to an array
-		 *                    containing a `value` array item and potentially other metadata.
+		 * @param array              $data Customizer snapshot data, with setting IDs mapped to an array
+		 *                                 containing a `value` array item and potentially other metadata.
+		 * @param Customize_Snapshot $this Snapshot object.
 		 */
-		$this->data = apply_filters( 'customize_snapshot_save', $this->data );
+		$this->data = apply_filters( 'customize_snapshot_save', $this->data, $this );
 
 		$result = $this->snapshot_manager->post_type->save( array_merge(
 			$args,

php/class-post-type.php

@@ -585,6 +585,9 @@ public function filter_user_has_cap( $allcaps, $caps ) {
 				$allcaps[ $granted_cap ] = current_user_can( 'customize' );
 			}
 
+			if ( ! current_user_can( 'customize_publish' ) || empty( $allcaps['customize_publish'] ) ) {
+				$allcaps[ $post_type_obj->cap->publish_posts ] = false;
+			}
 			if ( ! current_user_can( 'edit_others_posts' ) ) {
 				$allcaps[ $post_type_obj->cap->edit_others_posts ] = false;
 			}
@@ -626,10 +629,7 @@ public function show_publish_error_admin_notice() {
 		if ( ! $current_screen || 'customize_snapshot' !== $current_screen->id || 'post' !== $current_screen->base ) {
 			return;
 		}
-		if ( ! isset( $_REQUEST['message'] ) || 8 !== intval( $_REQUEST['message'] ) ) {
-			return;
-		}
-		if ( 'pending' !== get_post_status() ) {
+		if ( ! isset( $_REQUEST['snapshot_error_on_publish'] ) ) {
 			return;
 		}
 		?>

readme.md

@@ -8,7 +8,7 @@ Allow Customizer states to be drafted, and previewed with a private URL.
 **Tags:** [customizer](https://wordpress.org/plugins/tags/customizer), [customize](https://wordpress.org/plugins/tags/customize), [snapshots](https://wordpress.org/plugins/tags/snapshots)  
 **Requires at least:** 4.5.3  
 **Tested up to:** 4.6  
-**Stable tag:** 0.5.0  
+**Stable tag:** 0.5.1  
 **License:** [GPLv2 or later](http://www.gnu.org/licenses/gpl-2.0.html)  
 
 [![Build Status](https://travis-ci.org/xwp/wp-customize-snapshots.svg?branch=master)](https://travis-ci.org/xwp/wp-customize-snapshots) [![Coverage Status](https://coveralls.io/repos/xwp/wp-customize-snapshots/badge.svg?branch=master)](https://coveralls.io/github/xwp/wp-customize-snapshots) [![Built with Grunt](https://cdn.gruntjs.com/builtwith.svg)](http://gruntjs.com) [![devDependency Status](https://david-dm.org/xwp/wp-customize-snapshots/dev-status.svg)](https://david-dm.org/xwp/wp-customize-snapshots#info=devDependencies) 
@@ -87,6 +87,15 @@ if ( ! $bypass_object_cache ) {
 
 ## Changelog ##
 
+* Added: Pass `Customize_Snapshot` instance as second param to `customize_snapshot_save` filter. See [#77](https://github.com/xwp/wp-customize-snapshots/pull/77).
+* Fixed: Restrict user from publishing or scheduling a snapshot unless they can `customize_publish`. See [#74](https://github.com/xwp/wp-customize-snapshots/pull/74).
+* Fixed: Fix logic for when to show the snapshot publish error admin notice and show underlying error codes when there are validity errors. See [#79](https://github.com/xwp/wp-customize-snapshots/pull/79).
+
+See full commit log: [`0.5.0...0.5.1`](https://github.com/xwp/wp-customize-posts/compare/0.5.0...0.5.1)
+
+Issues in milestone: [`milestone:0.5.1`](https://github.com/xwp/wp-customize-snapshots/issues?q=milestone%3A0.5.1)
+
+Props: Utkarsh Patel (<a href="https://github.com/PatelUtkarsh" class="user-mention">@PatelUtkarsh</a>), Luke Gedeon (<a href="https://github.com/lgedeon" class="user-mention">@lgedeon</a>), Weston Ruter (<a href="https://github.com/westonruter" class="user-mention">@westonruter</a>)
 ### 0.5.0 - 2016-08-11 ###
 Added:
 

readme.txt

@@ -2,7 +2,7 @@
 Contributors: westonruter, valendesigns, xwp, newscorpau
 Requires at least: 4.5.3
 Tested up to: 4.6
-Stable tag: 0.5.0
+Stable tag: 0.5.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 Tags: customizer, customize, snapshots
@@ -64,6 +64,16 @@ if ( ! $bypass_object_cache ) {
 
 == Changelog ==
 
+* Added: Pass `Customize_Snapshot` instance as second param to `customize_snapshot_save` filter. See [#77](https://github.com/xwp/wp-customize-snapshots/pull/77).
+* Fixed: Restrict user from publishing or scheduling a snapshot unless they can `customize_publish`. See [#74](https://github.com/xwp/wp-customize-snapshots/pull/74).
+* Fixed: Fix logic for when to show the snapshot publish error admin notice and show underlying error codes when there are validity errors. See [#79](https://github.com/xwp/wp-customize-snapshots/pull/79).
+
+See full commit log: [`0.5.0...0.5.1`](https://github.com/xwp/wp-customize-posts/compare/0.5.0...0.5.1)
+
+Issues in milestone: [`milestone:0.5.1`](https://github.com/xwp/wp-customize-snapshots/issues?q=milestone%3A0.5.1)
+
+Props: Utkarsh Patel (<a href="https://github.com/PatelUtkarsh" class="user-mention">@PatelUtkarsh</a>), Luke Gedeon (<a href="https://github.com/lgedeon" class="user-mention">@lgedeon</a>), Weston Ruter (<a href="https://github.com/westonruter" class="user-mention">@westonruter</a>)
+
 = 0.5.0 - 2016-08-11 =
 
 Added:

tests/php/test-class-ajax-customize-snapshot-manager.php

@@ -427,9 +427,11 @@ function test_ajax_update_snapshot_schedule() {
 		unset( $GLOBALS['wp_customize'] );
 		remove_all_actions( 'wp_ajax_' . Customize_Snapshot_Manager::AJAX_ACTION );
 
+		$post_type_obj = get_post_type_object( Post_Type::SLUG );
 		$setting_key = 'anyonecanedit';
 		$tomorrow = date( 'Y-m-d H:i:s', time() + 86400 );
 		$this->set_current_user( 'administrator' );
+		$this->assertTrue( current_user_can( $post_type_obj->cap->publish_posts ) );
 		$this->set_input_vars( array(
 			'action' => Customize_Snapshot_Manager::AJAX_ACTION,
 			'nonce' => wp_create_nonce( Customize_Snapshot_Manager::AJAX_ACTION ),
@@ -463,4 +465,65 @@ function test_ajax_update_snapshot_schedule() {
 		$this->assertSame( $expected_results, $response );
 		$this->assertEquals( 'future', get_post_status( $post_id ) );
 	}
+
+	/**
+	 * Test updating a snapshot when the user does not have the customize_publish capability.
+	 *
+	 * @covers \CustomizeSnapshots\Customize_Snapshot_Manager::handle_update_snapshot_request()
+	 */
+	function test_ajax_update_snapshot_ok_for_draft_and_pending_but_not_future() {
+		unset( $GLOBALS['wp_customize'] );
+		remove_all_actions( 'wp_ajax_' . Customize_Snapshot_Manager::AJAX_ACTION );
+
+		$post_type_obj = get_post_type_object( Post_Type::SLUG );
+		$setting_key = 'anyonecanedit';
+		add_filter( 'user_has_cap', function( $allcaps, $caps, $args ) {
+			$allcaps['customize'] = true;
+			if ( ! empty( $allcaps['edit_posts'] ) && ! empty( $args ) && 'customize' === $args[0] ) {
+				$allcaps = array_merge( $allcaps, array_fill_keys( $caps, true ) );
+			}
+			return $allcaps;
+		}, 10, 3 );
+		$tomorrow = date( 'Y-m-d H:i:s', time() + 86400 );
+		$this->set_current_user( 'contributor' );
+		$this->assertFalse( current_user_can( $post_type_obj->cap->publish_posts ) );
+		$post_vars = array(
+			'action' => Customize_Snapshot_Manager::AJAX_ACTION,
+			'nonce' => wp_create_nonce( Customize_Snapshot_Manager::AJAX_ACTION ),
+			'customize_snapshot_uuid' => self::UUID,
+			'customized' => wp_json_encode( array( $setting_key => 'Hello' ) ),
+			'publish_date' => $tomorrow, // Tomorrow.
+		);
+
+		$this->plugin = new Plugin();
+		$this->plugin->init();
+		$this->add_setting();
+
+		// Draft pass.
+		$post_vars['status'] = 'draft';
+		$this->set_input_vars( $post_vars );
+		$this->make_ajax_call( Customize_Snapshot_Manager::AJAX_ACTION );
+		$response = json_decode( $this->_last_response, true );
+		$this->_last_response = '';
+		$this->assertTrue( $response['success'] );
+
+		// Pending pass.
+		$post_vars['status'] = 'pending';
+		$this->set_input_vars( $post_vars );
+		$this->make_ajax_call( Customize_Snapshot_Manager::AJAX_ACTION );
+		$response = json_decode( $this->_last_response, true );
+		$this->_last_response = '';
+		$this->assertTrue( $response['success'] );
+
+		// Future fail.
+		$post_vars['status'] = 'future';
+		$this->set_input_vars( $post_vars );
+		$this->make_ajax_call( Customize_Snapshot_Manager::AJAX_ACTION );
+		$response = json_decode( $this->_last_response, true );
+		$expected_results = array(
+			'success' => false,
+			'data' => 'customize_not_allowed',
+		);
+		$this->assertSame( $expected_results, $response );
+	}
 }

tests/php/test-class-customize-snapshot-manager.php

@@ -209,6 +209,7 @@ public function test_init_hooks() {
 		$this->assertEquals( 41, has_action( 'admin_bar_menu', array( $manager, 'customize_menu' ) ) );
 		$this->assertEquals( 100000, has_action( 'admin_bar_menu', array( $manager, 'remove_all_non_snapshot_admin_bar_links' ) ) );
 		$this->assertEquals( 10, has_action( 'wp_before_admin_bar_render', array( $manager, 'print_admin_bar_styles' ) ) );
+		$this->assertEquals( 10, has_filter( 'removable_query_args', array( $manager, 'filter_removable_query_args' ) ) );
 
 		$this->assertEquals( 10, has_filter( 'wp_insert_post_data', array( $manager, 'prepare_snapshot_post_content_for_publish' ) ) );
 		$this->assertEquals( 10, has_action( 'customize_save_after', array( $manager, 'publish_snapshot_with_customize_save_after' ) ) );
@@ -819,6 +820,16 @@ public function test_prepare_snapshot_post_content_for_publish() {
 		$this->assertEquals( $validate_data, json_decode( wp_unslash( $data_without_errors['post_content'] ), true ) );
 	}
 
+	/**
+	 * Test adding snapshot_error_on_publish to removable_query_args.
+	 *
+	 * @covers \CustomizeSnapshots\Customize_Snapshot_Manager::filter_removable_query_args()
+	 */
+	public function test_filter_removable_query_args() {
+		$manager = new Customize_Snapshot_Manager( $this->plugin );
+		$this->assertContains( 'snapshot_error_on_publish', $manager->filter_removable_query_args( array() ) );
+	}
+
 	/**
 	 * Test save_settings_with_publish_snapshot.
 	 *
@@ -848,7 +859,7 @@ public function test_save_settings_with_publish_snapshot() {
 		);
 
 		if ( method_exists( 'WP_Customize_Setting', 'validate' ) ) {
-			$validate_data['foo']['publish_error'] = 'invalid_value';
+			$validate_data['foo']['publish_error'] = 'you_shell_not_pass';
 			add_filter( 'customize_validate_foo', function( $validity ) {
 				$validity->add( 'you_shell_not_pass', 'Testing invalid setting while publishing snapshot' );
 				return $validity;