Users: Validate WP_User_Query's fields argument.
Improve validation of `WP_User_Query`'s `fields` argument when passed as an array to ensure it only accepts permitted values. This prevents invalid values from being included in the generated database query. Expand unit tests to include passing invalid values as part of an array and the lower case value `id`. Correct earlier unit tests to limit the database query to one result. Follow up to [53255]. Props felipeelia. Fixes #53177. git-svn-id: https://develop.svn.wordpress.org/trunk@53327 602fd350-edb4-49c9-b593-d223f7449a82
@@ -285,7 +285,11 @@ class WP_User_Query {
|
||||
);
|
||||
|
||||
if ( is_array( $qv['fields'] ) ) {
|
||||
$qv['fields'] = array_unique( $qv['fields'] );
|
||||
$qv['fields'] = array_intersect( array_unique( $qv['fields'] ), $allowed_fields );
|
||||
|
||||
if ( empty( $qv['fields'] ) ) {
|
||||
$qv['fields'] = array( 'ID' );
|
||||
}
|
||||
|
||||
$this->query_fields = array();
|
||||
foreach ( $qv['fields'] as $field ) {
|
||||
@@ -293,8 +297,10 @@ class WP_User_Query {
|
||||
$this->query_fields[] = "$wpdb->users.$field";
|
||||
}
|
||||
$this->query_fields = implode( ',', $this->query_fields );
|
||||
} elseif ( ! in_array( $qv['fields'], $allowed_fields, true ) ) {
|
||||
} elseif ( 'all' === $qv['fields'] ) {
|
||||
$this->query_fields = "$wpdb->users.*";
|
||||
} elseif ( ! in_array( $qv['fields'], $allowed_fields, true ) ) {
|
||||
$this->query_fields = "$wpdb->users.ID";
|
||||
} else {
|
||||
$field = 'ID' === $qv['fields'] ? 'ID' : sanitize_key( $qv['fields'] );
|
||||
$this->query_fields = "$wpdb->users.$field";
|
||||
|
||||
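Review bot: `array_intersect()` on the new line `$qv['fields'] = array_intersect( array_unique( $qv['fields'] ), $allowed_fields );` compares entries as strings and keeps their original keys, so a caller-supplied array that contained an unknown field is left with gaps in its key sequence; the `foreach` below tolerates that, but if `$qv['fields']` is also visible to filters through the query vars, wrapping the call in `array_values()` would keep it a contiguous list. Because the comparison is a plain string match against `$allowed_fields` (declared above the hunk), the lower-case `id` that the commit message says is now accepted would be dropped from the array form unless the allowed list itself contains it — a data-provider case with `array( 'id' )` would pin that either way. Non-string entries such as nested arrays or objects are not rejected here but trigger a string-conversion warning or error inside `array_intersect()`; a guard ahead of it, `$qv['fields'] = array_filter( $qv['fields'], 'is_string' );`, would make the validation explicit. The enclosing method starts and ends outside the hunk, including the per-field sanitisation in the loop body.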
@@ -1982,8 +1982,8 @@ class Tests_User_Query extends WP_UnitTestCase {
|
||||
public function test_returning_fields( $field, $expected_values ) {
|
||||
$q = new WP_User_Query(
|
||||
array(
|
||||
'fields' => $field,
|
||||
'include ' => array( self::$admin_ids[0] ),
|
||||
'fields' => $field,
|
||||
'include' => array( '1' ),
|
||||
)
|
||||
);
|
||||
$results = $q->get_results();
|
||||
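Review bot: The new `'include' => array( '1' )` pins the query to user ID 1 without recording why that ID is safe to assume; a comment such as `// User ID 1 is the administrator created by the test bootstrap; the provider's expected login/email belong to it.` would stop the next reader from swapping it back to `self::$admin_ids[0]`. The removed key `'include '` (trailing space) was silently ignored rather than rejected, which is presumably why the query returned more rows than intended; if `WP_User_Query` does not complain about unknown argument keys, adding `$this->assertCount( 1, $results );` after `$results = $q->get_results();` would catch that class of regression directly. The rest of the method, including its assertions, lies outside the hunk.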
@@ -2007,68 +2007,94 @@ class Tests_User_Query extends WP_UnitTestCase {
|
||||
|
||||
public function data_returning_fields() {
|
||||
return array(
|
||||
'all' => array(
|
||||
'all' => array(
|
||||
'field' => 'all',
|
||||
'expected' => array(
|
||||
'ID' => '1',
|
||||
'user_login' => 'admin',
|
||||
'user_nicename' => 'admin',
|
||||
'user_email' => 'admin@example.org',
|
||||
'user_url' => 'http://example.org',
|
||||
'user_email' => WP_TESTS_EMAIL,
|
||||
'user_url' => wp_guess_url(),
|
||||
'user_activation_key' => '',
|
||||
'user_status' => '0',
|
||||
'display_name' => 'admin',
|
||||
),
|
||||
),
|
||||
'all_with_meta' => array(
|
||||
'all_with_meta' => array(
|
||||
'field' => 'all_with_meta',
|
||||
'expected' => array(
|
||||
'ID' => '1',
|
||||
'user_login' => 'admin',
|
||||
'user_nicename' => 'admin',
|
||||
'user_email' => 'admin@example.org',
|
||||
'user_url' => 'http://example.org',
|
||||
'user_email' => WP_TESTS_EMAIL,
|
||||
'user_url' => wp_guess_url(),
|
||||
'user_activation_key' => '',
|
||||
'user_status' => '0',
|
||||
'display_name' => 'admin',
|
||||
),
|
||||
),
|
||||
'ID' => array(
|
||||
'ID' => array(
|
||||
'field' => 'ID',
|
||||
'expected' => array(
|
||||
'ID' => '1',
|
||||
),
|
||||
),
|
||||
'display_name' => array(
|
||||
'id' => array(
|
||||
'field' => 'id',
|
||||
'expected' => array(
|
||||
'ID' => '1',
|
||||
),
|
||||
),
|
||||
'display_name' => array(
|
||||
'field' => 'display_name',
|
||||
'expected' => array(
|
||||
'display_name' => 'admin',
|
||||
),
|
||||
),
|
||||
'user_login' => array(
|
||||
'user_login' => array(
|
||||
'field' => 'user_login',
|
||||
'expected' => array(
|
||||
'user_login' => 'admin',
|
||||
),
|
||||
),
|
||||
'user_nicename' => array(
|
||||
'user_nicename' => array(
|
||||
'field' => 'user_nicename',
|
||||
'expected' => array(
|
||||
'user_nicename' => 'admin',
|
||||
),
|
||||
),
|
||||
'user_email' => array(
|
||||
'user_email' => array(
|
||||
'field' => 'user_email',
|
||||
'expected' => array(
|
||||
'user_email' => 'admin@example.org',
|
||||
'user_email' => WP_TESTS_EMAIL,
|
||||
),
|
||||
),
|
||||
'invalid_field' => array(
|
||||
'invalid_field' => array(
|
||||
'field' => 'invalid_field',
|
||||
'expected' => array(
|
||||
'0' => '1',
|
||||
),
|
||||
),
|
||||
'valid_array' => array(
|
||||
'field' => array( 'ID', 'display_name' ),
|
||||
'expected' => array(
|
||||
'ID' => '1',
|
||||
'display_name' => 'admin',
|
||||
),
|
||||
),
|
||||
'semivalid_array' => array(
|
||||
'field' => array( 'ID', 'display_name', 'invalid_field' ),
|
||||
'expected' => array(
|
||||
'ID' => '1',
|
||||
'display_name' => 'admin',
|
||||
),
|
||||
),
|
||||
'invalid_array' => array(
|
||||
'field' => array( 'invalid_field' ),
|
||||
'expected' => array(
|
||||
'ID' => '1',
|
||||
),
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
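Review bot: The `invalid_field` scalar dataset still expects `'0' => '1'` while the new `invalid_array` dataset expects `'ID' => '1'`, even though the `WP_User_Query` change makes both fall back to selecting `ID`; if the difference is that a scalar field returns a flat column list while an array returns row objects, a short comment on the `invalid_field` entry saying so would keep the asymmetry from reading as a typo. The `all` and `all_with_meta` expectations now derive from `WP_TESTS_EMAIL` and `wp_guess_url()`, so the provider depends on the bootstrap configuration for user 1 rather than on fixtures created by this test class — worth a one-line note at the top of the provider so a future fixture change does not silently shift every dataset. The method is complete within the hunk.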