From bb76c79a44a55a3acf0decbac9796817d2cf46fd Mon Sep 17 00:00:00 2001 From: Jb Audras Date: Mon, 25 Apr 2022 12:55:35 +0000 Subject: [PATCH] Users: Make sure `WP_User_Query` can be filtered using the `fields` parameter. This change ensures the `fields` parameter is taken into account when running `WP_User_Query` by fixing the conditional statement used to process the `fields` param. Props rilwis, peterwilsoncc, NomNom99, hellofromTonya, audrasjb, rilwis, Boniu91. Fixes #53177. git-svn-id: https://develop.svn.wordpress.org/trunk@53255 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-includes/class-wp-user-query.php | 15 ++- tests/phpunit/tests/user/query.php | 139 ++++++++++++++++++++++-- 2 files changed, 144 insertions(+), 10 deletions(-) diff --git a/src/wp-includes/class-wp-user-query.php b/src/wp-includes/class-wp-user-query.php index a757e38e20..6d88b4a855 100644 --- a/src/wp-includes/class-wp-user-query.php +++ b/src/wp-includes/class-wp-user-query.php @@ -274,6 +274,16 @@ class WP_User_Query { $qv =& $this->query_vars; $qv = $this->fill_query_vars( $qv ); + $allowed_fields = array( + 'ID', + 'display_name', + 'user_login', + 'user_nicename', + 'user_email', + 'user_url', + 'user_registered', + ); + if ( is_array( $qv['fields'] ) ) { $qv['fields'] = array_unique( $qv['fields'] ); @@ -283,10 +293,11 @@ class WP_User_Query { $this->query_fields[] = "$wpdb->users.$field"; } $this->query_fields = implode( ',', $this->query_fields ); - } elseif ( 'all' === $qv['fields'] ) { + } elseif ( ! in_array( $qv['fields'], $allowed_fields, true ) ) { $this->query_fields = "$wpdb->users.*"; } else { - $this->query_fields = "$wpdb->users.ID"; + $field = 'ID' === $qv['fields'] ? 'ID' : sanitize_key( $qv['fields'] ); + $this->query_fields = "$wpdb->users.$field"; } if ( isset( $qv['count_total'] ) && $qv['count_total'] ) { diff --git a/tests/phpunit/tests/user/query.php b/tests/phpunit/tests/user/query.php index 1c17d3d09c..4ee93ae167 100644 
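Review bot: The new `$allowed_fields` allowlist is only consulted in the `elseif` for a scalar `fields` value; the `is_array( $qv['fields'] )` branch still builds `"$wpdb->users.$field"` from each array element. Whatever validation that loop applies sits between the two hunks and is not visible here. If it only normalises the name, a caller that forwards request data as an array can select columns outside the allowlist. I would filter first with `$qv['fields'] = array_intersect( array_unique( $qv['fields'] ), $allowed_fields );` and fall back to `ID` when nothing survives. In the final `else`, `sanitize_key()` is redundant after the strict `in_array()` match, so a comment such as `// $qv['fields'] is allowlisted above, safe to interpolate as a column name.` would state the SQL-safety argument more directly.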
--- a/tests/phpunit/tests/user/query.php +++ b/tests/phpunit/tests/user/query.php @@ -198,7 +198,7 @@ class Tests_User_Query extends WP_UnitTestCase { 'include' => self::$author_ids, 'meta_key' => 'last_name', 'orderby' => 'meta_value', - 'fields' => 'ids', + 'fields' => 'ID', ) ); @@ -220,7 +220,7 @@ class Tests_User_Query extends WP_UnitTestCase { 'include' => self::$author_ids, 'meta_key' => 'user_age', 'orderby' => 'meta_value_num', - 'fields' => 'ids', + 'fields' => 'ID', ) ); @@ -242,7 +242,7 @@ class Tests_User_Query extends WP_UnitTestCase { 'include' => self::$author_ids, 'meta_key' => 'foo', 'orderby' => 'foo', - 'fields' => 'ids', + 'fields' => 'ID', ) ); @@ -261,7 +261,7 @@ class Tests_User_Query extends WP_UnitTestCase { $q = new WP_User_Query( array( - 'fields' => 'ids', + 'fields' => 'ID', 'meta_query' => array( 'foo_key' => array( 'key' => 'foo', @@ -302,7 +302,7 @@ class Tests_User_Query extends WP_UnitTestCase { $q = new WP_User_Query( array( - 'fields' => 'ids', + 'fields' => 'ID', 'meta_query' => array( 'foo_key' => array( 'key' => 'foo', @@ -332,7 +332,7 @@ class Tests_User_Query extends WP_UnitTestCase { $q = new WP_User_Query( array( - 'fields' => 'ids', + 'fields' => 'ID', 'meta_query' => array( 'foo_key' => array( 'key' => 'foo', @@ -1281,7 +1281,7 @@ class Tests_User_Query extends WP_UnitTestCase { 'paged' => 2, 'orderby' => 'ID', 'order' => 'DESC', // Avoid funkiness with user 1. - 'fields' => 'ids', + 'fields' => 'ID', ) ); @@ -1357,7 +1357,7 @@ class Tests_User_Query extends WP_UnitTestCase { $users = get_users( array( 'role' => 'editor', - 'fields' => 'ids', + 'fields' => 'ID', ) ); 
@@ -1966,4 +1966,127 @@ class Tests_User_Query extends WP_UnitTestCase {
 $this->assertContains( self::$author_ids[1], $found );
 $this->assertContains( self::$author_ids[2], $found );
 }
+
+ /**
+ * @ticket 53177
+ *
+ * @param $field
+ * @param $expected
+ *
+ * @return void
+ *
+ * @dataProvider data_returning_fields
+ *
+ * @covers WP_User_Query::prepare_query
+ */
+ public function test_returning_fields( $field, $expected_values ) {
+ $q = new WP_User_Query(
+ array(
+ 'fields' => $field,
+ 'include ' => array( self::$admin_ids[0] ),
+ )
+ );
+ $results = $q->get_results();
+
+ if ( 'all_with_meta' === $field ) {
+ $data = array_shift( $results )->data;
+
+ } else {
+ $data = ( isset( $results[0]->data ) ) ? $results[0]->data : $results[0];
+ }
+
+ foreach ( $expected_values as $key => $expected_value ) {
+ if ( ! is_array( $results ) ) {
+ $this->assertEquals( array_shift( $results ), $expected_value );
+ } else {
+ $value = ( isset( $data->$key ) ) ? $data->$key : $data;
+ $this->assertEquals( $value, $expected_value );
+ }
+ }
+ }
+
+ public function data_returning_fields() {
+ return array(
+ 'all' => array(
+ 'field' => 'all',
+ 'expected' => array(
+ 'ID' => '1',
+ 'user_login' => 'admin',
+ 'user_nicename' => 'admin',
+ 'user_email' => 'admin@example.org',
+ 'user_url' => 'http://example.org',
+ 'user_activation_key' => '',
+ 'user_status' => '0',
+ 'display_name' => 'admin',
+ ),
+ ),
+ 'all_with_meta' => array(
+ 'field' => 'all_with_meta',
+ 'expected' => array(
+ 'ID' => '1',
+ 'user_login' => 'admin',
+ 'user_nicename' => 'admin',
+ 'user_email' => 'admin@example.org',
+ 'user_url' => 'http://example.org',
+ 'user_activation_key' => '',
+ 'user_status' => '0',
+ 'display_name' => 'admin',
+ ),
+ ),
+ 'ID' => array(
+ 'field' => 'ID',
+ 'expected' => array(
+ 'ID' => '1',
+ ),
+ ),
+ 'display_name' => array(
+ 'field' => 'display_name',
+ 'expected' => array(
+ 'display_name' => 'admin',
+ ),
+ ),
+ 'user_login' => array(
+ 'field' => 'user_login',
+ 'expected' => array(
+ 'user_login' => 'admin',
+ ),
+ ),
+ 'user_nicename' => array(
+ 'field' => 'user_nicename',
+ 'expected' => array(
+ 'user_nicename' => 'admin',
+ ),
+ ),
+ 'user_email' => array(
+ 'field' => 'user_email',
+ 'expected' => array(
+ 'user_email' => 'admin@example.org',
+ ),
+ ),
+ 'invalid_field' => array(
+ 'field' => 'invalid_field',
+ 'expected' => array(
+ '0' => '1',
+ ),
+ ),
+ );
+ }
+
+ /**
+ * @ticket 53177
+ *
+ * @return void
+ *
+ * @covers WP_User_Query::prepare_query
+ */
+ public function test_returning_field_user_registered() {
+ $q = new WP_User_Query(
+ array(
+ 'fields' => 'user_registered',
+ 'include' => array( self::$admin_ids[0] ),
+ )
+ );
+ $results = $q->get_results();
+ $this->assertNotFalse( DateTime::createFromFormat( 'Y-m-d H:i:s', $results[0] ) );
+ }
 }
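Review bot: In `test_returning_fields` the query argument is keyed `'include '` with a trailing space, so the include filter is presumably never applied and the assertions depend on the admin user happening to be the first row returned. It should read `'include' => array( self::$admin_ids[0] ),` as in `test_returning_field_user_registered`. The `if ( ! is_array( $results ) )` branch calls `array_shift()` on a value it has just established is not an array, so it cannot assert anything and could be dropped. The provider covers only scalar `fields` values and has no `user_url` case; an array case containing a column outside the allowlist would pin down how `prepare_query` treats it. The docblock also names `$expected` while the parameter is `$expected_values`.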