Merge pull request #1103 from Automattic/pattern-edit-fix

Protect against pattern edits

Author: GaryJones

Diff for: php/class-coauthors-endpoint.php

@@ -152,7 +152,9 @@ public function get_coauthors_search_results( $request ): WP_REST_Response {
 	public function get_coauthors( $request ): WP_REST_Response {
 		$response = array();
 
-		$this->_build_authors_response( $response, $request );
+		if ( ! $this->request_is_for_wp_block_post_type( $request ) && ! $this->is_pattern_sync_operation() ) {
+			$this->_build_authors_response( $response, $request );
+		}
 
 		return rest_ensure_response( $response );
 	}
@@ -233,6 +235,36 @@ public function _build_authors_response( &$response, $request ): void {
 		}
 	}
 
+	/**
+	 * Check if the request is for a wp_block post type.
+	 *
+	 * @param WP_REST_Request $request Request object.
+	 * @return bool
+	 */
+	private function request_is_for_wp_block_post_type( WP_REST_Request $request ): bool {
+		return 'wp_block' === get_post_type( $request->get_param( 'post_id' ) );
+	}
+
+	/**
+	 * Check if this is a pattern sync operation.
+	 *
+	 * @return bool
+	 */
+	private function is_pattern_sync_operation(): bool {
+		$referer = wp_get_referer();
+		if ( ! $referer ) {
+			return false;
+		}
+
+		$query_string = wp_parse_url( $referer, PHP_URL_QUERY );
+		if ( ! $query_string ) {
+			return false;
+		}
+
+		parse_str( $query_string, $query_vars );
+		return ! empty( $query_vars['post'] ) && 'wp_block' === get_post_type( $query_vars['post'] );
+	}
+
 	/**
 	 * Add filters to REST endpoints for each post that
 	 * supports co-authors.

Diff for: tests/Integration/EndpointsTest.php

@@ -180,6 +180,35 @@ public function test_authors_get_coauthors(): void {
 		$this->assertEquals( 'author', $get_response->data[0]['userNicename'] );
 	}
 
+	/**
+	 * @covers CoAuthors\API\Endpoints::get_coauthors
+	 */
+	public function test_get_coauthors_wp_block_post_type(): void {
+		$post_id = self::factory()->post->create( array( 'post_type' => 'wp_block' ) );
+		$request = new \WP_REST_Request( 'GET', '/coauthors/v1/authors/' . $post_id );
+		$request->set_param( 'post_id', $post_id );
+
+		$response = $this->_api->get_coauthors( $request );
+		$this->assertEmpty( $response->get_data() );
+	}
+
+	/**
+	 * @covers CoAuthors\API\Endpoints::get_coauthors
+	 */
+	public function test_get_coauthors_pattern_sync(): void {
+		$post_id = self::factory()->post->create();
+		$block_id = self::factory()->post->create( array( 'post_type' => 'wp_block' ) );
+		$_SERVER['HTTP_REFERER'] = admin_url( sprintf( 'post.php?post=%d&action=edit', $block_id ) );
+
+		$request = new \WP_REST_Request( 'GET', '/coauthors/v1/authors/' . $post_id );
+		$request->set_param( 'post_id', $post_id );
+
+		$response = $this->_api->get_coauthors( $request );
+		$this->assertEmpty( $response->get_data() );
+
+		unset( $_SERVER['HTTP_REFERER'] );
+	}
+
 	/**
 	 * @covers \CoAuthors\API\Endpoints::update_coauthors
 	 */