Merge pull request #387 from JLG-WOCFR-DEV/codex/add-user-capability-checks-to-link-update-functions

JLG-WOCFR-DEV · web-flow · commit 639d3a8bb894 · 2025-10-14T14:03:57.000+02:00
Add fix-links capability guard and tests
diff --git a/liens-morts-detector-jlg/includes/class-blc-links-list-table.php b/liens-morts-detector-jlg/includes/class-blc-links-list-table.php
@@ -1463,6 +1463,17 @@ protected function process_bulk_action() {
             return;
         }
 
+        if (!function_exists('blc_current_user_can_fix_links') || !blc_current_user_can_fix_links()) {
+            $notice = [
+                'message'      => __('Permissions insuffisantes pour effectuer cette action groupée.', 'liens-morts-detector-jlg'),
+                'type'         => 'error',
+                'announcement' => __('Action groupée annulée : permissions insuffisantes.', 'liens-morts-detector-jlg'),
+            ];
+
+            $this->redirect_after_bulk($notice);
+            return;
+        }
+
         $ids = $this->get_requested_bulk_ids();
 
         check_admin_referer('bulk-' . $this->_args['plural']);
diff --git a/liens-morts-detector-jlg/liens-morts-detector-jlg.php b/liens-morts-detector-jlg/liens-morts-detector-jlg.php
@@ -462,6 +462,10 @@ function blc_require_post_params(array $required_params) {
  * @return array|WP_Error
  */
 function blc_perform_link_update(array $args) {
+    if (!function_exists('blc_current_user_can_fix_links') || !blc_current_user_can_fix_links()) {
+        return new WP_Error('blc_forbidden', __('Permissions insuffisantes.', 'liens-morts-detector-jlg'), ['status' => BLC_HTTP_FORBIDDEN]);
+    }
+
     global $wpdb;
 
     $defaults = [
@@ -1272,6 +1276,10 @@ function blc_ajax_apply_detected_redirect_callback() {
 // Gère la dissociation d'un lien
 add_action('wp_ajax_blc_unlink', 'blc_ajax_unlink_callback');
 function blc_ajax_unlink_callback() {
+    if (!function_exists('blc_current_user_can_fix_links') || !blc_current_user_can_fix_links()) {
+        wp_send_json_error(['message' => __('Permissions insuffisantes.', 'liens-morts-detector-jlg')], BLC_HTTP_FORBIDDEN);
+    }
+
     check_ajax_referer('blc_unlink_nonce');
 
     $params = blc_require_post_params(['post_id', 'row_id', 'url_to_unlink']);
@@ -1401,6 +1409,10 @@ function blc_ajax_unlink_callback() {
 
 add_action('wp_ajax_blc_ignore_link', 'blc_ajax_ignore_link_callback');
 function blc_ajax_ignore_link_callback() {
+    if (!function_exists('blc_current_user_can_fix_links') || !blc_current_user_can_fix_links()) {
+        wp_send_json_error(['message' => __('Permissions insuffisantes.', 'liens-morts-detector-jlg')], BLC_HTTP_FORBIDDEN);
+    }
+
     check_ajax_referer('blc_ignore_link_nonce');
 
     $params = blc_require_post_params(['post_id', 'row_id', 'mode']);
@@ -1529,6 +1541,10 @@ function blc_ajax_ignore_link_callback() {
 
 add_action('wp_ajax_blc_recheck_link', 'blc_ajax_recheck_link_callback');
 function blc_ajax_recheck_link_callback() {
+    if (!function_exists('blc_current_user_can_fix_links') || !blc_current_user_can_fix_links()) {
+        wp_send_json_error(['message' => __('Permissions insuffisantes.', 'liens-morts-detector-jlg')], BLC_HTTP_FORBIDDEN);
+    }
+
     check_ajax_referer('blc_recheck_link_nonce');
 
     $params = blc_require_post_params(['post_id', 'row_id']);
diff --git a/tests/BlcAjaxCallbacksTest.php b/tests/BlcAjaxCallbacksTest.php
@@ -1,6 +1,42 @@
 <?php
 
 namespace {
+    if (!class_exists('WP_Error')) {
+        class WP_Error
+        {
+            /** @var string */
+            private $code;
+
+            /** @var string */
+            private $message;
+
+            /** @var mixed */
+            private $data;
+
+            public function __construct($code = '', $message = '', $data = null)
+            {
+                $this->code    = (string) $code;
+                $this->message = (string) $message;
+                $this->data    = $data;
+            }
+
+            public function get_error_code()
+            {
+                return $this->code;
+            }
+
+            public function get_error_message()
+            {
+                return $this->message;
+            }
+
+            public function get_error_data()
+            {
+                return $this->data;
+            }
+        }
+    }
+
     if (!function_exists('__')) {
         function __($text, $domain = null)
         {
@@ -396,6 +432,33 @@ public function test_edit_link_returns_error_when_required_param_is_missing(arra
         blc_ajax_edit_link_callback();
     }
 
+    public function test_perform_link_update_requires_fix_links_capability_even_if_user_can_edit_post(): void
+    {
+        Functions\when('blc_current_user_can_fix_links')->justReturn(false);
+        Functions\when('current_user_can')->alias(static function ($capability) {
+            return $capability === 'edit_post';
+        });
+
+        global $wpdb;
+        $wpdb = (object) ['prefix' => 'wp_'];
+
+        Functions\when('get_post')->justReturn(null);
+
+        $result = \blc_perform_link_update([
+            'post_id' => 21,
+            'row_id' => 21,
+            'row' => ['url' => 'http://example.com'],
+            'old_url' => 'http://example.com',
+            'new_url' => 'http://example.org',
+        ]);
+
+        $this->assertInstanceOf(\WP_Error::class, $result);
+        $this->assertSame('blc_forbidden', $result->get_error_code());
+        $data = $result->get_error_data('blc_forbidden');
+        $this->assertIsArray($data);
+        $this->assertSame(BLC_HTTP_FORBIDDEN, $data['status'] ?? null);
+    }
+
     public function unlinkMissingParamProvider(): array
     {
         return [
@@ -456,6 +519,23 @@ public function test_unlink_returns_error_when_required_param_is_missing(array $
         blc_ajax_unlink_callback();
     }
 
+    public function test_ajax_unlink_requires_fix_links_capability_even_if_user_can_edit_post(): void
+    {
+        Functions\when('blc_current_user_can_fix_links')->justReturn(false);
+        Functions\when('current_user_can')->alias(static function ($capability) {
+            return $capability === 'edit_post';
+        });
+        Functions\when('check_ajax_referer')->justReturn(true);
+        Functions\expect('wp_send_json_error')->once()->with([
+            'message' => 'Permissions insuffisantes.',
+        ], BLC_HTTP_FORBIDDEN)->andReturnUsing(static function () {
+            throw new \RuntimeException('unlink-forbidden');
+        });
+
+        $this->expectExceptionMessage('unlink-forbidden');
+        blc_ajax_unlink_callback();
+    }
+
     public function test_edit_link_denied_for_user_without_permission(): void
     {
         $_POST['post_id'] = 1;
@@ -2153,6 +2233,40 @@ public function test_unlink_scheme_relative_url_updates_content_and_database():
         $this->assertSame(['id' => 8], $wpdb->delete_args[1]);
         $this->assertSame(['%d'], $wpdb->delete_args[2]);
     }
+
+    public function test_ajax_ignore_requires_fix_links_capability_even_if_user_can_edit_post(): void
+    {
+        Functions\when('blc_current_user_can_fix_links')->justReturn(false);
+        Functions\when('current_user_can')->alias(static function ($capability) {
+            return $capability === 'edit_post';
+        });
+        Functions\when('check_ajax_referer')->justReturn(true);
+        Functions\expect('wp_send_json_error')->once()->with([
+            'message' => 'Permissions insuffisantes.',
+        ], BLC_HTTP_FORBIDDEN)->andReturnUsing(static function () {
+            throw new \RuntimeException('ignore-forbidden');
+        });
+
+        $this->expectExceptionMessage('ignore-forbidden');
+        blc_ajax_ignore_link_callback();
+    }
+
+    public function test_ajax_recheck_requires_fix_links_capability_even_if_user_can_edit_post(): void
+    {
+        Functions\when('blc_current_user_can_fix_links')->justReturn(false);
+        Functions\when('current_user_can')->alias(static function ($capability) {
+            return $capability === 'edit_post';
+        });
+        Functions\when('check_ajax_referer')->justReturn(true);
+        Functions\expect('wp_send_json_error')->once()->with([
+            'message' => 'Permissions insuffisantes.',
+        ], BLC_HTTP_FORBIDDEN)->andReturnUsing(static function () {
+            throw new \RuntimeException('recheck-forbidden');
+        });
+
+        $this->expectExceptionMessage('recheck-forbidden');
+        blc_ajax_recheck_link_callback();
+    }
 }
 
 }
