From 93f2d05fd4b4f58182798bc5956ea2cda9e2191b Mon Sep 17 00:00:00 2001 From: Paul Kilmurray Date: Sat, 13 Jan 2024 18:05:58 +0100 Subject: [PATCH] add test for taxes endpoint as cashier role --- includes/API/Orders_Controller.php | 1 + includes/API/Taxes_Controller.php | 52 +++++++++----------- tests/includes/API/Test_Taxes_Controller.php | 22 ++++++++- tests/mockable-functions.php | 2 +- 4 files changed, 45 insertions(+), 32 deletions(-) diff --git a/includes/API/Orders_Controller.php b/includes/API/Orders_Controller.php index 7ebbbf5..d26de41 100644 --- a/includes/API/Orders_Controller.php +++ b/includes/API/Orders_Controller.php @@ -12,6 +12,7 @@ use WC_Email_Customer_Invoice; use WC_Abstract_Order; use WC_Order_Query; +use WC_Order_Item; use WC_REST_Orders_Controller; use WCPOS\WooCommercePOS\Logger; use WP_REST_Request; diff --git a/includes/API/Taxes_Controller.php b/includes/API/Taxes_Controller.php index c03fad1..67c7e56 100644 --- a/includes/API/Taxes_Controller.php +++ b/includes/API/Taxes_Controller.php @@ -39,7 +39,6 @@ class Taxes_Controller extends WC_REST_Taxes_Controller { */ public function __construct() { add_filter( 'woocommerce_pos_rest_dispatch_taxes_request', array( $this, 'wcpos_dispatch_request' ), 10, 4 ); - add_filter( 'woocommerce_rest_check_permissions', array( $this, 'check_permissions' ) ); if ( method_exists( parent::class, '__construct' ) ) { parent::__construct(); 
@@ -47,17 +46,32 @@ public function __construct() { } /** - * Check if the current user can view the taxes. - * Note: WC REST API currently requires manage_woocommerce capability to access the endpoint (even for read only). - * This would stop the Cashier role from being able to view the taxes, so we check for read_private_products instead. + * Check whether a given request has permission to read taxes. * - * @param mixed $permission + * @param WP_REST_Request $request Full details about the request. + * @return WP_Error|boolean + */ + public function get_items_permissions_check( $request ) { + $permission = parent::get_items_permissions_check( $request ); + + if ( is_wp_error( $permission ) && current_user_can( 'read_private_products' ) ) { + return true; + } + + return $permission; + } + + /** + * Check if a given request has access to read a tax. * - * @return bool + * @param WP_REST_Request $request Full details about the request. + * @return WP_Error|boolean */ - public function check_permissions( $permission ) { - if ( ! $permission ) { - return current_user_can( 'read_private_products' ); + public function get_item_permissions_check( $request ) { + $permission = parent::get_items_permissions_check( $request ); + + if ( is_wp_error( $permission ) && current_user_can( 'read_private_products' ) ) { + return true; } return $permission; 
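Review bot: The new `get_item_permissions_check()` calls `parent::get_items_permissions_check( $request )` (plural), whereas the version this commit removes further down called `parent::get_item_permissions_check( $request )`. This looks like a copy-paste slip; the single-item override should read `$permission = parent::get_item_permissions_check( $request );`. Both overrides also turn any `WP_Error` from the parent into `true` for a user with `read_private_products`, so if the parent can fail for a reason other than a missing capability (its body is not visible here), that error would be masked. The new docblocks drop the reason for the fallback; a line such as `// WC requires manage_woocommerce even for reads; cashiers only hold read_private_products.` would keep the widened access deliberate and auditable. The closing brace of `get_item_permissions_check()` lies outside the hunk.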
@@ -180,26 +194,6 @@ private function wcpos_insert_tax_where_clause( $query, $condition ) { return $query; } - /** - * Check if the current user can view the taxes. - * Note: WC REST API currently requires manage_woocommerce capability to access the endpoint (even for read only). - * This would stop the Cashier role from being able to view the taxes, so we check for read_private_products instead. - * - * @param WP_REST_Request $request - * - * @return bool|WP_Error - */ - public function get_item_permissions_check( $request ) { - // no typing when overriding parent method - $permission = parent::get_item_permissions_check( $request ); - - if ( ! $permission && current_user_can( 'read_private_products' ) ) { - return true; - } - - return $permission; - } - /** * Returns array of all tax_rate ids. * diff --git a/tests/includes/API/Test_Taxes_Controller.php b/tests/includes/API/Test_Taxes_Controller.php index 005668c..eece4d3 100644 --- a/tests/includes/API/Test_Taxes_Controller.php +++ b/tests/includes/API/Test_Taxes_Controller.php @@ -64,7 +64,7 @@ public function get_expected_response_fields() { ); } - public function test_product_category_api_get_all_fields(): void { + public function test_taxes_api_get_all_fields(): void { $expected_response_fields = $this->get_expected_response_fields(); $tax_id = TaxHelper::create_tax_rate( @@ -87,7 +87,7 @@ public function test_product_category_api_get_all_fields(): void { $this->assertEmpty( array_diff( $response_fields, $expected_response_fields ), 'These fields were not expected in the WCPOS API response: ' . print_r( array_diff( $response_fields, $expected_response_fields ), true ) ); } - public function test_product_category_api_get_all_ids(): void { + public function test_taxes_api_get_all_ids(): void { $gb_tax_ids = TaxHelper::create_sample_tax_rates_GB(); $us_tax_ids = TaxHelper::create_sample_tax_rates_US(); 
@@ -106,6 +106,24 @@ public function test_product_category_api_get_all_ids(): void { $this->assertEqualsCanonicalizing( array_merge( $gb_tax_ids, $us_tax_ids ), $ids ); } + /** + * The Tax endpoint is not accessible by cashiers by default. + */ + public function test_taxes_api_get_for_cashier() { + $cashier_user_id = $this->factory->user->create( array( 'role' => 'cashier' ) ); + wp_set_current_user( $cashier_user_id ); + + $gb_tax_ids = TaxHelper::create_sample_tax_rates_GB(); + $request = $this->wp_rest_get_request( '/wcpos/v1/taxes' ); + $response = $this->server->dispatch( $request ); + $this->assertEquals( 200, $response->get_status() ); + + $data = $response->get_data(); + $this->assertEquals( 3, \count( $data ) ); + + wp_set_current_user( 0 ); + } + /** * The WC REST API does not support the include param. * This test is to ensure that the include param is supported in the WCPOS API. diff --git a/tests/mockable-functions.php b/tests/mockable-functions.php index e841468..56f2496 100644 --- a/tests/mockable-functions.php +++ b/tests/mockable-functions.php @@ -6,7 +6,7 @@ */ return array( - 'current_user_can', + // 'current_user_can', 'get_bloginfo', 'get_woocommerce_currencies', 'get_woocommerce_currency_symbol',
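Review bot: `test_taxes_api_get_for_cashier()` only proves that the relaxed permission check lets a cashier in. Nothing here checks that a logged-in user without `read_private_products` is still refused, and the single-tax route, whose override also changed in Taxes_Controller.php, is not exercised. A negative test like the one below would pin the boundary; it assumes the stock `subscriber` role lacks the capability and that the denial comes back as 401 or 403. The expected count is also hard-coded as `3`; `$this->assertCount( \count( $gb_tax_ids ), $data );` would tie it to the fixture. The method lacks the `: void` return type its siblings declare.

```php
/**
 * Users without read_private_products must still be refused.
 */
public function test_taxes_api_get_denied_without_capability(): void {
	$subscriber_id = $this->factory->user->create( array( 'role' => 'subscriber' ) );
	wp_set_current_user( $subscriber_id );

	$request  = $this->wp_rest_get_request( '/wcpos/v1/taxes' );
	$response = $this->server->dispatch( $request );

	// Denial status depends on how the parent controller reports it.
	$this->assertContains( $response->get_status(), array( 401, 403 ) );

	wp_set_current_user( 0 );
}
```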
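Review bot: In tests/mockable-functions.php, `'current_user_can'` is commented out rather than removed, and no reason is given. If the entry was dropped so that the new permission overrides run against real role capabilities (inferred, not stated in the hunk), either delete the line or say so. A comment such as `// current_user_can is deliberately not mocked: permission checks must use real role capabilities.` would stop a later change from re-adding the mock and silently bypassing the cashier test.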