Social: Fix permissions for update/delete connections endpoints (#38187)

* Fix the permissions for the update and disconnect connections endpoint * Fix lints * Add changelog * Ensure that non-editors cannot mark/unmark connections as shared. * Fix up versions * Fallback to author permissions for update * Ensure that user_id exists on connection
Automattic · Jul 5, 2024 · 780144e · 780144e
1 parent 17aa73d
commit 780144e
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 8 deletions.
diff --git a/...ts/packages/publicize/changelog/fix-social-update-permissions-for-the-disconnect-endpoint b/...ts/packages/publicize/changelog/fix-social-update-permissions-for-the-disconnect-endpoint
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Social | Fixed the permissions for update and disconnection connections endpoints
diff --git a/projects/packages/publicize/package.json b/projects/packages/publicize/package.json
@@ -1,7 +1,7 @@
 {
 	"private": true,
 	"name": "@automattic/jetpack-publicize",
-	"version": "0.47.1",
+	"version": "0.47.2-alpha",
 	"description": "Publicize makes it easy to share your site’s posts on several social media networks automatically when you publish a new post.",
 	"homepage": "https://github.com/Automattic/jetpack/tree/HEAD/projects/packages/publicize/#readme",
 	"bugs": {

diff --git a/projects/packages/publicize/src/class-publicize.php b/projects/packages/publicize/src/class-publicize.php
@@ -254,7 +254,7 @@ public function get_all_connections_for_user( $args = array() ) {
 									'connection_id'  => $connection['connection_data']['id'],
 									'can_disconnect' => self::can_manage_connection( $connection['connection_data'] ),
 									'profile_link'   => $this->get_profile_link( $service_name, $connection ),
-									'shared'         => $connection['connection_data']['user_id'] === '0',
+									'shared'         => '0' === $connection['connection_data']['user_id'],
 									'status'         => 'ok',
 								)
 							);
@@ -491,7 +491,7 @@ public function refresh_connections() {
 		}
 
 		$connections = get_transient( self::JETPACK_SOCIAL_CONNECTIONS_TRANSIENT );
-		if ( $connections === false ) {
+		if ( false === $connections ) {
 			$xml = new Jetpack_IXR_Client();
 			$xml->query( 'jetpack.fetchPublicizeConnections' );
 			if ( ! $xml->isError() ) {
@@ -693,7 +693,7 @@ public function test_connection( $service_name, $connection ) {
 	public function post_is_done_sharing( $post_id = null ) {
 		// Defaults to current post if $post_id is null.
 		$post = get_post( $post_id );
-		if ( $post === null ) {
+		if ( null === $post ) {
 			return false;
 		}
 
@@ -708,7 +708,7 @@ public function post_is_done_sharing( $post_id = null ) {
 	 * @param WP_Post $post Post object.
 	 */
 	public function save_publicized( $post_ID, $post = null ) {
-		if ( $post === null ) {
+		if ( null === $post ) {
 			return;
 		}
 		// Only do this when a post transitions to being published.

diff --git a/projects/packages/publicize/src/class-rest-controller.php b/projects/packages/publicize/src/class-rest-controller.php
@@ -82,7 +82,7 @@ public function register_rest_routes() {
 
 		// Dismiss a notice.
 		// Flagged to be removed after deprecation.
-		// @deprecated $$next_version$$
+		// @deprecated $$next_version$$.
 		register_rest_route(
 			'jetpack/v4',
 			'/social/dismiss-notice',
@@ -146,7 +146,7 @@ public function register_rest_routes() {
 			array(
 				'methods'             => WP_REST_Server::EDITABLE,
 				'callback'            => array( $this, 'update_publicize_connection' ),
-				'permission_callback' => array( $this, 'require_author_privilege_callback' ),
+				'permission_callback' => array( $this, 'update_connection_permission_check' ),
 				'schema'              => array( $this, 'get_jetpack_social_connections_update_schema' ),
 			)
 		);
@@ -158,11 +158,61 @@ public function register_rest_routes() {
 			array(
 				'methods'             => WP_REST_Server::DELETABLE,
 				'callback'            => array( $this, 'delete_publicize_connection' ),
-				'permission_callback' => array( $this, 'require_author_privilege_callback' ),
+				'permission_callback' => array( $this, 'manage_connection_permission_check' ),
 			)
 		);
 	}
 
+	/**
+	 * Manage connection permission check
+	 *
+	 * @param WP_REST_Request $request The request object, which includes the parameters.
+	 *
+	 * @return bool True if the user can manage the connection, false otherwise.
+	 */
+	public function manage_connection_permission_check( WP_REST_Request $request ) {
+
+		if ( current_user_can( 'edit_others_posts' ) ) {
+			return true;
+		}
+
+		/**
+		 * Publicize instance.
+		 *
+		 * @var Publicize $publicize Publicize instance.
+		 */
+		global $publicize;
+
+		$connection = $publicize->get_connection_for_user( $request->get_param( 'connection_id' ) );
+
+		$owns_connection = isset( $connection['user_id'] ) && get_current_user_id() === (int) $connection['user_id'];
+
+		return $owns_connection;
+	}
+
+	/**
+	 * Update connection permission check.
+	 *
+	 * @param WP_REST_Request $request The request object, which includes the parameters.
+	 *
+	 * @return bool True if the user can update the connection, false otherwise.
+	 */
+	public function update_connection_permission_check( WP_REST_Request $request ) {
+
+		// If the user cannot manage the connection, they can't update it either.
+		if ( ! $this->manage_connection_permission_check( $request ) ) {
+			return false;
+		}
+
+		// If the connection is being marked/unmarked as shared.
+		if ( $request->has_param( 'shared' ) ) {
+			// Only editors and above can mark a connection as shared.
+			return current_user_can( 'edit_others_posts' );
+		}
+
+		return $this->require_author_privilege_callback();
+	}
+
 	/**
 	 * Only administrators can access the API.
 	 *