Add missing auth checks and tests for Ajax action

westonruter · westonruter · commit eeaea9066c0e · 2025-08-15T19:10:06.000-07:00
diff --git a/plugins/performance-lab/includes/site-health/audit-enqueued-assets/helper.php b/plugins/performance-lab/includes/site-health/audit-enqueued-assets/helper.php
@@ -200,6 +200,12 @@ function perflab_aea_enqueued_blocking_assets_test(): array {
  * @since n.e.x.t
  */
 function perflab_aea_enqueued_ajax_blocking_assets_test(): void {
+	check_ajax_referer( 'health-check-site-status' );
+
+	if ( ! current_user_can( 'view_site_health_checks' ) ) {
+		wp_send_json_error();
+	}
+
 	wp_send_json_success( perflab_aea_enqueued_blocking_assets_test() );
 }
 
diff --git a/plugins/performance-lab/tests/includes/site-health/audit-enqueued-assets/test-audit-enqueued-assets-helper.php b/plugins/performance-lab/tests/includes/site-health/audit-enqueued-assets/test-audit-enqueued-assets-helper.php
@@ -6,12 +6,20 @@
  * @group audit-enqueued-assets
  */
 
-class Test_Audit_Enqueued_Assets_Helper extends WP_UnitTestCase {
+class Test_Audit_Enqueued_Assets_Helper extends WP_Ajax_UnitTestCase {
 
 	const WARNING_SCRIPTS_THRESHOLD = 31;
 
 	const WARNING_STYLES_THRESHOLD = 11;
 
+	/**
+	 * Set up.
+	 */
+	public function set_up(): void {
+		parent::set_up();
+		remove_action( 'wp_print_styles', 'print_emoji_styles' );
+	}
+
 	/**
 	 * Tear down.
 	 */
@@ -269,6 +277,64 @@ public function test_perflab_aea_enqueued_blocking_assets_test_but_one_style_is_
 		$this->assertStringContainsString( 'Not found', $test['description'] );
 	}
 
+	/**
+	 * Tests perflab_aea_enqueued_ajax_blocking_assets_test
+	 *
+	 * @covers ::perflab_aea_enqueued_ajax_blocking_assets_test
+	 */
+	public function test_perflab_aea_enqueued_ajax_blocking_assets_test_unauthenticated_without_nonce(): void {
+		$this->add_filter_to_mock_front_page_loopback_request();
+		$this->expectException( WPAjaxDieStopException::class );
+		$this->_handleAjax( 'health-check-enqueued-blocking-assets-test' );
+		$response = json_decode( $this->_last_response, true );
+		$this->assertArrayHasKey( 'success', $response );
+		$this->assertFalse( $response['success'] );
+	}
+
+	/**
+	 * Tests perflab_aea_enqueued_ajax_blocking_assets_test
+	 *
+	 * @covers ::perflab_aea_enqueued_ajax_blocking_assets_test
+	 */
+	public function test_perflab_aea_enqueued_ajax_blocking_assets_test_unauthenticated_with_nonce(): void {
+		$this->add_filter_to_mock_front_page_loopback_request();
+		$_GET['_wpnonce'] = wp_create_nonce( 'health-check-site-status' );
+		$this->expectException( WPAjaxDieContinueException::class );
+		$this->_handleAjax( 'health-check-enqueued-blocking-assets-test' );
+		$response = json_decode( $this->_last_response, true );
+		$this->assertFalse( $response['success'] );
+	}
+
+	/**
+	 * Tests perflab_aea_enqueued_ajax_blocking_assets_test
+	 *
+	 * @covers ::perflab_aea_enqueued_ajax_blocking_assets_test
+	 */
+	public function test_perflab_aea_enqueued_ajax_blocking_assets_test_unauthorized(): void {
+		$this->add_filter_to_mock_front_page_loopback_request();
+		wp_set_current_user( self::factory()->user->create( array( 'role' => 'subscriber' ) ) );
+		$_GET['_wpnonce'] = wp_create_nonce( 'health-check-site-status' );
+		$this->expectException( WPAjaxDieContinueException::class );
+		$this->_handleAjax( 'health-check-enqueued-blocking-assets-test' );
+		$response = json_decode( $this->_last_response, true );
+		$this->assertFalse( $response['success'] );
+	}
+
+	/**
+	 * Tests perflab_aea_enqueued_ajax_blocking_assets_test
+	 *
+	 * @covers ::perflab_aea_enqueued_ajax_blocking_assets_test
+	 */
+	public function test_perflab_aea_enqueued_ajax_blocking_assets_test_authorized(): void {
+		$this->add_filter_to_mock_front_page_loopback_request();
+		wp_set_current_user( self::factory()->user->create( array( 'role' => 'administrator' ) ) );
+		$_GET['_wpnonce'] = wp_create_nonce( 'health-check-site-status' );
+		$this->expectException( WPAjaxDieContinueException::class );
+		$this->_handleAjax( 'health-check-enqueued-blocking-assets-test' );
+		$response = json_decode( $this->_last_response, true );
+		$this->assertTrue( $response['success'] );
+	}
+
 	/**
 	 * Test perflab_aea_enqueued_blocking_scripts() with scripts less than WARNING_SCRIPTS_threshold.
 	 *
@@ -514,4 +580,41 @@ public function mock_data_perflab_aea_enqueued_css_assets_test_callback( int $nu
 		}
 		return Site_Health_Mock_Responses::return_aea_enqueued_css_assets_test_callback_more_than_threshold( $number_of_assets );
 	}
+
+	/**
+	 * Add filter to intercept loopback requests.
+	 */
+	public function add_filter_to_mock_front_page_loopback_request(): void {
+		add_filter(
+			'pre_http_request',
+			static function ( $r, $args, $url ) {
+				if ( home_url( '/' ) === remove_query_arg( 'cache_bust', $url ) ) {
+					$r = array(
+						'response' => array(
+							'status'  => 200,
+							'message' => 'OK',
+						),
+						'body'     => '<html></html>',
+						'headers'  => array(
+							'Content-Type' => 'text/html',
+						),
+					);
+				} else {
+					$r = array(
+						'response' => array(
+							'status'  => 503,
+							'message' => "Oh no you didn't",
+						),
+						'body'     => 'NO WAY',
+						'headers'  => array(
+							'Content-Type' => 'text/plain',
+						),
+					);
+				}
+				return $r;
+			},
+			10,
+			3
+		);
+	}
 }
