test single comment endpoint permissions

Author: adamsilverstein

tests/phpunit/tests/rest-api/rest-comments-controller.php

@@ -4137,16 +4137,13 @@ public function test_get_note_with_children_link() {
 	 * Test comment permissions.
 	 *
 	 * @ticket 44157
-	 *
-	 * @return void
 	 */
 	public function test_get_items_type_arg() {
-		// Authorized admin user.
 		wp_set_current_user( self::$admin_id );
-		$comment_type_1 = 'annotation';
-		$comment_type_2 = 'discussion';
-		$comment_type_3 = 'note';
-		$args           = array(
+		$comment_type_1    = 'annotation';
+		$comment_type_2    = 'discussion';
+		$note_comment_type = 'note';
+		$args              = array(
 			'comment_approved' => 1,
 			'comment_post_ID'  => self::$post_id,
 			'user_id'          => self::$author_id,
@@ -4166,15 +4163,14 @@ public function test_get_items_type_arg() {
 		}
 
 		$count_3 = 3;
-		$args['comment_type'] = $comment_type_3;
+		$args['comment_type'] = $note_comment_type;
 		for ( $i = 0; $i < $count_3; $i++ ) {
 			self::factory()->comment->create( $args );
 		}
 
 		$request = new WP_REST_Request( 'GET', '/wp/v2/comments' );
 		$request->set_param( 'type', $comment_type_1 );
 
-		// Admin user and no type gets the two comments of comment type 'all' (the default).
 		$response = rest_get_server()->dispatch( $request );
 		$this->assertEquals( 200, $response->get_status() );
 		$comments = $response->get_data();
@@ -4185,16 +4181,17 @@ public function test_get_items_type_arg() {
 		$this->assertEquals( 200, $response->get_status() );
 		$comments = $response->get_data();
 		$this->assertCount( $count_2, $comments );
-		$comment_type_ids = wp_list_pluck( $comments, 'id' ); // So we can iterate through them later :) .
+		$comment_type_ids = wp_list_pluck( $comments, 'id' );
 
-		$request->set_param( 'type', $comment_type_3 );
+		$request->set_param( 'type', $note_comment_type );
 		$response = rest_get_server()->dispatch( $request );
 		$this->assertEquals( 200, $response->get_status() );
 		$comments = $response->get_data();
 		$this->assertCount( $count_3, $comments );
+		$note_type_ids = wp_list_pluck( $comments, 'id' );
 
-		// Unset the current user.
-		wp_set_current_user( null );
+		// Log out the current user.
+		wp_logout();
 
 		$request->set_param( 'type', 'comments' );
 		$request->set_param( 'per_page', self::$per_page );
@@ -4203,12 +4200,19 @@ public function test_get_items_type_arg() {
 		$comments = $response->get_data();
 		$this->assertErrorResponse( 'rest_forbidden_param', $response, 401 );
 
-		$request->set_param( 'type', $comment_type_2 );
+		$request->set_param( 'comment_type', $comment_type_2 );
 		$response = rest_get_server()->dispatch( $request );
 		$comments = $response->get_data();
 		$this->assertErrorResponse( 'rest_forbidden_param', $response, 401 );
 
-		// But the unauthenticated user can see them at their individual endpoints.
+		$request->set_param( 'comment_type', $note_comment_type );
+		foreach( $note_type_ids as $note_type_id ) {
+			$request  = new WP_REST_Request( 'GET', sprintf( '/wp/v2/comments/%d', $note_type_id ) );
+			$response = rest_get_server()->dispatch( $request );
+			$this->assertEquals( 401, $response->get_status() );
+		}
+
+		// Custom comment types should also not be visible to unauthenticated users.
 		foreach ( $comment_type_ids as $comment_type_id ) {
 			$request  = new WP_REST_Request( 'GET', sprintf( '/wp/v2/comments/%d', $comment_type_id ) );
 			$response = rest_get_server()->dispatch( $request );