Test comment permissions for 44157

Author: adamsilverstein

tests/phpunit/tests/rest-api/rest-comments-controller.php

@@ -4133,4 +4133,86 @@ public function test_get_note_with_children_link() {
 		$this->assertStringContainsString( 'status=all', $children[0]['href'] );
 		$this->assertStringContainsString( 'type=note', $children[0]['href'] );
 	}
+	/**
+	 * Test comment permissions.
+	 *
+	 * @ticket 44157
+	 *
+	 * @return void
+	 */
+	public function test_get_items_type_arg() {
+		// Authorized admin user.
+		wp_set_current_user( self::$admin_id );
+		$comment_type_1 = 'annotation';
+		$comment_type_2 = 'discussion';
+		$comment_type_3 = 'note';
+		$args           = array(
+			'comment_approved' => 1,
+			'comment_post_ID'  => self::$post_id,
+			'user_id'          => self::$author_id,
+			'post_id'          => self::$post_id,
+		);
+
+		$count_1 = 5;
+		$args['comment_type'] = $comment_type_1;
+		for ( $i = 0; $i < $count_1; $i++ ) {
+			self::factory()->comment->create( $args );
+		}
+
+		$count_2 = 9;
+		$args['comment_type'] = $comment_type_2;
+		for ( $i = 0; $i < $count_2; $i++ ) {
+			self::factory()->comment->create( $args );
+		}
+
+		$count_3 = 3;
+		$args['comment_type'] = $comment_type_3;
+		for ( $i = 0; $i < $count_3; $i++ ) {
+			self::factory()->comment->create( $args );
+		}
+
+		$request = new WP_REST_Request( 'GET', '/wp/v2/comments' );
+		$request->set_param( 'type', $comment_type_1 );
+
+		// Admin user and no type gets the two comments of comment type 'all' (the default).
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+		$comments = $response->get_data();
+		$this->assertCount( $count_1, $comments );
+
+		$request->set_param( 'type', $comment_type_2 );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+		$comments = $response->get_data();
+		$this->assertCount( $count_2, $comments );
+		$comment_type_ids = wp_list_pluck( $comments, 'id' ); // So we can iterate through them later :) .
+
+		$request->set_param( 'type', $comment_type_3 );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+		$comments = $response->get_data();
+		$this->assertCount( $count_3, $comments );
+
+		// Unset the current user.
+		wp_set_current_user( null );
+
+		$request->set_param( 'type', 'comments' );
+		$request->set_param( 'per_page', self::$per_page );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertEquals( 401, $response->get_status() );
+		$comments = $response->get_data();
+		$this->assertErrorResponse( 'rest_forbidden_param', $response, 401 );
+
+		$request->set_param( 'type', $comment_type_2 );
+		$response = rest_get_server()->dispatch( $request );
+		$comments = $response->get_data();
+		$this->assertErrorResponse( 'rest_forbidden_param', $response, 401 );
+
+		// But the unauthenticated user can see them at their individual endpoints.
+		foreach ( $comment_type_ids as $comment_type_id ) {
+			$request  = new WP_REST_Request( 'GET', sprintf( '/wp/v2/comments/%d', $comment_type_id ) );
+			$response = rest_get_server()->dispatch( $request );
+			$this->assertEquals( 401, $response->get_status() );
+		}
+	}
 }