Restrict settings page to admins with manage_options

Updated Settings_Page::init() to require both is_admin() and current_user_can('manage_options'). Added and updated unit tests to verify correct behavior for users with and without the required capability.

Author: colinmurphy

plugins/hwp-previews/src/Admin/Settings_Page.php

@@ -58,7 +58,7 @@ protected function __construct() {
 	 * Initializes the settings page.
 	 */
 	public static function init(): ?Settings_Page {
-		if ( ! is_admin() ) {
+		if ( ! is_admin() || ! current_user_can( 'manage_options' ) ) {
 			return null;
 		}
 		if ( ! isset( self::$instance ) || ! ( is_a( self::$instance, self::class ) ) ) {

plugins/hwp-previews/tests/wpunit/Admin/SettingsPageTest.php

@@ -21,6 +21,12 @@ public function in_admin( $context = null ) {
 				return $context === 'user';
 			}
 		};
+
+		// Reset the instance before each test
+		$reflection       = new ReflectionClass( Settings_Page::class );
+		$instanceProperty = $reflection->getProperty( 'instance' );
+		$instanceProperty->setAccessible( true );
+		$instanceProperty->setValue( null );
 	}
 
 	public function tearDown() : void {
@@ -29,13 +35,40 @@ public function tearDown() : void {
 		parent::tearDown();
 	}
 
+	public function test_init_returns_null_if_not_admin() {
+		// Unset the admin screen mock
+		unset( $GLOBALS['current_screen'] );
+
+		$instance = Settings_Page::init();
+		$this->assertNull( $instance, 'Settings_Page::init() should return null if not in admin.' );
+	}
+
+	public function test_init_returns_null_for_user_without_manage_options_cap() {
+		$user_id = self::factory()->user->create( [ 'role' => 'subscriber' ] );
+		wp_set_current_user( $user_id );
+
+		$instance = Settings_Page::init();
+		$this->assertNull( $instance, 'Settings_Page::init() should return null for users without manage_options capability.' );
+	}
+
+	public function test_init_returns_instance_for_user_with_manage_options_cap() {
+		$user_id = self::factory()->user->create( [ 'role' => 'administrator' ] );
+		wp_set_current_user( $user_id );
+
+		$instance = Settings_Page::init();
+		$this->assertInstanceOf( Settings_Page::class, $instance, 'Settings_Page::init() should return an instance for users with manage_options capability.' );
+	}
+
 	public function test_settings_page_instance() {
 		$reflection       = new ReflectionClass( Settings_Page::class );
 		$instanceProperty = $reflection->getProperty( 'instance' );
 		$instanceProperty->setAccessible( true );
-		$instanceProperty->setValue( null );
 
 		$this->assertNull( $instanceProperty->getValue() );
+
+		// To pass the capability check
+		$user_id = self::factory()->user->create( [ 'role' => 'administrator' ] );
+		wp_set_current_user( $user_id );
 		$instance = Settings_Page::init();
 
 		$this->assertInstanceOf( Settings_Page::class, $instanceProperty->getValue() );
@@ -44,7 +77,11 @@ public function test_settings_page_instance() {
 
 	public function test_get_current_tab() {
 		$_GET['attachment'] = 'attachment';
-		$settings_page      = Settings_Page::init();
+
+		// To pass the capability check
+		$user_id = self::factory()->user->create( [ 'role' => 'administrator' ] );
+		wp_set_current_user( $user_id );
+		$settings_page = Settings_Page::init();
 
 		$post_preview_service = new Post_Preview_Service();
 		$post_types           = $post_preview_service->get_post_types();
@@ -61,6 +98,9 @@ public function test_get_current_tab() {
 	}
 
 	public function test_register_hooks() {
+		// To pass the capability check
+		$user_id = self::factory()->user->create( [ 'role' => 'administrator' ] );
+		wp_set_current_user( $user_id );
 		$settings_page = Settings_Page::init();
 		$this->assertNull( $settings_page->register_settings_page() );
 		$this->assertNull( $settings_page->register_settings_fields() );