From e03124bf3ef35d3552120b770237c1c650a831ba Mon Sep 17 00:00:00 2001 From: Colin Date: Thu, 25 Jan 2024 14:37:45 +0100 Subject: [PATCH 1/3] (chore): code style --- src/Base/Repositories/AbstractRepository.php | 22 +++++-------------- .../RestAPI/Controllers/BaseController.php | 14 ++++++------ src/Base/RestAPI/SharedFields/ItemsField.php | 6 ++--- 3 files changed, 16 insertions(+), 26 deletions(-) diff --git a/src/Base/Repositories/AbstractRepository.php b/src/Base/Repositories/AbstractRepository.php index 2fa8e71..c7a8532 100644 --- a/src/Base/Repositories/AbstractRepository.php +++ b/src/Base/Repositories/AbstractRepository.php @@ -7,11 +7,11 @@ namespace OWC\PDC\Base\Repositories; use Closure; -use WP_Post; -use WP_Query; +use OWC\PDC\Base\Exceptions\PropertyNotExistsException; use OWC\PDC\Base\Support\CreatesFields; use OWC\PDC\Base\Support\Traits\QueryHelpers; -use OWC\PDC\Base\Exceptions\PropertyNotExistsException; +use WP_Post; +use WP_Query; /** * PDC item object with default quering and methods. @@ -98,8 +98,6 @@ public function __construct() /** * Get all the items from the database. - * - * @return array */ public function all(): array { @@ -114,12 +112,8 @@ public function all(): array /** * Find a particular pdc item by ID. - * - * @param int $id - * - * @return array */ - public function find(int $id) + public function find(int $id): ?array { $args = array_merge($this->queryArgs, [ 'p' => $id, @@ -137,12 +131,8 @@ public function find(int $id) /** * Find a particular pdc item by slug. - * - * @param string $slug - * - * @return array|null */ - public function findBySlug(string $slug) + public function findBySlug(string $slug): ?array { $args = array_merge($this->queryArgs, [ 'name' => $slug, 
@@ -273,7 +263,7 @@ public function transform(WP_Post $post) 'date' => $post->post_date, 'slug' => $post->post_name, 'post_status' => $post->post_status, - 'protected' => ! $this->isAllowed($post) + 'protected' => ! $this->isAllowed($post), ]; $data = $this->assignFields($data, $post); diff --git a/src/Base/RestAPI/Controllers/BaseController.php b/src/Base/RestAPI/Controllers/BaseController.php index ec0b5b8..486b67e 100644 --- a/src/Base/RestAPI/Controllers/BaseController.php +++ b/src/Base/RestAPI/Controllers/BaseController.php @@ -6,9 +6,9 @@ namespace OWC\PDC\Base\RestAPI\Controllers; +use OWC\PDC\Base\Foundation\Plugin; use WP_Query; use WP_REST_Request; -use OWC\PDC\Base\Foundation\Plugin; /** * Controller which handels general quering, such as pagination. @@ -39,14 +39,14 @@ protected function addPaginator(array $data, WP_Query $query): array $page = 0 == $page ? 1 : $page; return array_merge([ - 'data' => $data + 'data' => $data, ], [ 'pagination' => [ - 'total_count' => (int) $query->found_posts, - 'total_pages' => $query->max_num_pages, + 'total_count' => (int) $query->found_posts, + 'total_pages' => $query->max_num_pages, 'current_page' => $page, - 'limit' => $query->get('posts_per_page') - ] + 'limit' => $query->get('posts_per_page'), + ], ]); } @@ -57,7 +57,7 @@ protected function getPaginatorParams(WP_REST_Request $request, int $limit = 10) { return [ 'posts_per_page' => $request->get_param('limit') ?: $limit, - 'paged' => $request->get_param('page') ?: 0 + 'paged' => $request->get_param('page') ?: 0, ]; } diff --git a/src/Base/RestAPI/SharedFields/ItemsField.php b/src/Base/RestAPI/SharedFields/ItemsField.php index 22d36bd..3988c34 100644 --- a/src/Base/RestAPI/SharedFields/ItemsField.php +++ b/src/Base/RestAPI/SharedFields/ItemsField.php 
@@ -6,10 +6,10 @@ namespace OWC\PDC\Base\RestAPI\SharedFields; -use WP_Post; -use OWC\PDC\Base\Support\Traits\QueryHelpers; -use OWC\PDC\Base\Support\Traits\CheckPluginActive; use OWC\PDC\Base\RestAPI\ItemFields\ConnectedField; +use OWC\PDC\Base\Support\Traits\CheckPluginActive; +use OWC\PDC\Base\Support\Traits\QueryHelpers; +use WP_Post; /** * Adds connected fields to item in API. From 55072302575150aa554bd37b8b92927c8ea6f983 Mon Sep 17 00:00:00 2001 From: Colin Date: Thu, 25 Jan 2024 14:50:47 +0100 Subject: [PATCH 2/3] (feat): ItemController: allow additional query params --- .../RestAPI/Controllers/ItemController.php | 40 ++++++++++++++----- 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/src/Base/RestAPI/Controllers/ItemController.php b/src/Base/RestAPI/Controllers/ItemController.php index b4fa406..2c88c3d 100644 --- a/src/Base/RestAPI/Controllers/ItemController.php +++ b/src/Base/RestAPI/Controllers/ItemController.php 
@@ -50,22 +50,40 @@ public function getItems(WP_REST_Request $request): array */ protected function convertParameters(array $parametersFromRequest): array { - $parameters = []; - - if (isset($parametersFromRequest['name'])) { - $parameters['name'] = esc_attr($parametersFromRequest['name']); + $allowedQueryParams = [ + 'name', + 'include-connected', + 'slug', + 'id', + 'p', + 'tax_query', + 'meta_query', + 'post_type', + 'post_status', + ]; + + $parameters = array_filter( + $parametersFromRequest, + static function ($param) use ($allowedQueryParams) { + return in_array($param, $allowedQueryParams, true); + }, + ARRAY_FILTER_USE_KEY + ); + + if (isset($parameters['name'])) { + $parameters['name'] = esc_attr($parameters['name']); } - $parameters['include-connected'] = (isset($parametersFromRequest['include-connected'])) ? true : false; + $parameters['include-connected'] = (isset($parameters['include-connected'])) ? true : false; - if (isset($parametersFromRequest['slug'])) { - $parameters['name'] = esc_attr($parametersFromRequest['slug']); - unset($parametersFromRequest['slug']); + if (isset($parameters['slug'])) { + $parameters['name'] = esc_attr($parameters['slug']); + unset($parameters['slug']); } - if (isset($parametersFromRequest['id'])) { - $parameters['p'] = absint($parametersFromRequest['id']); - unset($parametersFromRequest['slug']); + if (isset($parameters['id'])) { + $parameters['p'] = absint($parameters['id']); + unset($parameters['id']); } return $parameters; From d7f0c4f5f3f94d018bf4fa5789f35b91fd71ddc0 Mon Sep 17 00:00:00 2001 From: Colin Date: Thu, 25 Jan 2024 14:55:40 +0100 Subject: [PATCH 3/3] (fix): validate post_status --- src/Base/Repositories/AbstractRepository.php | 29 ++++++++++++++++++-- src/Base/RestAPI/SharedFields/ItemsField.php | 6 +++- 2 files changed, 31 insertions(+), 4 deletions(-) diff --git a/src/Base/Repositories/AbstractRepository.php b/src/Base/Repositories/AbstractRepository.php index c7a8532..6e16caf 100644 
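Review bot: The new allow-list forwards `meta_query`, `tax_query` and `post_type` from the request straight into the WP_Query arguments with no validation, so an anonymous REST caller can filter the listing on arbitrary post meta keys and values (a value-guessing oracle for meta that is never rendered, e.g. with `'compare' => 'LIKE'`) or arbitrary taxonomies, and, depending on how `getItems()` merges these into the repository's `queryArgs` (not shown here), widen the query beyond the repository's own post type. `p` is also passed through raw while `id` goes through `absint()`, and `esc_attr()` is an HTML-attribute escaper rather than a sanitiser for the `name` query var, for which `sanitize_title()` is the matching WordPress helper. I would drop `meta_query`, `tax_query` and `post_type` from the list (or map them onto a fixed set of known keys and taxonomies) and coerce `p` the same way as `id`; `post_status` can stay since the following commit clamps it in the repository. The method's closing brace falls outside the hunk.
```php
$allowedQueryParams = [
    'name',
    'include-connected',
    'slug',
    'id',
    'p',
    'post_status',
];

// … unchanged: array_filter on keys …

if (isset($parameters['name'])) {
    $parameters['name'] = sanitize_title($parameters['name']);
}

// … unchanged: include-connected, slug and id handling …

if (isset($parameters['p'])) {
    $parameters['p'] = absint($parameters['p']);
}
```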
--- a/src/Base/Repositories/AbstractRepository.php +++ b/src/Base/Repositories/AbstractRepository.php @@ -105,7 +105,7 @@ public function all(): array 'post_type' => [$this->posttype], ]); - $this->query = new WP_Query($args); + $this->query = new WP_Query($this->validatePostStatusParam($args)); return array_map([$this, 'transform'], $this->getQuery()->posts); } @@ -120,7 +120,7 @@ public function find(int $id): ?array 'post_type' => [$this->posttype], ]); - $this->query = new WP_Query($args); + $this->query = new WP_Query($this->validatePostStatusParam($args)); if (empty($this->getQuery()->posts)) { return null; @@ -139,7 +139,7 @@ public function findBySlug(string $slug): ?array 'post_type' => [$this->posttype], ]); - $this->query = new WP_Query($args); + $this->query = new WP_Query($this->validatePostStatusParam($args)); if (empty($this->getQuery()->posts)) { return null; @@ -148,6 +148,29 @@ public function findBySlug(string $slug): ?array return $this->transform(reset($this->getQuery()->posts)); } + protected function validatePostStatusParam(array $args): array + { + if (empty($args['post_status'])) { + return $args; + } + + if (! is_string($args['post_status']) && ! is_array($args['post_status'])) { + unset($args['post_status']); + + return $args; + } + + if (is_string($args['post_status'])) { + $args['post_status'] = [$args['post_status']]; + } + + if (! \is_user_logged_in()) { + $args['post_status'] = ['publish']; + } + + return $args; + } + /** * Get the WP_Query object. * diff --git a/src/Base/RestAPI/SharedFields/ItemsField.php b/src/Base/RestAPI/SharedFields/ItemsField.php index 3988c34..7d62f2a 100644 --- a/src/Base/RestAPI/SharedFields/ItemsField.php +++ b/src/Base/RestAPI/SharedFields/ItemsField.php 
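Review bot: `validatePostStatusParam` treats authentication as authorisation: once `is_user_logged_in()` is true every requested status (`draft`, `pending`, `private`, `future`, `trash`) is handed to WP_Query unchanged, so a subscriber-level account can list unpublished items of `$this->posttype`, and as far as I recall WP_Query only applies capability scoping to explicitly requested statuses when `perm` is set, which makes this helper the only gate. The decision should be a capability tied to the post type rather than login state; `get_post_type_object($this->posttype)->cap` gives the right capability names and `edit_others_posts` is the conservative choice for seeing other people's unpublished items (which capability is really intended depends on what the endpoint is for). Array elements are also never checked to be strings, so I would filter them before the capability test and fall back to `['publish']` if nothing survives. Since `all()`, `find()` and `findBySlug()` all route through this helper, fixing it here covers all three.
```php
protected function validatePostStatusParam(array $args): array
{
    // … unchanged: empty guard and non-string/non-array guard …

    $requested = array_values(array_filter((array) $args['post_status'], 'is_string'));

    // Being logged in is not enough to read unpublished items; gate
    // non-public statuses on the post type's own capabilities.
    $typeObject = \get_post_type_object($this->posttype);
    $canReadUnpublished = $typeObject !== null
        && \current_user_can($typeObject->cap->edit_others_posts);

    $args['post_status'] = $canReadUnpublished
        ? ($requested ?: ['publish'])
        : ['publish'];

    return $args;
}
```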
@@ -43,8 +43,12 @@ protected function extraQueryArgs(string $type): array $query = array_merge_recursive($query, $this->filterShowOnTaxonomyQuery($this->source)); } + $postStatus = \is_user_logged_in() + ? ['publish', 'draft'] + : ['publish']; + $query['connected_query'] = [ - 'post_status' => ['publish', 'draft'], + 'post_status' => $postStatus, ]; return $query;
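Review bot: The same authentication-versus-authorisation gap is in `extraQueryArgs`: `is_user_logged_in()` lets any logged-in account, including subscriber-level ones, receive `draft` connected items through `connected_query`, whereas draft visibility in WordPress is a capability question. I would gate it on a capability instead, e.g. `$postStatus = \current_user_can('edit_others_posts') ? ['publish', 'draft'] : ['publish'];`, or on the connected post type's own `cap` object if `$type` is that post type and its capabilities differ from the defaults. This is still an improvement over the previous unconditional `['publish', 'draft']`, which exposed drafts to anonymous callers. `extraQueryArgs` begins before the hunk.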