release: fixes

- Enhanced security

Author: vytisbulkevicius

inc/class-registration.php

@@ -267,7 +267,12 @@ public function enqueue_block_editor_assets() {
 				'canTrack'                => 'yes' === get_option( 'otter_blocks_logger_flag', false ) ? true : false,
 				'userRoles'               => $wp_roles->roles,
 				'isBlockEditor'           => 'post' === $current_screen->base,
-				'postTypes'               => get_post_types( [ 'public' => true ] ),
+				'postTypes'               => get_post_types(
+					[
+						'public'              => true,
+						'exclude_from_search' => false,
+					] 
+				),
 				'rootUrl'                 => get_site_url(),
 				'restRoot'                => get_rest_url( null, 'otter/v1' ),
 				'isPrettyPermalinks'      => boolval( get_option( 'permalink_structure' ) ),

plugins/otter-pro/inc/server/class-live-search-server.php

@@ -136,11 +136,7 @@ public function register_routes() {
 	 */
 	public function search( WP_REST_Request $request ) {
 		$query = new WP_Query(
-			array(
-				'posts_per_page' => 20,
-				'post_type'      => $request->get_param( 'post_type' ),
-				's'              => $request->get_param( 's' ),
-			)
+			$this->prepare_search_query( $request->get_param( 's' ), $request->get_param( 'post_type' ) )
 		);
 
 		return new WP_REST_Response(
@@ -155,7 +151,7 @@ function( $post ) {
 							'type'   => $post->post_type,
 							'date'   => get_the_date( 'F d, Y', $post ),
 							'author' => get_the_author_meta( 'display_name', intval( $post->post_author ) ),
-							'parent' => get_post( $post->post_parent )->post_title,
+							'parent' => get_post( $post->post_parent ) ? get_post( $post->post_parent )->post_title : '',
 						);
 
 						if ( 'product' === $post->post_type && class_exists( 'WooCommerce' ) ) {
@@ -170,6 +166,53 @@ function( $post ) {
 		);
 	}
 
+	/**
+	 * Prepare the search query. Remove the post types that are not searchable.
+	 * 
+	 * @param string       $s Search query.
+	 * @param string|array $post_types Post type.
+	 * 
+	 * @return array
+	 */
+	public function prepare_search_query( $s, $post_types ) {
+
+		$s = sanitize_text_field( $s );
+
+		if ( is_array( $post_types ) ) {
+			$post_types = array_map( 'sanitize_text_field', $post_types );
+		} else {
+			$post_types = sanitize_text_field( $post_types );
+		}
+
+		if ( ! empty( $post_types ) ) {
+			$searchable_post_types = get_post_types(
+				array(
+					'public'              => true,
+					'exclude_from_search' => false,
+				),
+				'names' 
+			);
+	
+			$needed_post_types = is_array( $post_types ) ? $post_types : explode( ',', $post_types );
+
+			$post_types = array_values(
+				array_filter(
+					$searchable_post_types,
+					function( $post_type ) use ( $needed_post_types ) {
+						return in_array( $post_type, $needed_post_types, true );
+					}
+				) 
+			);
+		}
+
+		return array(
+			'posts_per_page' => 20,
+			's'              => $s,
+			'post_status'    => 'publish',
+			'post_type'      => $post_types,
+		);
+	}
+		
 	/**
 	 * Throw error on object clone
 	 *

tests/test-live-search.php

@@ -0,0 +1,76 @@
+<?php
+/**
+ * Class CSS
+ *
+ * @package gutenberg-blocks
+ */
+
+use ThemeIsle\OtterPro\Server\Live_Search_Server;
+use Yoast\PHPUnitPolyfills\Polyfills\AssertEqualsCanonicalizing;
+use Yoast\PHPUnitPolyfills\Polyfills\AssertNotEqualsCanonicalizing;
+
+/**
+ * Live Search Test Case.
+ */
+class TestLiveSearch extends WP_UnitTestCase
+{
+    /**
+	 * Set up the test.
+	 */
+	public function set_up() {
+		parent::set_up();
+        
+        register_post_type( 'otter_shop_coupon', array(
+            'public' => false,
+            'label'  => 'Shop Coupon',
+        ) );
+
+        register_post_type( 'otter_shop_product', array(
+            'public' => true,
+            'label'  => 'Shop Product',
+        ) );
+
+        register_post_type( 'otter_page', array(
+            'public' => true,
+            'exclude_from_search' => true,
+            'label'  => 'Otter Page',
+        ) );
+	}
+
+	/**
+	 * Tear down the test.
+	 */
+	public function tear_dow() {
+        unregister_post_type( 'otter_shop_coupon' );
+        unregister_post_type( 'otter_shop_product' );
+        unregister_post_type( 'otter_page' );
+		parent::tear_down();
+	}
+
+    /**
+     * Test live search prepare query function.
+     */
+    public function test_live_search_prepare_query() {
+        $live_search = new Live_Search_Server();
+
+        $search_query = $live_search->prepare_search_query( 'test', '' );
+        $this->assertEquals( 'test', $search_query['s'] );
+        $this->assertEquals( '', $search_query['post_type'] );
+
+        $search_query = $live_search->prepare_search_query( 'test', 'otter_shop_product' );
+        $this->assertEquals( 'test', $search_query['s'] );
+        $this->assertEquals( array('otter_shop_product'), $search_query['post_type'] );
+
+        $search_query = $live_search->prepare_search_query( 'test', 'otter_shop_coupon' );
+        $this->assertEquals( 'test', $search_query['s'] );
+        $this->assertEquals( array(), $search_query['post_type'] ); // Non-public post type are filtered out.
+
+        $search_query = $live_search->prepare_search_query( 'test', 'otter_page' );
+        $this->assertEquals( 'test', $search_query['s'] );
+        $this->assertEquals( array(), $search_query['post_type'] ); // Exclude from search post type are filtered out.
+
+        $search_query = $live_search->prepare_search_query( 'test', array('otter_shop_product', 'otter_shop_coupon', 'otter_page') );
+        $this->assertEquals( 'test', $search_query['s'] );
+        $this->assertEquals( array('otter_shop_product'), $search_query['post_type'] ); // Keep only the public post type.
+    }
+}