diff --git a/tests/phpunit/tests/admin/includes/ajax-actions/wpAjaxRestNonce.php b/tests/phpunit/tests/admin/includes/ajax-actions/wpAjaxRestNonce.php
new file mode 100644
index 0000000000000..cc66dfe715a20
--- /dev/null
+++ b/tests/phpunit/tests/admin/includes/ajax-actions/wpAjaxRestNonce.php
@@ -0,0 +1,67 @@
+_setRole( 'subscriber' );
+
+ // Set up the request.
+ $_REQUEST['action'] = 'rest-nonce';
+
+ // Make the request.
+ try {
+ ob_start();
+ $this->_handleAjax( 'rest-nonce' );
+ } catch ( WPAjaxDieContinueException $e ) {
+ // Expected exception.
+ $this->_last_response = ob_get_clean();
+ unset( $e );
+ } catch ( WPAjaxDieStopException $e ) {
+ $this->_last_response = $e->getMessage();
+ ob_end_clean();
+ }
+
+ // The response should be a valid nonce for 'wp_rest'.
+ $this->assertNotEmpty( $this->_last_response, 'The response should not be empty' );
+ $this->assertSame( 1, wp_verify_nonce( $this->_last_response, 'wp_rest' ), 'The response should be a valid nonce for "wp_rest"' );
+ }
+
+ /**
+ * Tests the rest-nonce AJAX action as a logged-out user.
+ *
+ * @ticket 65243
+ */
+ public function test_wp_ajax_rest_nonce_logged_out(): void {
+ // Log out.
+ wp_set_current_user( 0 );
+
+ // To test the "logged-out" behavior properly, we should verify it DOES NOT have a nopriv handler.
+ $this->assertFalse( has_action( 'wp_ajax_nopriv_rest-nonce' ), 'Should not have a nopriv handler' );
+ }
+}
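Review bot: The `ob_start()` opened inside the `try` of the first test is closed only in the two `catch` branches, so if `_handleAjax( 'rest-nonce' )` returns normally or throws any other exception the buffer stays open and the assertions run against whatever `_last_response` already held. If the base test case already buffers and captures output inside `_handleAjax()` and its die handler (not visible on this page, so confirm), the extra buffer is redundant and `$this->_last_response = ob_get_clean();` in the first `catch` would overwrite the captured response with the empty outer buffer; dropping `ob_start()`, `ob_get_clean()` and `ob_end_clean()` and keeping only `$this->_last_response = $e->getMessage();` in the stop branch avoids both problems. In `test_wp_ajax_rest_nonce_logged_out()` the `wp_set_current_user( 0 )` call has no effect on `has_action()`, so the test only proves that no `wp_ajax_nopriv_rest-nonce` hook is registered in the test process. Either remove that call or state the limit in the comment, for example `// Registration check only; the logged-out request path is not exercised here.`. The top of the file and the start of the first test method are missing from this page, so the set-up before `_setRole( 'subscriber' )` could not be reviewed.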