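--- a/src/wp-includes/rest-api/class-wp-rest-request.php
+++ b/src/wp-includes/rest-api/class-wp-rest-request.php
@@ -794,6 +794,7 @@ class WP_REST_Request implements ArrayAccess {
 
 if ( is_wp_error( $sanitized_value ) ) {
 $invalid_params[ $key ] = $sanitized_value->get_error_message();
+$error_code = $sanitized_value->get_error_data()['status'];
 } else {
 $this->params[ $type ][ $key ] = $sanitized_value;
 }
@@ -805,8 +806,8 @@ class WP_REST_Request implements ArrayAccess {
 'rest_invalid_param',
 sprintf( __( 'Invalid parameter(s): %s' ), implode( ', ', array_keys( $invalid_params ) ) ),
 array(
-'status' => 400,
-'params' => $invalid_params,
+'status' => isset($error_code) ? $error_code : 400,
+'params' => $invalid_params
 )
 );
 }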
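Review bot: The added line `$error_code = $sanitized_value->get_error_data()['status'];` assumes every validation error carries array data with a `status` key, but WP_Error data is free-form, so an error created with no data or with non-array data produces a notice/warning here (and, depending on PHP version, possibly a TypeError) instead of falling through to the 400 default. Guard it before reading: `$error_data = $sanitized_value->get_error_data();` / `if ( is_array( $error_data ) && isset( $error_data['status'] ) ) { $error_code = $error_data['status']; }`. Because this runs inside the loop over all parameters, the status reported when several parameters are invalid is whichever error came last, so a 401 from one parameter can be replaced by a 400 from the next; either document that with a comment such as `// Last invalid parameter's status wins; falls back to 400.` or pick an explicit rule. As a point of style, `isset($error_code)` lacks the spaces inside parentheses used on the surrounding lines (`is_wp_error( $sanitized_value )`), and the trailing comma after `$invalid_params` was dropped. The enclosing method starts and ends outside these hunks.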
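--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -2487,15 +2487,20 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 continue;
 }
 
+$result = rest_validate_request_arg( $status, $request, $parameter );
+if ( is_wp_error( $result ) ) {
+return $result;
+}
+}
+
+foreach ( $statuses as $status ) {
+if ( $status === $default_status ) {
+continue;
+}
 $post_type_obj = get_post_type_object( $this->post_type );
 
-if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
-$result = rest_validate_request_arg( $status, $request, $parameter );
-if ( is_wp_error( $result ) ) {
-return $result;
-}
-} else {
-return new WP_Error( 'rest_forbidden_status', __( 'Status is forbidden.' ), array( 'status' => rest_authorization_required_code() ) );
+if ( ! current_user_can( $post_type_obj->cap->edit_posts ) ) {
+return new WP_Error( 'rest_forbidden_status', __( 'Sorry, you are not allowed to list non-published posts in this post type.' ), array( 'status' => rest_authorization_required_code() ) );
 }
 }
 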
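Review bot: In the second loop neither `get_post_type_object( $this->post_type )` nor the `current_user_can( $post_type_obj->cap->edit_posts )` check depends on `$status`, so both are re-evaluated once per requested status; move `$post_type_obj = get_post_type_object( $this->post_type );` above the loop and return on the first non-default status. `$post_type_obj` is also dereferenced without a null check, and `get_post_type_object()` returns null for an unregistered post type; if the controller only ever runs for registered types, a short comment stating that assumption would help the next reader. The reordering means schema validation now runs before the capability check, so an unauthenticated caller gets a 400 for a value outside the enum but a 401 for a valid non-default status; a comment above the first loop, `// Validate every requested status first; capability is checked afterwards for non-default statuses only.`, would make that intentional. The enclosing method starts and ends outside this hunk.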
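--- a/tests/phpunit/tests/rest-api/rest-attachments-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-attachments-controller.php
@@ -409,7 +409,7 @@ class WP_Test_REST_Attachments_Controller extends WP_Test_REST_Post_Type_Control
 $request = new WP_REST_Request( 'GET', '/wp/v2/media' );
 $request->set_param( 'status', 'private' );
 $response = rest_get_server()->dispatch( $request );
-$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 // Properly authorized users can make the request
 wp_set_current_user( self::$editor_id );
 $response = rest_get_server()->dispatch( $request );
@@ -442,7 +442,7 @@ class WP_Test_REST_Attachments_Controller extends WP_Test_REST_Post_Type_Control
 $request = new WP_REST_Request( 'GET', '/wp/v2/media' );
 $request->set_param( 'status', array( 'private', 'trash' ) );
 $response = rest_get_server()->dispatch( $request );
-$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 // Properly authorized users can make the request
 wp_set_current_user( self::$editor_id );
 $response = rest_get_server()->dispatch( $request );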
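Review bot: The updated assertions here, and the matching ones in rest-pages-controller.php and rest-posts-controller.php, only pin the new 401 for an unauthenticated caller that asks for a valid non-default status; nothing on this page checks that a status value outside the schema enum still yields `rest_invalid_param` with 400 for the same caller, which is the other branch the reordered controller code now takes. If no such test exists elsewhere, add one per controller using a constructed value, e.g. `$request->set_param( 'status', 'not-a-status' );` followed by `$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );`. A test sending two invalid parameters whose errors carry different status codes would also document which code the request class reports, since that now depends on loop order.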
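--- a/tests/phpunit/tests/rest-api/rest-pages-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-pages-controller.php
@@ -303,7 +303,7 @@ class WP_Test_REST_Pages_Controller extends WP_Test_REST_Post_Type_Controller_Te
 $request = new WP_REST_Request( 'GET', '/wp/v2/pages' );
 $request->set_param( 'status', 'draft' );
 $response = rest_get_server()->dispatch( $request );
-$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 
 // But they are accessible to authorized users
 wp_set_current_user( self::$editor_id );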
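--- a/tests/phpunit/tests/rest-api/rest-posts-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-posts-controller.php
@@ -529,7 +529,7 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
 $request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
 $request->set_param( 'status', 'draft' );
 $response = rest_get_server()->dispatch( $request );
-$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 wp_set_current_user( self::$editor_id );
 $request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
 $request->set_param( 'status', 'draft' );
@@ -1201,7 +1201,7 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
 $request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
 $request->set_param( 'status', 'draft' );
 $response = rest_get_server()->dispatch( $request );
-$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 
 // But they are accessible to authorized users
 wp_set_current_user( self::$editor_id );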