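diff --git src/wp-includes/rest-api/class-wp-rest-request.php src/wp-includes/rest-api/class-wp-rest-request.php
index 26c1c0fb45..a50c99b97d 100644
--- a/src/wp-includes/rest-api/class-wp-rest-request.php
+++ b/src/wp-includes/rest-api/class-wp-rest-request.php
@@ -794,6 +794,7 @@ class WP_REST_Request implements ArrayAccess {
 
 if ( is_wp_error( $sanitized_value ) ) {
 $invalid_params[ $key ] = $sanitized_value->get_error_message();
+$error_code = $sanitized_value->get_error_data()['status'];
 } else {
 $this->params[ $type ][ $key ] = $sanitized_value;
 }
@@ -805,8 +806,8 @@ class WP_REST_Request implements ArrayAccess {
 'rest_invalid_param',
 sprintf( __( 'Invalid parameter(s): %s' ), implode( ', ', array_keys( $invalid_params ) ) ),
 array(
-'status' => 400,
-'params' => $invalid_params,
+'status' => isset($error_code) ? $error_code : 400,
+'params' => $invalid_params
 )
 );
 }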
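Review bot: `$error_code = $sanitized_value->get_error_data()['status'];` (new line 797) assumes every sanitizer error carries array data with a `status` key, but `WP_Error::get_error_data()` can return null, a scalar, or an array without that key, which triggers a notice or, depending on the PHP version and data type, an error before the `isset()` fallback on line 809 ever runs. Read the data first and only take the status when it is present: `$error_data = $sanitized_value->get_error_data(); if ( is_array( $error_data ) && isset( $error_data['status'] ) ) { $error_code = $error_data['status']; }`. Because `$error_code` is overwritten on each iteration, the last invalid parameter decides the response status when several fail with different codes, so a 401/403 from an authorization check can be masked by a later plain 400; if an authorization failure is meant to take precedence, make that explicit rather than order-dependent. Two smaller points on the second hunk: `isset($error_code)` should be `isset( $error_code )` to match the file's spacing, and the trailing comma after `'params' => $invalid_params` was dropped and should stay. The enclosing method starts before the first hunk.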
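diff --git src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
index 472115e121..e2b89ad6fc 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -2487,15 +2487,20 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 continue;
 }
 
+$result = rest_validate_request_arg( $status, $request, $parameter );
+if ( is_wp_error( $result ) ) {
+return $result;
+}
+}
+
+foreach ( $statuses as $status ) {
+if ( $status === $default_status ) {
+continue;
+}
 $post_type_obj = get_post_type_object( $this->post_type );
 
-if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
-$result = rest_validate_request_arg( $status, $request, $parameter );
-if ( is_wp_error( $result ) ) {
-return $result;
-}
-} else {
-return new WP_Error( 'rest_forbidden_status', __( 'Status is forbidden.' ), array( 'status' => rest_authorization_required_code() ) );
+if ( ! current_user_can( $post_type_obj->cap->edit_posts ) ) {
+return new WP_Error( 'rest_forbidden_status', __( 'Sorry, you are not allowed to list non-published posts in this post type.' ), array( 'status' => rest_authorization_required_code() ) );
 }
 }
 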
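Review bot: `$post_type_obj = get_post_type_object( $this->post_type );` (new line 2500) now sits inside the second `foreach` although it does not depend on `$status`; hoist it above the loop, `$post_type_obj = get_post_type_object( $this->post_type );`, and leave only the capability check in the body. The reorder also changes error precedence: every requested status is validated before any capability check, so an unauthenticated caller sending an unknown status now receives `rest_invalid_param` (400) where the old code returned `rest_forbidden_status` first; the test changes suggest this is intended, but it deserves a comment above the first loop such as `// Validate every requested status first; the capability check for non-default statuses follows in a second pass.`. The enclosing method and the first `foreach` begin outside the hunk.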
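diff --git tests/phpunit/tests/rest-api/rest-attachments-controller.php tests/phpunit/tests/rest-api/rest-attachments-controller.php
index 86b66d726c..ba3d5290b0 100644
--- a/tests/phpunit/tests/rest-api/rest-attachments-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-attachments-controller.php
@@ -409,7 +409,7 @@ class WP_Test_REST_Attachments_Controller extends WP_Test_REST_Post_Type_Control
 $request = new WP_REST_Request( 'GET', '/wp/v2/media' );
 $request->set_param( 'status', 'private' );
 $response = rest_get_server()->dispatch( $request );
-$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 // Properly authorized users can make the request
 wp_set_current_user( self::$editor_id );
 $response = rest_get_server()->dispatch( $request );
@@ -442,7 +442,7 @@ class WP_Test_REST_Attachments_Controller extends WP_Test_REST_Post_Type_Control
 $request = new WP_REST_Request( 'GET', '/wp/v2/media' );
 $request->set_param( 'status', array( 'private', 'trash' ) );
 $response = rest_get_server()->dispatch( $request );
-$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 // Properly authorized users can make the request
 wp_set_current_user( self::$editor_id );
 $response = rest_get_server()->dispatch( $request );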
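Review bot: The expected status is hard-coded as `401` in the updated `assertErrorResponse` calls, while the controller derives it from `rest_authorization_required_code()`; asserting with the same helper, `$this->assertErrorResponse( 'rest_invalid_param', $response, rest_authorization_required_code() );`, ties the test to the actual source of the code (presumably 401 here because no user is set until the following `wp_set_current_user` line) and documents why a validation error is carrying an authorization status. The same applies to the hunk in rest-pages-controller.php and both hunks in rest-posts-controller.php. None of these tests check that the `params` entry of the error data still names the rejected parameter, which is what a client relies on to tell a forbidden status from a malformed one; one assertion on `$response->as_error()->get_error_data()` would pin that, if the fixture makes it cheap.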
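diff --git tests/phpunit/tests/rest-api/rest-pages-controller.php tests/phpunit/tests/rest-api/rest-pages-controller.php
index 98033dc8a1..8c5f96764c 100644
--- a/tests/phpunit/tests/rest-api/rest-pages-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-pages-controller.php
@@ -303,7 +303,7 @@ class WP_Test_REST_Pages_Controller extends WP_Test_REST_Post_Type_Controller_Te
 $request = new WP_REST_Request( 'GET', '/wp/v2/pages' );
 $request->set_param( 'status', 'draft' );
 $response = rest_get_server()->dispatch( $request );
-$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 
 // But they are accessible to authorized users
 wp_set_current_user( self::$editor_id );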
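diff --git tests/phpunit/tests/rest-api/rest-posts-controller.php tests/phpunit/tests/rest-api/rest-posts-controller.php
index 0de10c9651..bc27e918ab 100644
--- a/tests/phpunit/tests/rest-api/rest-posts-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-posts-controller.php
@@ -529,7 +529,7 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
 $request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
 $request->set_param( 'status', 'draft' );
 $response = rest_get_server()->dispatch( $request );
-$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 wp_set_current_user( self::$editor_id );
 $request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
 $request->set_param( 'status', 'draft' );
@@ -1201,7 +1201,7 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
 $request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
 $request->set_param( 'status', 'draft' );
 $response = rest_get_server()->dispatch( $request );
-$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 
 // But they are accessible to authorized users
 wp_set_current_user( self::$editor_id );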