
Ticket #43681: 43681.diff

File 43681.diff, 5.8 KB (added by davidhernando, 6 years ago)

Changes status 400 to 401 for unauthorized requests; keeps status 400 for invalid requests.

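--- a/src/wp-includes/rest-api/class-wp-rest-request.php
+++ b/src/wp-includes/rest-api/class-wp-rest-request.php
@@ -794,6 +794,7 @@ class WP_REST_Request implements ArrayAccess {
 
 				if ( is_wp_error( $sanitized_value ) ) {
 					$invalid_params[ $key ] = $sanitized_value->get_error_message();
+					$error_code = $sanitized_value->get_error_data()['status'];
 				} else {
 					$this->params[ $type ][ $key ] = $sanitized_value;
 				}
@@ -805,8 +806,8 @@ class WP_REST_Request implements ArrayAccess {
 				'rest_invalid_param',
 				sprintf( __( 'Invalid parameter(s): %s' ), implode( ', ', array_keys( $invalid_params ) ) ),
 				array(
-					'status' => 400,
-					'params' => $invalid_params,
+					'status' => isset($error_code) ? $error_code : 400,
+					'params' => $invalid_params
 				)
 			);
 		}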
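Review bot: `$sanitized_value->get_error_data()['status']` on new line 797 assumes the error data is an array carrying a `status` key; `WP_Error::get_error_data()` can return `null`, a scalar or an array without that key, which emits a warning and leaves `$error_code` as `null` (the `isset()` on line 809 then silently falls back to 400). Guard it with `$error_data = $sanitized_value->get_error_data();` followed by `if ( isset( $error_data['status'] ) ) { $error_code = (int) $error_data['status']; }`. With several invalid parameters the last one processed wins, so the response code depends on parameter iteration order; consider initialising `$error_code` before the loop and only promoting an authorization code (401/403) over 400 rather than whatever status the last callback chose, so one validation callback cannot steer the whole request's status. The trailing comma removed after `'params' => $invalid_params` should be restored to match WPCS. The enclosing method (presumably `sanitize_params()`) starts and ends outside the hunk.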
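--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -2487,15 +2487,20 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 				continue;
 			}
 
+			$result = rest_validate_request_arg( $status, $request, $parameter );
+			if ( is_wp_error( $result ) ) {
+				return $result;
+			}
+		}
+
+		foreach ( $statuses as $status ) {
+			if ( $status === $default_status ) {
+				continue;
+			}
 			$post_type_obj = get_post_type_object( $this->post_type );
 
-			if ( current_user_can( $post_type_obj->cap->edit_posts ) ) {
-				$result = rest_validate_request_arg( $status, $request, $parameter );
-				if ( is_wp_error( $result ) ) {
-					return $result;
-				}
-			} else {
-				return new WP_Error( 'rest_forbidden_status', __( 'Status is forbidden.' ), array( 'status' => rest_authorization_required_code() ) );
+			if ( ! current_user_can( $post_type_obj->cap->edit_posts ) ) {
+				return new WP_Error( 'rest_forbidden_status', __( 'Sorry, you are not allowed to list non-published posts in this post type.' ), array( 'status' => rest_authorization_required_code() ) );
 			}
 		}
 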
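Review bot: Neither `get_post_type_object( $this->post_type )` nor the `current_user_can()` check in the new second loop (new lines 2500–2503) depends on `$status`, so the lookup is repeated for every non-default status and the loop body reduces to a single capability test; hoist both above the loop and keep the loop only to detect whether any non-default status was requested. Reordering validation ahead of the capability check also means an unauthenticated caller now gets 400 for an unregistered status and 401 for a registered-but-restricted one; that is the ticket's intent, but a comment at the first loop would make it explicit, e.g. `// Validate values first so malformed input is a 400; restricted statuses are refused below with 401/403.`. Both loops begin before this hunk (the first `foreach` header is outside it), and `$statuses`, `$default_status`, `$request` and `$parameter` are defined there.
```php
		// … unchanged: validation loop over $statuses …

		$post_type_obj = get_post_type_object( $this->post_type );

		if ( ! current_user_can( $post_type_obj->cap->edit_posts ) ) {
			foreach ( $statuses as $status ) {
				if ( $status !== $default_status ) {
					return new WP_Error( 'rest_forbidden_status', __( 'Sorry, you are not allowed to list non-published posts in this post type.' ), array( 'status' => rest_authorization_required_code() ) );
				}
			}
		}
```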
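--- a/tests/phpunit/tests/rest-api/rest-attachments-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-attachments-controller.php
@@ -409,7 +409,7 @@ class WP_Test_REST_Attachments_Controller extends WP_Test_REST_Post_Type_Control
 		$request        = new WP_REST_Request( 'GET', '/wp/v2/media' );
 		$request->set_param( 'status', 'private' );
 		$response = rest_get_server()->dispatch( $request );
-		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 		// Properly authorized users can make the request
 		wp_set_current_user( self::$editor_id );
 		$response = rest_get_server()->dispatch( $request );
@@ -442,7 +442,7 @@ class WP_Test_REST_Attachments_Controller extends WP_Test_REST_Post_Type_Control
 		$request        = new WP_REST_Request( 'GET', '/wp/v2/media' );
 		$request->set_param( 'status', array( 'private', 'trash' ) );
 		$response = rest_get_server()->dispatch( $request );
-		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 		// Properly authorized users can make the request
 		wp_set_current_user( self::$editor_id );
 		$response = rest_get_server()->dispatch( $request );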
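Review bot: Every updated assertion here, and the matching ones in rest-pages-controller.php and rest-posts-controller.php, only pins the 401 for a logged-out user requesting a valid but restricted status; nothing exercises the other half of the patch, that a malformed value still yields 400, nor a mixed request such as `array( 'private', 'bogus' )` where the two error paths compete. Add a sibling case, e.g. `$request->set_param( 'status', 'bogus' );` then `$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );`, and one for a logged-in user without `edit_posts` expecting 403, since `rest_authorization_required_code()` distinguishes logged-in from anonymous callers. The enclosing test methods start before each hunk.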
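--- a/tests/phpunit/tests/rest-api/rest-pages-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-pages-controller.php
@@ -303,7 +303,7 @@ class WP_Test_REST_Pages_Controller extends WP_Test_REST_Post_Type_Controller_Te
 		$request  = new WP_REST_Request( 'GET', '/wp/v2/pages' );
 		$request->set_param( 'status', 'draft' );
 		$response = rest_get_server()->dispatch( $request );
-		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 
 		// But they are accessible to authorized users
 		wp_set_current_user( self::$editor_id );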
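--- a/tests/phpunit/tests/rest-api/rest-posts-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-posts-controller.php
@@ -529,7 +529,7 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
 		$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
 		$request->set_param( 'status', 'draft' );
 		$response = rest_get_server()->dispatch( $request );
-		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 		wp_set_current_user( self::$editor_id );
 		$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
 		$request->set_param( 'status', 'draft' );
@@ -1201,7 +1201,7 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
 		$request  = new WP_REST_Request( 'GET', '/wp/v2/posts' );
 		$request->set_param( 'status', 'draft' );
 		$response = rest_get_server()->dispatch( $request );
-		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 
 		// But they are accessible to authorized users
 		wp_set_current_user( self::$editor_id );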