Changeset 40337


Timestamp:
03/27/17 09:23:05 (5 weeks ago)
Author:
swissspidy
Message:

REST API: Confirm the parent post object of an attachment exists in WP_REST_Posts_Controller::check_read_permission().

Avoid a PHP Error when attempting to embed the parent post of an attachment, when the parent post ID is invalid. Instead check if the parent post
object exists before checking the read permission for the parent post.

Props GhostToast.
Fixes #39881.

Merges [40306] to the 4.7 branch.

Location:
branches/4.7
Files:
3 edited

  • branches/4.7

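--- a/branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -1289,5 +1289,7 @@
         if ( 'inherit' === $post->post_status && $post->post_parent > 0 ) {
             $parent = get_post( $post->post_parent );
-            return $this->check_read_permission( $parent );
+            if ( $parent ) {
+                return $this->check_read_permission( $parent );
+            }
         }
 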
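Review bot: The new `if ( $parent )` guard at new line 1291 makes a missing parent fall through to code below the hunk instead of denying, and nothing at the guard says that this is intended. The added test `test_get_item_inherit_status_with_invalid_parent` expects a 200 for exactly this case, so an attachment with a dangling `post_parent` is presumably treated as readable; in a permission check that fail-open path should be stated explicitly. I would add a comment after the guard, inside the outer `if`, such as `// Parent no longer exists: fall through to the unattached-attachment handling below.` The body of `check_read_permission()` starts and ends outside the hunk, so the fall-through target is inferred from the test rather than seen.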
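--- a/branches/4.7/tests/phpunit/tests/rest-api/rest-attachments-controller.php
+++ b/branches/4.7/tests/phpunit/tests/rest-api/rest-attachments-controller.php
@@ -479,4 +479,29 @@
         $response = $this->server->dispatch( $request );
         $this->assertEquals( 403, $response->get_status() );
+    }
+
+    public function test_get_item_inherit_status_with_invalid_parent() {
+        $attachment_id = $this->factory->attachment->create_object( $this->test_file, REST_TESTS_IMPOSSIBLY_HIGH_NUMBER, array(
+            'post_mime_type' => 'image/jpeg',
+            'post_excerpt'   => 'A sample caption',
+        ) );
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/media/%d', $attachment_id ) );
+        $response = $this->server->dispatch( $request );
+        $data = $response->get_data();
+
+        $this->assertEquals( 200, $response->get_status() );
+        $this->assertEquals( $attachment_id, $data['id'] );
+    }
+
+    public function test_get_item_auto_status_with_invalid_parent_returns_error() {
+        $attachment_id = $this->factory->attachment->create_object( $this->test_file, REST_TESTS_IMPOSSIBLY_HIGH_NUMBER, array(
+            'post_mime_type' => 'image/jpeg',
+            'post_excerpt'   => 'A sample caption',
+            'post_status'    => 'auto-draft',
+        ) );
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/media/%d', $attachment_id ) );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'rest_forbidden', $response, 403 );
     }
 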
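Review bot: Neither new test pins the requesting user, so the 200 in `test_get_item_inherit_status_with_invalid_parent` and the `rest_forbidden` in `test_get_item_auto_status_with_invalid_parent_returns_error` depend on whichever user the fixture left current; the setup code is outside this section, so that state cannot be confirmed here. Both assertions are about an access decision, so each test should start with `wp_set_current_user( 0 );` to show that it covers the unauthenticated case. The status check would also be stricter as `$this->assertSame( 200, $response->get_status() );`.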