
Changeset 40337


Timestamp:
03/27/2017 09:23:05 AM (8 years ago)
Author:
swissspidy
Message:

REST API: Confirm the parent post object of an attachment exists in WP_REST_Posts_Controller::check_read_permission().

Avoid a PHP Error when attempting to embed the parent post of an attachment, when the parent post ID is invalid. Instead check if the parent post
object exists before checking the read permission for the parent post.

Props GhostToast.
Fixes #39881.

Merges [40306] to the 4.7 branch.

Location:
branches/4.7
Files:
3 edited

  • branches/4.7

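--- a/branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -1289,5 +1289,7 @@
         if ( 'inherit' === $post->post_status && $post->post_parent > 0 ) {
             $parent = get_post( $post->post_parent );
-            return $this->check_read_permission( $parent );
+            if ( $parent ) {
+                return $this->check_read_permission( $parent );
+            }
         }
 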
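Review bot: When `get_post()` finds no parent, the new `if ( $parent )` guard falls through silently to whatever follows this block, and nothing here records which access decision that produces. The accompanying test expects a 200 for an `inherit` attachment whose parent ID does not exist, so the missing-parent case appears to end up readable rather than denied. A fail-open branch in a permission check deserves an explicit comment after the inner `if`, for example `// Parent no longer exists: fall through and treat the attachment as unattached.` The rest of check_read_permission() lies outside the hunk, so the exact fall-through path should be confirmed there.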
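--- a/branches/4.7/tests/phpunit/tests/rest-api/rest-attachments-controller.php
+++ b/branches/4.7/tests/phpunit/tests/rest-api/rest-attachments-controller.php
@@ -479,4 +479,29 @@
         $response = $this->server->dispatch( $request );
         $this->assertEquals( 403, $response->get_status() );
+    }
+
+    public function test_get_item_inherit_status_with_invalid_parent() {
+        $attachment_id = $this->factory->attachment->create_object( $this->test_file, REST_TESTS_IMPOSSIBLY_HIGH_NUMBER, array(
+            'post_mime_type' => 'image/jpeg',
+            'post_excerpt'   => 'A sample caption',
+        ) );
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/media/%d', $attachment_id ) );
+        $response = $this->server->dispatch( $request );
+        $data = $response->get_data();
+
+        $this->assertEquals( 200, $response->get_status() );
+        $this->assertEquals( $attachment_id, $data['id'] );
+    }
+
+    public function test_get_item_auto_status_with_invalid_parent_returns_error() {
+        $attachment_id = $this->factory->attachment->create_object( $this->test_file, REST_TESTS_IMPOSSIBLY_HIGH_NUMBER, array(
+            'post_mime_type' => 'image/jpeg',
+            'post_excerpt'   => 'A sample caption',
+            'post_status'    => 'auto-draft',
+        ) );
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/media/%d', $attachment_id ) );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'rest_forbidden', $response, 403 );
     }
 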
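Review bot: Neither new test states which user issues the request, so the 200 in `test_get_item_inherit_status_with_invalid_parent` and the 403 in `test_get_item_auto_status_with_invalid_parent_returns_error` depend on user state set outside this hunk. Because both pin a permission decision, each should open with `wp_set_current_user( 0 );` (or the role actually intended) so the assertion documents who may read an attachment whose parent is missing. setUp() is not visible here, so the default may already be anonymous; stating it in the test keeps the expectation from changing if the fixture does.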