
Changeset 47036


Timestamp:
01/03/2020 06:42:09 PM (5 years ago)
Author:
kadamwhite
Message:

REST API: Short-circuit the comment controller permissions check if the commented-upon post's post type does not exist.

Props imani3011, dragosh635, subrataemfluence, timothyblynjacobs.
Fixes #42238.

Location:
trunk
Files:
2 edited

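--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -1593,5 +1593,11 @@
      */
     protected function check_read_post_permission( $post, $request ) {
-        $post_type        = get_post_type_object( $post->post_type );
+        $post_type = get_post_type_object( $post->post_type );
+
+        // Return false if custom post type doesn't exist
+        if ( ! $post_type ) {
+            return false;
+        }
+
         $posts_controller = $post_type->get_rest_controller();
 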
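Review bot: The new guard fails closed, which is the right default, but the method's docblock (it ends on the first context line; its start and the rest of the method body are outside the hunk) should say so, since callers now get a denial for any comment whose post type has been unregistered rather than an error or a fall-through to the post controller. I would add a `@return bool` line to the docblock reading "False when the post's post type is no longer registered, so such comments are treated as unreadable." Separately, WordPress coding standards want inline comments to end with a period, so `// Return false if custom post type doesn't exist` should become `// Return false if the post type no longer exists.`.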
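--- a/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -3241,3 +3241,30 @@
         }
     }
+
+    /**
+     * @ticket 42238
+     */
+    public function test_check_read_post_permission_with_invalid_post_type() {
+        register_post_type(
+            'bug-post',
+            array(
+                'label'        => 'Bug Posts',
+                'supports'     => array( 'title', 'editor', 'author', 'comments' ),
+                'show_in_rest' => true,
+                'public'       => true,
+            )
+        );
+        create_initial_rest_routes();
+
+        $post_id    = self::factory()->post->create( array( 'post_type' => 'bug-post' ) );
+        $comment_id = self::factory()->comment->create( array( 'comment_post_ID' => $post_id ) );
+        _unregister_post_type( 'bug-post' );
+
+        $this->setExpectedIncorrectUsage( 'map_meta_cap' );
+
+        wp_set_current_user( self::$admin_id );
+        $request  = new WP_REST_Request( 'GET', '/wp/v2/comments/' . $comment_id );
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertEquals( 403, $response->get_status() );
+    }
 }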
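Review bot: The final assertion pins only the HTTP status, so `$this->assertEquals( 403, $response->get_status() );` should be `$this->assertSame( 403, $response->get_status() );` to avoid a loose comparison on an integer, and a second assertion on the response's error code would show that the 403 comes from the new post-type guard rather than from the `map_meta_cap` path the test already expects a notice from (the error code the controller returns is not visible in this hunk, so the exact value needs checking against the controller). Also, the `register_post_type` call happens inside the test, so if `create_initial_rest_routes()` or either factory call throws, the `bug-post` type is never unregistered and can leak into later tests; moving `_unregister_post_type( 'bug-post' )` into a `finally` block or the test's `tearDown` would make the cleanup unconditional. The test method is wholly inside the hunk; the enclosing class starts outside it.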