Timestamp:
12/22/2023 02:10:18 AM (16 months ago)
Author:
isabel_brison
Message:

REST API: check parent and revision ids match before retrieving revision.

Adds a condition to check that parent id matches revision parent id in WP_REST_Revisions_Controller get_item method.

Props ramonopoly, adamsilverstein, danielbachhuber, spacedmonkey, andrewserong.
Fixes #59875.

File:
1 edited

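--- a/trunk/tests/phpunit/tests/rest-api/wpRestTemplateRevisionsController.php
+++ b/trunk/tests/phpunit/tests/rest-api/wpRestTemplateRevisionsController.php
@@ -23,4 +23,9 @@
      * @var string
      */
+    const TEMPLATE_NAME_2 = 'my_template_2';
+
+    /**
+     * @var string
+     */
     const PARENT_POST_TYPE = 'wp_template';
 
@@ -51,4 +56,13 @@
      */
     private static $template_post;
+
+    /**
+     * Template post.
+     *
+     * @since 6.5.0
+     *
+     * @var WP_Post
+     */
+    private static $template_post_2;
 
     /**
@@ -124,4 +138,24 @@
             )
         );
+
+        // Create a new template post to test the get_item method.
+        self::$template_post_2 = $factory->post->create_and_get(
+            array(
+                'post_type'    => self::PARENT_POST_TYPE,
+                'post_name'    => self::TEMPLATE_NAME_2,
+                'post_title'   => 'My Template 2',
+                'post_content' => 'Content 2',
+                'post_excerpt' => 'Description of my template 2',
+                'tax_input'    => array(
+                    'wp_theme' => array(
+                        self::TEST_THEME,
+                    ),
+                ),
+            )
+        );
+        wp_set_post_terms( self::$template_post_2->ID, self::TEST_THEME, 'wp_theme' );
+
+        var_dump( self::$template_post->ID );
+        var_dump( self::$template_post_2->ID );
     }
 
@@ -335,4 +369,21 @@
         $response = rest_get_server()->dispatch( $request );
         $this->assertErrorResponse( 'rest_post_invalid_parent', $response, WP_Http::NOT_FOUND );
+    }
+
+    /**
+     * @ticket 59875
+     */
+    public function test_get_item_invalid_parent_id() {
+        wp_set_current_user( self::$admin_id );
+        $revisions   = wp_get_post_revisions( self::$template_post, array( 'fields' => 'ids' ) );
+        $revision_id = array_shift( $revisions );
+
+        $request = new WP_REST_Request( 'GET', '/wp/v2/templates/' . self::TEST_THEME . '/' . self::TEMPLATE_NAME_2 . '/revisions/' . $revision_id );
+
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertErrorResponse( 'rest_revision_parent_id_mismatch', $response, 404 );
+
+        $expected_message = 'The revision does not belong to the specified parent with id of "' . self::$template_post_2->ID . '"';
+        $this->assertSame( $expected_message, $response->as_error()->get_error_messages()[0], 'The message must contain the correct parent ID.' );
     }
 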
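Review bot: The two `var_dump( self::$template_post->ID );` / `var_dump( self::$template_post_2->ID );` calls added at the end of the fixture setup (new lines 158–159) look like leftover debugging output; they print post IDs on every run of the suite and should be removed before this lands. In the new test_get_item_invalid_parent_id the status is asserted with the bare literal `404` while the assertion two lines above it uses `WP_Http::NOT_FOUND`; writing `$this->assertErrorResponse( 'rest_revision_parent_id_mismatch', $response, WP_Http::NOT_FOUND );` keeps the file consistent. The commit message describes a condition added to WP_REST_Revisions_Controller::get_item, but this changeset only touches the test file, so the controller change presumably lands separately — it is worth confirming that the `rest_revision_parent_id_mismatch` code and the exact message string asserted here match that implementation. The setup method containing the var_dump lines begins outside the hunk.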