`WP_REST_Posts_Controller::check_read_permission()` should check if `$parent` exists before calling itself
|Reported by:||GhostToast||Owned by:||rachelbaker|
|Component:||REST API||Keywords:||has-patch has-unit-tests fixed-major|
In WP_REST_Posts_Controller::check_read_permission() there ends up being a check for if the post_status of the post in question is 'inherit' and if the post_parent is greater than 0. It then checks the parent for permissions regarding the child. However, sometimes (as I have found with attachments), the child believes it has a parent, but the parent is missing. This results in a null post being sent to $this->check_is_post_type_allowed() which fails early and throws error about property of non-object.
I believe if the parent is missing, the next sequence should take precedence: which is that if post_status is 'inherit', check_read_permission() returns true. This would essentially be the same as if the post_parent value was set to 0.
A simple check if $parent has a value before passing it to a recursive call of check_read_permission() can alleviate this.
To reproduce this error, try to access a post with attachments, using _embed on the REST API, where one of the attachments has a post_parent that is invalid (integer that doesn't exist in corresponding wp_posts table).
Change History (13)
2 months ago
- Keywords has-patch added
- Milestone changed from Awaiting Review to 4.7.3
- Owner set to rachelbaker
- Status changed from new to reviewing
- Version changed from trunk to 4.7
6 weeks ago
- Keywords has-unit-tests commit added; dev-feedback needs-unit-tests removed
6 weeks ago
- Keywords fixed-major added; commit removed
- Resolution fixed deleted
- Status changed from closed to reopened