Opened 8 years ago
Closed 5 years ago
#40383 closed defect (bug) (fixed)
Comments Controller is not checking permission of Custom Post Type controller class
Reported by: | langan | Owned by: | TimothyBlynJacobs |
---|---|---|---|
Milestone: | 5.3 | Priority: | normal |
Severity: | normal | Version: | 4.7 |
Component: | REST API | Keywords: | needs-unit-tests has-patch |
Focuses: | Cc: |
Description
In class-wp-rest-comments-controller.php
protected function check_read_post_permission( $post, $request ) { $posts_controller = new WP_REST_Posts_Controller( $post->post_type );
$posts_controller is hard coded to use WP_REST_Posts_Controller
But what if you have set
'rest_controller_class' => 'Plugin_REST_CPT_Controller',
Shouldn't the check_read_post_permission function check for a custom post type controller class first?
Something like this
protected function check_read_post_permission( $post, $request ) { $post_type = get_post_type_object( $post->post_type ); $posts_controller_class = ! empty( $post_type->rest_controller_class ) ? $post_type->rest_controller_class : 'WP_REST_Posts_Controller'; $posts_controller = new $posts_controller_class( $post->post_type );
Would be happy to push a fix for this if needed
Attachments (2)
Change History (22)
#2
in reply to:
↑ 1
@
8 years ago
No problem @swissspidy
I think we will need to add a class_exist check on the class, but the quick hack I added above worked for me when I created a custom post type and made some comments.
#3
@
7 years ago
- Keywords has-patch needs-unit-tests added
Added a patch to support the custom controller on comments and revisions endpoint. This needs unit test which I am working on, however setting up the custom controller via unit test is a little laborious so not quite there yet.
This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.
5 years ago
#5
@
5 years ago
- Keywords needs-refresh added; has-patch removed
- Milestone changed from Awaiting Review to Future Release
- Owner set to TimothyBlynJacobs
- Status changed from new to accepted
- Version changed from 4.7.3 to 4.7
Going to take a look at this one.
Creating a new instance would break #45677. Perhaps we should introduce something like WP_Post_Type::get_rest_controller()
to ensure only one instance of a post type controller is created? It would also consolidate checking whether the class exists and falling back.
This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.
5 years ago
#7
@
5 years ago
Rather than putting it on WP_Post_Type
, could we just have a WP_Posts_REST_Controller::get_for_post_type()
, thinking that's a bit more encapsulated / stays in the context of the rest api.
This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.
5 years ago
This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.
5 years ago
#10
@
5 years ago
That'd work. Interestingly, it isn't enforced or documented that the rest_controller_class
must extend WP_REST_Posts_Controller
, just WP_REST_Controller
. I don't know if that changes the thinking any.
The different usages of the controller have different requirements, so I opted to make the ::get_for_post_type
method be as conservative in possible in what it should return. It matches how create_initial_rest_routes
works.
This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.
5 years ago
This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.
5 years ago
This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.
5 years ago
This ticket was mentioned in Slack in #core-restapi by kadamwhite. View the logs.
5 years ago
#17
@
5 years ago
This should be fully addressed by the patch committed for #45677; cc @TimothyBlynJacobs for confirmation. I'm leaving it open for now to formally validate, if anybody can independently confirm that this is sorted before I get to it please chime in below :)
Hey there,
Thanks for your report! At first glance this looks reasonable to me. I'll leave this for the REST API team to verify though.