WordPress.org

Make WordPress Core

Opened 2 years ago

Last modified 5 days ago

#40383 accepted defect (bug)

Comments Controller is not checking permission of Custom Post Type controller class

Reported by: langan Owned by: TimothyBlynJacobs
Milestone: 5.3 Priority: normal
Severity: normal Version: 4.7
Component: REST API Keywords: needs-unit-tests has-patch
Focuses: Cc:

Description

In class-wp-rest-comments-controller.php

	protected function check_read_post_permission( $post, $request ) {
		$posts_controller = new WP_REST_Posts_Controller( $post->post_type );

$posts_controller is hard coded to use WP_REST_Posts_Controller

But what if you have set

    'rest_controller_class' => 'Plugin_REST_CPT_Controller',

Shouldn't the check_read_post_permission function check for a custom post type controller class first?

Something like this

	protected function check_read_post_permission( $post, $request ) {
		$post_type = get_post_type_object( $post->post_type );
		$posts_controller_class = ! empty( $post_type->rest_controller_class ) ? $post_type->rest_controller_class : 'WP_REST_Posts_Controller';
		$posts_controller = new $posts_controller_class( $post->post_type );

Would be happy to push a fix for this if needed

Attachments (2)

40383.diff (2.2 KB) - added by joehoyle 2 years ago.
40383.2.diff (8.1 KB) - added by TimothyBlynJacobs 5 days ago.

Download all attachments as: .zip

Change History (15)

#1 follow-up: @swissspidy
2 years ago

Hey there,

Thanks for your report! At first glance this looks reasonable to me. I'll leave this for the REST API team to verify though.

#2 in reply to: ↑ 1 @langan
2 years ago

No problem @swissspidy

I think we will need to add a class_exist check on the class, but the quick hack I added above worked for me when I created a custom post type and made some comments.

@joehoyle
2 years ago

#3 @joehoyle
2 years ago

  • Keywords has-patch needs-unit-tests added

Added a patch to support the custom controller on comments and revisions endpoint. This needs unit test which I am working on, however setting up the custom controller via unit test is a little laborious so not quite there yet.

This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.


6 weeks ago

#5 @TimothyBlynJacobs
6 weeks ago

  • Keywords needs-refresh added; has-patch removed
  • Milestone changed from Awaiting Review to Future Release
  • Owner set to TimothyBlynJacobs
  • Status changed from new to accepted
  • Version changed from 4.7.3 to 4.7

Going to take a look at this one.

Creating a new instance would break #45677. Perhaps we should introduce something like WP_Post_Type::get_rest_controller() to ensure only one instance of a post type controller is created? It would also consolidate checking whether the class exists and falling back.

This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.


5 weeks ago

#7 @joehoyle
5 weeks ago

Rather than putting it on WP_Post_Type, could we just have a WP_Posts_REST_Controller::get_for_post_type(), thinking that's a bit more encapsulated / stays in the context of the rest api.

This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.


3 weeks ago

This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.


10 days ago

#10 @TimothyBlynJacobs
5 days ago

That'd work. Interestingly, it isn't enforced or documented that the rest_controller_class must extend WP_REST_Posts_Controller, just WP_REST_Controller. I don't know if that changes the thinking any.

The different usages of the controller have different requirements, so I opted to make the ::get_for_post_type method be as conservative in possible in what it should return. It matches how create_initial_rest_routes works.

#11 @TimothyBlynJacobs
5 days ago

  • Keywords has-patch added; needs-refresh removed

#12 @TimothyBlynJacobs
5 days ago

  • Milestone changed from Future Release to 5.3

This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.


5 days ago

Note: See TracTickets for help on using tickets.