Make WordPress Core

Opened 14 months ago

Last modified 13 months ago

#40383 new defect (bug)

Comments Controller is not checking permission of Custom Post Type controller class

Reported by: langan
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.7.3
Component: REST API
Keywords: has-patch needs-unit-tests
Focuses:
Cc:

Description

In class-wp-rest-comments-controller.php

	protected function check_read_post_permission( $post, $request ) {
		$posts_controller = new WP_REST_Posts_Controller( $post->post_type );

$posts_controller is hard-coded to use WP_REST_Posts_Controller

But what if you have set

    'rest_controller_class' => 'Plugin_REST_CPT_Controller',

Shouldn't the check_read_post_permission function check for a custom post type controller class first?

Something like this

	protected function check_read_post_permission( $post, $request ) {
		$post_type = get_post_type_object( $post->post_type );
		$posts_controller_class = ! empty( $post_type->rest_controller_class ) ? $post_type->rest_controller_class : 'WP_REST_Posts_Controller';
		$posts_controller = new $posts_controller_class( $post->post_type );

Would be happy to push a fix for this if needed
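The dispatch problem described above, as an added example that is not part of this ticket, of the attached patch, or of WordPress core. It models the two code paths side by side: a base posts controller, a custom controller registered for a post type the way 'rest_controller_class' would register it, and a resolver that picks the class the way the description proposes, with the class_exists check from comment #2 and a check that the named class is actually a posts controller. The classes Fake_Posts_Controller and Plugin_REST_CPT_Controller, the resolve_controller_class() helper, the can_read_comments_*() functions and the post and post-type objects are constructed stand-ins (the real WP_REST_Posts_Controller, get_post_type_object() and the core permission logic are not used), so it runs with plain php and no WordPress install. The point it makes is the security-relevant one: when the comments controller hard-codes the base class, a read restriction that the custom controller enforces on its posts is not applied to those posts' comments.

```php
<?php
// Added example, not WordPress core code and not the patch from this ticket.
// Every class, function and object below is a constructed stand-in.

// Stand-in for WP_REST_Posts_Controller: the base rule only hides
// posts that are not published.
class Fake_Posts_Controller {
    public $post_type;

    public function __construct( $post_type ) {
        $this->post_type = $post_type;
    }

    public function check_read_permission( $post ) {
        return 'publish' === $post->post_status;
    }
}

// A custom post type controller, as a plugin would register through
// 'rest_controller_class'. It adds its own rule: published posts flagged
// members_only are not readable by the (anonymous) requester.
class Plugin_REST_CPT_Controller extends Fake_Posts_Controller {
    public function check_read_permission( $post ) {
        if ( ! parent::check_read_permission( $post ) ) {
            return false;
        }
        return empty( $post->members_only );
    }
}

// Resolve the controller class for a post type object, as the ticket
// proposes. Fall back to the base class when the property is absent,
// names a class that is not loaded (the class_exists check from comment #2),
// or names a class that is not a posts controller and so cannot be expected
// to implement check_read_permission().
function resolve_controller_class( $post_type_object, $base = 'Fake_Posts_Controller' ) {
    $class = isset( $post_type_object->rest_controller_class )
        ? $post_type_object->rest_controller_class
        : '';

    if ( '' === $class || ! class_exists( $class ) ) {
        return $base;
    }
    if ( $class !== $base && ! is_subclass_of( $class, $base ) ) {
        return $base;
    }
    return $class;
}

// Current behaviour from the ticket: the comments path always builds the
// base controller, whatever the post type registered.
function can_read_comments_hardcoded( $post ) {
    $controller = new Fake_Posts_Controller( $post->post_type );
    return $controller->check_read_permission( $post );
}

// Proposed behaviour: honour the post type's rest_controller_class.
function can_read_comments_resolved( $post, $post_type_object ) {
    $class      = resolve_controller_class( $post_type_object );
    $controller = new $class( $post->post_type );
    return $controller->check_read_permission( $post );
}

// Constructed post type objects and a constructed post.
$cpt     = (object) array( 'name' => 'document', 'rest_controller_class' => 'Plugin_REST_CPT_Controller' );
$missing = (object) array( 'name' => 'broken', 'rest_controller_class' => 'Class_That_Was_Never_Loaded' );
$plain   = (object) array( 'name' => 'post' );

$secret = (object) array(
    'post_type'    => 'document',
    'post_status'  => 'publish',
    'members_only' => true,
);

printf( "hard-coded base controller grants read on members-only document comments: %s\n",
    can_read_comments_hardcoded( $secret ) ? 'yes' : 'no' );
printf( "resolved CPT controller grants read: %s\n",
    can_read_comments_resolved( $secret, $cpt ) ? 'yes' : 'no' );
printf( "unloaded class falls back to: %s\n", resolve_controller_class( $missing ) );
printf( "missing property falls back to: %s\n", resolve_controller_class( $plain ) );
```

Running it shows the hard-coded path granting read access to the members-only document's comments while the resolved path denies it, and both fallback cases landing on the base class. The is_subclass_of() guard is the extra check a reviewer would want beyond class_exists(): a plugin can put any string in rest_controller_class, and instantiating an unrelated class with one constructor argument and then calling check_read_permission() on it would be a fatal error at request time.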

Attachments (1)

40383.diff (2.2 KB) - added by joehoyle 13 months ago.


Change History (4)

#1 follow-up: @swissspidy
14 months ago

Hey there,

Thanks for your report! At first glance this looks reasonable to me. I'll leave this for the REST API team to verify though.

#2 in reply to: ↑ 1 @langan
14 months ago

No problem @swissspidy

I think we will need to add a class_exists check on the class, but the quick hack I added above worked for me when I created a custom post type and made some comments.

@joehoyle
13 months ago

#3 @joehoyle
13 months ago

  • Keywords has-patch needs-unit-tests added

Added a patch to support the custom controller on the comments and revisions endpoints. This needs unit tests, which I am working on; however, setting up the custom controller via unit test is a little laborious, so not quite there yet.
