Make WordPress Core

Opened 2 years ago

Closed 12 months ago

#42303 closed defect (bug) (fixed)

REST API: Post status controller has wrong view permission check error message

Reported by: schlessera Owned by: joehoyle
Milestone: 5.0 Priority: normal
Severity: normal Version: 4.7
Component: REST API Keywords: has-patch
Focuses: rest-api Cc:
PR Number:

Description

The REST API post status controller has the following code to make a read-only permissions check for viewing the post statuses:

<?php
if ( 'edit' === $request['context'] ) {
    $types = get_post_types( array( 'show_in_rest' => true ), 'objects' );

    foreach ( $types as $type ) {
        if ( current_user_can( $type->cap->edit_posts ) ) {
            return true;
        }
    }
    // The message below refers to "this post type" although no post type is involved here.
    return new WP_Error( 'rest_cannot_view', __( 'Sorry, you are not allowed to edit posts in this post type.' ), array( 'status' => rest_authorization_required_code() ) );
}

This seems to be left-over copy-pasta from the post types controller.

I'd suggest sending the following WP_Error message instead:

__( 'Sorry, you are not allowed to manage post statuses.' )
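The check above with the proposed message, as an added illustration rather than WordPress core code; the WP_Error class and the WordPress functions it calls are replaced by minimal constructed stand-ins so the file runs on its own, and the 401/403 split in the stand-in for rest_authorization_required_code() mirrors what WordPress does for anonymous versus authenticated callers.

```php
<?php
// Added illustration, not WordPress core code. Everything in this first block
// is a constructed stand-in for the WordPress API so the script runs standalone.
class WP_Error {
    public $code; public $message; public $data;
    public function __construct( $code, $message, $data = array() ) {
        $this->code = $code; $this->message = $message; $this->data = $data;
    }
}
function __( $text ) { return $text; }
$GLOBALS['logged_in'] = false;
$GLOBALS['caps']      = array();
function is_user_logged_in() { return $GLOBALS['logged_in']; }
function current_user_can( $cap ) { return in_array( $cap, $GLOBALS['caps'], true ); }
// WordPress answers 401 to anonymous requests and 403 to logged-in users lacking the capability.
function rest_authorization_required_code() { return is_user_logged_in() ? 403 : 401; }
function get_post_types( $args, $output ) {
    return array( (object) array( 'cap' => (object) array( 'edit_posts' => 'edit_posts' ) ) );
}

// The permission check from the ticket, with the message the reporter proposes.
function statuses_permissions_check( array $request ) {
    if ( 'edit' === $request['context'] ) {
        foreach ( get_post_types( array( 'show_in_rest' => true ), 'objects' ) as $type ) {
            if ( current_user_can( $type->cap->edit_posts ) ) {
                return true;
            }
        }
        return new WP_Error(
            'rest_cannot_view',
            __( 'Sorry, you are not allowed to manage post statuses.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true; // the 'view' context needs no capability
}

// Anonymous request with context=edit: denied, HTTP 401.
$r = statuses_permissions_check( array( 'context' => 'edit' ) );
printf( "%s %d %s\n", $r->code, $r->data['status'], $r->message );
// Logged-in user without edit_posts on any REST-enabled type: denied, HTTP 403.
$GLOBALS['logged_in'] = true;
$r = statuses_permissions_check( array( 'context' => 'edit' ) );
printf( "%s %d %s\n", $r->code, $r->data['status'], $r->message );
// User holding edit_posts: allowed.
$GLOBALS['caps'] = array( 'edit_posts' );
var_dump( statuses_permissions_check( array( 'context' => 'edit' ) ) );
```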

Attachments (1)

42303.1.diff (846 bytes) - added by schlessera 2 years ago.
'Sorry, you are not allowed to manage post statuses.'

Change History (8)

@schlessera
2 years ago

'Sorry, you are not allowed to manage post statuses.'

#1 @schlessera
2 years ago

  • Keywords has-patch added

#2 in reply to: ↑ description @schlessera
2 years ago

Replying to schlessera:
Oh, sorry, I seem to have edited out the actual problem in my description: the error message does not match the intent of the controller.

#3 @joehoyle
23 months ago

  • Owner set to joehoyle
  • Status changed from new to accepted

#4 @joehoyle
23 months ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 42356:

REST API: Fix permissions error message in post statuses controller.

The permissions error message when a request tries to fetch post statuses unauthenticated is incorrect. It was a copy/paste from elsewhere, as indicated by the use of "in this post type" where there is no post type referenced.

Props schlessera.
Fixes #42303.

#5 @netweb
23 months ago

  • Milestone changed from Awaiting Review to 5.0

#6 @SergeyBiryukov
12 months ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

[42356] should be backported to the 5.0 branch.

#7 @danielbachhuber
12 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 43755:

REST API: Fix permissions error message in post statuses controller.

The permissions error message when a request tries to fetch post statuses unauthenticated is incorrect. It was a copy/paste from elsewhere, as indicated by the use of "in this post type" where there is no post type referenced.

Props schlessera.
Merges [42356] to the 5.0 branch.
Fixes #42303.