Opened 21 months ago

Closed 20 months ago

Last modified 20 months ago

#42828 closed defect (bug) (fixed)

Hard-coded 403 status in REST response should use `rest_authorization_required_code()`

Reported by: jaswrks
Owned by: rachelbaker
Milestone: 4.9.2
Priority: normal
Severity: normal
Version: 4.7
Component: REST API
Keywords: commit
Focuses: rest-api
Cc:

Description

Line 911 in the WP_REST_Server class currently uses a hard-coded 403 error code. It should be calling upon rest_authorization_required_code() to determine the proper response code; e.g., 401 instead of a 403 whenever a user is not logged in.

<?php
$response = new WP_Error( 'rest_forbidden', __( 'Sorry, you are not allowed to do that.' ), array( 'status' => 403 ) );

Should be:

<?php
$response = new WP_Error( 'rest_forbidden', __( 'Sorry, you are not allowed to do that.' ), array( 'status' => rest_authorization_required_code() ) );

Attachments (1)

42828.patch (740 bytes) - added by jaswrks 21 months ago.

Change History (7)

@jaswrks
21 months ago

#1 @rmccue
21 months ago

  • Keywords commit added
  • Milestone changed from Awaiting Review to 4.9.2
  • Version changed from trunk to 4.7

#2 @rachelbaker
20 months ago

  • Owner set to rachelbaker
  • Resolution set to fixed
  • Status changed from new to closed

In 42421:

REST API: Return the proper status code for failed permission callbacks in WP_REST_Server->dispatch().

Use the rest_authorization_required_code() function to return a 401 status code when a permission callback fails due to a user not being logged in.

Props jaswrks.
Fixes #42828.

#3 @rachelbaker
20 months ago

In 42422:

REST API: Return the proper status code for failed permission callbacks in WP_REST_Server->dispatch().

Use the rest_authorization_required_code() function to return a 401 status code when a permission callback fails due to a user not being logged in.

Merges [42421] to the 4.9 branch.

Props jaswrks.
Fixes #42828.

#4 @rachelbaker
20 months ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening because I missed committing the unit test changes needed here.

#5 @rachelbaker
20 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 42423:

REST API: Adjust unit tests to expect a 401 status code in error responses from permission callbacks when user is not authenticated.

Missed in [42421].

Fixes #42828.

#6 @rachelbaker
20 months ago

In 42427:

REST API: Adjust unit tests to expect a 401 status code in error responses from permission callbacks when user is not authenticated.

Missed in [42421].

Merges [42423] to the 4.9 branch.
Fixes #42828.
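
The following is an added example, not part of the ticket or of WordPress core: two ways a plugin's permission callback can fail, showing which one depends on the dispatch fallback changed here. The `example/v1` namespace, the route paths and the `example_report()` callback are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Example REST permission status codes (hypothetical)
 */

add_action( 'rest_api_init', function () {

	// Route A: the callback returns a bare false, so WP_REST_Server::dispatch()
	// builds the 'rest_forbidden' error itself. Before the fix in this ticket
	// that error always carried 403; with the fix, callers who are not logged
	// in receive 401 and logged-in callers without the capability receive 403.
	register_rest_route( 'example/v1', '/report-a', array(
		'methods'             => 'GET',
		'callback'            => 'example_report',
		'permission_callback' => function () {
			return current_user_can( 'manage_options' );
		},
	) );

	// Route B: the callback returns its own WP_Error, which dispatch() passes
	// through unchanged. The status is chosen here, so it does not depend on
	// whether the site runs a release that contains the fix.
	register_rest_route( 'example/v1', '/report-b', array(
		'methods'             => 'GET',
		'callback'            => 'example_report',
		'permission_callback' => function () {
			if ( current_user_can( 'manage_options' ) ) {
				return true;
			}
			return new WP_Error(
				'rest_forbidden',
				__( 'Sorry, you are not allowed to do that.' ),
				array( 'status' => rest_authorization_required_code() )
			);
		},
	) );
} );

// Hypothetical endpoint body; only reached when the permission callback passes.
function example_report( WP_REST_Request $request ) {
	return rest_ensure_response( array( 'ok' => true ) );
}
```

Clients and monitoring that treat 401 as "authenticate and retry" and 403 as "authenticated but not permitted" will see Route A change behaviour across the 4.9.2 boundary, while Route B stays the same.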