Make WordPress Core

Opened 3 months ago

Last modified 2 months ago

#52112 new defect (bug)

get_test_rest_availability() test should point to different endpoint (where no current_user_can() check is made)

Reported by: szaqal21
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.6
Component: Site Health
Keywords:
Focuses:
Cc:

Description

Using system cron, when the wp_site_health_scheduled_check event is triggered there is no way to determine the user (the auth cookie isn't set, which causes wp_get_current_user() to return an "empty" user). This scenario results in the REST API being reported unavailable, because the /wp-json/wp/v2/types/post?context=edit endpoint does a caps check:

<?php
// Fragment of the REST post types controller
// (wp-includes/rest-api/endpoints/class-wp-rest-post-types-controller.php):
// with context=edit the handler requires the edit_posts capability, so an
// anonymous request gets rest_forbidden_context with the status from
// rest_authorization_required_code() (401 when nobody is logged in).
if ( 'edit' === $request['context'] && ! current_user_can( $obj->cap->edit_posts ) ) {
	return new WP_Error(
		'rest_forbidden_context',
		__( 'Sorry, you are not allowed to edit posts in this post type.' ),
		array( 'status' => rest_authorization_required_code() )
	);
}

Triggering Site Health from wp-admin (browser) works fine because the user is authenticated by the auth cookie.

get_test_rest_availability() should check an endpoint where no caps check is made, or ?context=edit should be removed to bypass the caps check.
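The failure mode described in this ticket, as an added diagnostic that is not part of the ticket or of WordPress core. It mirrors the loopback request Site Health builds (the current request's cookies plus an X-WP-Nonce header) against wp/v2/types/post and then classifies the answer, so that a caps failure on an anonymous request can be told apart from the REST API actually being unreachable. It assumes it runs inside a loaded WordPress (a mu-plugin, or `wp eval-file`); the function names prefixed `example_` are hypothetical.

```php
<?php
/**
 * Added example, not WordPress core code: probe wp/v2/types/post the way
 * Site Health does and classify the result. Assumes WordPress is loaded.
 *
 * @param string $context 'edit' (what core uses) or 'view' (no caps check).
 * @return array{status:string,http_code:int,rest_code:string}
 */
function example_probe_rest_types_endpoint( $context = 'edit' ) {
	$url = add_query_arg( array( 'context' => $context ), rest_url( 'wp/v2/types/post' ) );

	// Same authentication material Site Health forwards: the current request's
	// cookies plus a wp_rest nonce. Under system cron $_COOKIE is empty and there
	// is no current user, so the loopback request arrives anonymous.
	$args = array(
		'timeout'   => 10,
		'cookies'   => wp_unslash( $_COOKIE ),
		'headers'   => array(
			'Cache-Control' => 'no-cache',
			'X-WP-Nonce'    => wp_create_nonce( 'wp_rest' ),
		),
		'sslverify' => apply_filters( 'https_local_ssl_verify', false ),
	);

	$response = wp_remote_get( $url, $args );

	// Transport-level failure: the REST API really is unreachable.
	if ( is_wp_error( $response ) ) {
		return array(
			'status'    => 'unreachable',
			'http_code' => 0,
			'rest_code' => (string) $response->get_error_code(),
		);
	}

	$http_code = (int) wp_remote_retrieve_response_code( $response );
	$body      = json_decode( wp_remote_retrieve_body( $response ), true );
	$rest_code = ( is_array( $body ) && isset( $body['code'] ) ) ? (string) $body['code'] : '';

	// 200 with a post type object: the API works and, for context=edit, the
	// request carried a user with edit_posts.
	if ( 200 === $http_code && is_array( $body ) && isset( $body['slug'] ) ) {
		return array( 'status' => 'ok', 'http_code' => $http_code, 'rest_code' => '' );
	}

	// rest_forbidden_context is the caps check from the handler quoted above.
	// rest_authorization_required_code() yields 401 for an anonymous request
	// (the cron case in this ticket) and 403 for a logged-in user without
	// edit_posts. Either way the API answered; this is not an outage.
	if ( 'rest_forbidden_context' === $rest_code ) {
		return array(
			'status'    => ( 401 === $http_code ) ? 'anonymous_request' : 'insufficient_caps',
			'http_code' => $http_code,
			'rest_code' => $rest_code,
		);
	}

	return array( 'status' => 'unexpected', 'http_code' => $http_code, 'rest_code' => $rest_code );
}

/**
 * Run the probe with both contexts in the calling context and log the outcome.
 * From system cron or `wp eval-file` there is no auth cookie, so context=edit
 * is expected to come back as 'anonymous_request' while context=view is 'ok';
 * from an authenticated wp-admin request both should be 'ok'.
 */
function example_report_rest_probe() {
	if ( wp_doing_cron() ) {
		$who = 'cron';
	} elseif ( is_user_logged_in() ) {
		$who = 'user ' . get_current_user_id();
	} else {
		$who = 'anonymous';
	}

	foreach ( array( 'edit', 'view' ) as $context ) {
		$r = example_probe_rest_types_endpoint( $context );
		error_log( sprintf(
			'[%s] context=%s -> %s (HTTP %d%s)',
			$who,
			$context,
			$r['status'],
			$r['http_code'],
			'' !== $r['rest_code'] ? ', ' . $r['rest_code'] : ''
		) );
	}
}
```

Calling example_report_rest_probe() from a cron hook and then from a logged-in admin page makes the difference visible in the PHP error log: the same endpoint answers 200 to the cookie-authenticated probe and 401 rest_forbidden_context to the cron probe, which is why a check that treats any non-200 as "REST API unavailable" misreports under system cron.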

Change History (4)

#1 @SergeyBiryukov
3 months ago

  • Summary changed from get_test_rest_availability() test should point to diffrent ednpoint (where no current_user_can() check is made) to get_test_rest_availability() test should point to diffrent endpoint (where no current_user_can() check is made)

#3 @TimothyBlynJacobs
2 months ago

The check including context is intentional because it allows us to determine whether Gutenberg will be able to function properly. In other words, it tests that authenticated requests to the REST API work, and that query parameters are properly parsed and context evaluated.

This is probably one of the tests that should only be done in a "live" mode that @clorith mentions.

#4 @TimothyBlynJacobs
2 months ago

#52104 was marked as a duplicate.
