Autosaves controller: Post checks will never catch invalid IDs

[coreymckrill]

The create_item and create_post_autosave methods both try to check if the id parameter in a request is for a valid post, by calling the get_post function. The problem is that both methods expect that if it's not a valid post, it will return a WP_Error object, when in fact get_post only returns null on failure.

The Posts controller has a protected get_post method that will generate an appropriate WP_Error for this case, but neither the Autosaves, nor its parent Revisions controller has a similar method. Copying that method to the Revisions controller, and then using it in the create_* methods seems like the best approach here.

[donmhico]

Created a PR here - ​https://github.com/WordPress/wordpress-develop/pull/1145 - i'm not sure why the PR is not attached in this ticket. PR still needs unit test though.

This PR copies the implementation of get_post() from WP_REST_Posts_Controller to WP_REST_Autosaves_Controller so create_item() and create_post_autosave() would return the correct WP_Error on get_post() failure.

I'll try to add a unit test when possible.

Trac ticket: https://core.trac.wordpress.org/ticket/52925

[hermpheus]

Hi @donmhico , I have some suggestions for unit tests. I made a pull request into your branch here ​https://github.com/donmhico/wordpress-develop/pull/1.

[whyisjake]

I like the changes from @hermpheus. Can we get a unified PR created?