Post Passwords over 255 are not controlled in Quick Edit, nor reported Server Level.

[SirLouen]

In [38590] max length was increased from 20 to 255 for post_password
The problem is that, if a post is over 255, there is no server side validation, and this is not enforced in the Quick Edit panel either with a maxlenght

In the database, obviously the 255+ character password will be truncated, but the user will never know this.

[rishabhwp]

Hey @SirLouen,
I am able to reproduce the issue. I’ll be happy to work on it and raise a PR.

[SirLouen]

From the testing side, it looks good.

I had to open the maxlength to check this

Also in Gutenberg, as expected, the error

Maybe this could follow up with a patch for API/Gutenberg to show the right message.

And the error in the Post Editor as expected also

For the code review part: For the error section, I would set something like invalid_post_password_length to be more explicit. Also, you don't need to add the Error: in front of the sentence.

For the test, try to keep it simpler and remove all the assertions that are not really straight to the point. We all know that when you use an AI to assist you in building the unit tests, it adds too much fluff, but you have to try to walk the extra mile and clean them up to go straight to the point with the minimal and best possible selection of asserts.

And even more importantly, check (I have not checked) if you are not repeating tests. For example, we can be 100% sure that there is no check for the WP_Error because we are creating it in this patch. But are you completely sure there are no other tests already checking the validity of a post_password?

[rishabhwp]

Thanks for reviewing the PR!

For the code review part: For the error section, I would set something like invalid_post_password_length to be more explicit. Also, you don't need to add the Error: in front of the sentence.

I've updated the error code to invalid_post_password_length and removed the "Error:" prefix to make it more explicit.

For the test, try to keep it simpler and remove all the assertions that are not really straight to the point.

I simplified the test. Now it only checks that passwords longer than 255 characters return the right error. When you say ‘remove all the assertions that are not really straight to the point,’ do you mean the extra ​asserts in the PR?

But are you completely sure there are no other tests already checking the validity of a post_password?

I did check and found there's a test_post_password() function in ​results.php, but it only tests password-protected post queries, not the validation logic itself. The _wp_translate_postdata() function didn't have any existing password length validation tests, so this new test is covering a gap in the test suite.

[SirLouen]

Replying to rishabhwp:

I did check and found there's a test_post_password() function in ​results.php, but it only tests password-protected post queries, not the validation logic itself. The _wp_translate_postdata() function didn't have any existing password length validation tests, so this new test is covering a gap in the test suite.

In this case, you can perfectly add the other test.

You could also be adding some extra tests like for example having a user without publish_post cap calling to this function with a post_password and checking if the resulting array from this function has the password unset (just to add more coverage to this function)

[rishabhwp]

Replying to SirLouen:

You could also be adding some extra tests like for example having a user without publish_post cap calling to this function with a post_password and checking if the resulting array from this function has the password unset (just to add more coverage to this function)

I’ve added the test case for additional coverage and addressed all the review comments on the PR. Thanks for the feedback!

[SirLouen]

Ready for testing.