sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

REST API: Short-circuit comment controller permissions check if commented-upon post type does not exist.

Browse Source 
Props imani3011, dragosh635, subrataemfluence, timothyblynjacobs.
Fixes #42238.



git-svn-id: https://develop.svn.wordpress.org/trunk@47036 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
K. Adam White 2020-01-03 18:42:09 +00:00
parent a35e46a937
commit 172e0b01c6
2 changed files with 34 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
View File

@ -1592,7 +1592,13 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
* @return bool Whether post can be read. * @return bool Whether post can be read.
*/ */
protected function check_read_post_permission( $post, $request ) { protected function check_read_post_permission( $post, $request ) {
$post_type = get_post_type_object( $post->post_type ); $post_type = get_post_type_object( $post->post_type );
// Return false if custom post type doesn't exist
if ( ! $post_type ) {
return false;
}
$posts_controller = $post_type->get_rest_controller(); $posts_controller = $post_type->get_rest_controller();
// Ensure the posts controller is specifically a WP_REST_Posts_Controller instance // Ensure the posts controller is specifically a WP_REST_Posts_Controller instance

27
tests/phpunit/tests/rest-api/rest-comments-controller.php
View File

@ -3240,4 +3240,31 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
$this->assertArrayNotHasKey( 'raw', $data['content'] ); $this->assertArrayNotHasKey( 'raw', $data['content'] );
} }
} }
/**
* @ticket 42238
*/
public function test_check_read_post_permission_with_invalid_post_type() {
register_post_type(
'bug-post',
array(
'label' => 'Bug Posts',
'supports' => array( 'title', 'editor', 'author', 'comments' ),
'show_in_rest' => true,
'public' => true,
)
);
create_initial_rest_routes();
$post_id = self::factory()->post->create( array( 'post_type' => 'bug-post' ) );
$comment_id = self::factory()->comment->create( array( 'comment_post_ID' => $post_id ) );
_unregister_post_type( 'bug-post' );
$this->setExpectedIncorrectUsage( 'map_meta_cap' );
wp_set_current_user( self::$admin_id );
$request = new WP_REST_Request( 'GET', '/wp/v2/comments/' . $comment_id );
$response = rest_get_server()->dispatch( $request );
$this->assertEquals( 403, $response->get_status() );
}
} }