[wp-trac] [WordPress Trac] #39881: `WP_REST_Posts_Controller::check_read_permission()` should check if `$parent` exists before calling itself
WordPress Trac
noreply at wordpress.org
Wed Feb 15 14:36:00 UTC 2017
#39881: `WP_REST_Posts_Controller::check_read_permission()` should check if
`$parent` exists before calling itself
--------------------------+-----------------------------
Reporter: GhostToast | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: trunk
Severity: normal | Keywords:
Focuses: rest-api |
--------------------------+-----------------------------
In `WP_REST_Posts_Controller::check_read_permission()` there ends up being
a check for if the `post_status` of the post in question is `'inherit'`
and if the `post_parent` is greater than 0. It then checks the parent for
permissions regarding the child. However, sometimes (as I have found with
attachments), the child believes it has a parent, but the parent is
missing. This results in a `null` post being sent to
`$this->check_is_post_type_allowed()` which fails early and throws error
about property of non-object.
I believe if the parent is missing, the next sequence should take
precedence: which is that if `post_status` is `'inherit'`,
`check_read_permission()` returns true. This would essentially be the same
as if the `post_parent` value was set to `0`.
A simple check if `$parent` has a value before passing it to a recursive
call of `check_read_permission()` can alleviate this.
To reproduce this error, try to access a post with attachments, using
`_embed` on the REST API, where one of the attachments has a `post_parent`
that is invalid (integer that doesn't exist in corresponding `wp_posts`
table).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39881>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list