[wp-trac] [WordPress Trac] #39881: `WP_REST_Posts_Controller::check_read_permission()` should check if `$parent` exists before calling itself

WordPress Trac noreply at wordpress.org
Fri Feb 24 23:06:05 UTC 2017


#39881: `WP_REST_Posts_Controller::check_read_permission()` should check if
`$parent` exists before calling itself
-------------------------------------------------+-------------------------
 Reporter:  GhostToast                           |       Owner:  rachelbaker
     Type:  defect (bug)                         |      Status:  reviewing
 Priority:  normal                               |   Milestone:  4.7.4
Component:  REST API                             |     Version:  4.7
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch dev-feedback               |     Focuses:  rest-api
            needs-unit-tests                     |
-------------------------------------------------+-------------------------
Changes (by jnylen0):

 * keywords:  has-patch => has-patch dev-feedback needs-unit-tests


Comment:

 I investigated this a bit more, thinking that it might be pretty simple to
 fix, but I'm going to stick with my earlier recommendation to punt.
 Here's why:

 - It's not clear to me how a post would get into this situation in the
 first place.  `wp_delete_post`
 [https://core.trac.wordpress.org/browser/tags/4.7.2/src/wp-includes/post.php?marks=2467-2468,2486#L2465 handles this situation]
 by resetting the `post_parent` of any attachments, so this is likely to be
 very uncommon.

 - WP core itself is pretty broken when this situation does occur.  I
 forced it manually for the following attachment -
 https://nylen.io/wp-dev/i-need-dis-otter/ - you'll note the page 404s,
 which is also the case when I'm logged in.  However, wp-admin still points
 here for the attachment description page, and this is the value of the
 `link` field in the REST API response.  (The API URL is
 https://nylen.io/wp-dev/wp-json/wp/v2/media/21, which I can only view when
 authenticated.)

 Given the above, this needs more discussion, probably a broader fix than
 just the REST API, and of course unit tests.  The existing behavior is
 kind of broken, but at least it's consistently broken in wp-admin and the
 REST API.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39881#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

