[wp-trac] [WordPress Trac] #52104: False positive REST API error in Site Health when triggered by wp_site_health_scheduled_check event
WordPress Trac
noreply at wordpress.org
Thu Dec 17 11:14:38 UTC 2020
#52104: False positive REST API error in Site Health when triggered by wp_site_health_scheduled_check event
--------------------------+-----------------------------
Reporter: szaqal21 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Site Health | Version: 5.6
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
I'm using system cron (DISABLE_WP_CRON = true), but I think the cron type
doesn't matter (system or WP Cron), and I filter requests to the REST API to
allow only logged-in users.
{{{#!php
<?php
add_filter( 'rest_authentication_errors', 'force_rest_auth' );
function force_rest_auth( $result ) {
    // Another authentication handler already produced a result; keep it.
    if ( ! empty( $result ) ) {
        return $result;
    }
    // Anonymous request: reject with a 401.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'Only authenticated users can access the REST API.', 'security-hardener' ),
            array( 'status' => 401 )
        );
    }
    return $result;
}
}}}
Cron events are executed as an unknown user (ID 0); when a scheduled check
is made for the post type caps:
{{{
/wp-json/wp/v2/types/post?context=edit
}}}
the response code is 401 (raw response):
{{{
{"code":"rest_forbidden_context","message":"Sorry, you are not allowed to edit posts in this post type.","data":{"status":401}}
}}}
This causes false results in the Site Health dashboard widget. When Site
Health isn't triggered manually from wp-admin I get 2 errors in the dashboard
widget, but when I enter Site Health from wp-admin, only 1 error is shown.
If I hit:
{{{
/wp-json/wp/v2/types/post?context=edit
}}}
or
{{{
/wp-json/
}}}
in an incognito tab (not logged in), both endpoints return my custom 401
error for not-logged-in users, so my code works fine, but when I hit those
endpoints in a normal tab (I'm logged in):
{{{
/wp-json/
}}}
recognizes me and returns the proper result, but:
{{{
/wp-json/wp/v2/types/post?context=edit
}}}
doesn't recognize me:
{{{#!php
<?php
// Excerpt from WP_REST_Post_Types_Controller::get_item() in core.
if ( 'edit' === $request['context'] && ! current_user_can( $obj->cap->edit_posts ) ) {
    return new WP_Error(
        'rest_forbidden_context',
        __( 'Sorry, you are not allowed to edit posts in this post type.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}
}}}
The current_user_can() check in the get_item() method of class
WP_REST_Post_Types_Controller returns false.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52104>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform