[wp-trac] [WordPress Trac] #57745: REST API post update fails with unchanged but auth-restricted meta value

WordPress Trac noreply at wordpress.org
Fri Feb 17 06:39:54 UTC 2023


#57745: REST API post update fails with unchanged but auth-restricted meta value
--------------------------+-----------------------------
 Reporter:  kadamwhite    |      Owner:  kadamwhite
     Type:  defect (bug)  |     Status:  assigned
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  REST API      |    Version:  6.1.1
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 Originally flagged by @ckoerner

 If there is a meta value registered for a REST object which requires
 authentication to change, updates to the parent object will fail on save
 even if the meta value is not being updated.

 Example:

 1. Register a post meta value, with `show_in_rest`, which defines a custom
 `auth_callback` which requires elevated permissions
 2. Open a post in the block editor (you can use the wp.data selectors to
 validate the meta value is set to its default value)
 3. Trigger a post save
 4. The post updates, because post data is processed before meta; but the
 PUT request will fail with a 403, because the (unchanged) meta value
 `auth_callback` is not satisfied

 What is expected: A save to a post with no changes to the passed data
 would succeed, and authentication for a meta field would only be invoked
 if the passed value differs.

 Note: this touches the same piece of code as #55600, and the goals of
 these two tickets may be incompatible. If a meta field has authentication
 required and a default value, when the REST response for that post is
 received which includes the default meta value and then PUT back to the
 server, this ticket argues that the unchanged value should be ignored and
 the authentication callback not invoked. #55600 argues that a default
 value should be written to the database on save, which would require an
 authentication check even if the value being sent back is the default.
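 The registration in step 1 of the report, written out as an added example
 (this is illustrative code, not code from the ticket or from WordPress
 core). The meta key `example_restricted_flag`, the capability
 `manage_options` and the default value are assumptions chosen for the
 illustration; the `register_post_meta()` arguments and the six-argument
 `auth_callback` signature are the ones WordPress core documents. With this
 in place, a non-administrator editing a post in the block editor hits the
 behaviour described above: the editor sends the unchanged default back in
 the PUT body, the `auth_callback` denies it, and the request returns 403
 even though nothing about the meta value changed.

```php
<?php
/**
 * Register a post meta field that is exposed to the REST API and whose
 * updates are gated behind an elevated capability.
 *
 * Hooked on `init` so the post type and REST schema are both ready.
 */
add_action( 'init', function () {
	register_post_meta(
		'post',
		'example_restricted_flag', // Assumed key for this illustration.
		array(
			'type'              => 'boolean',
			'single'            => true,
			'default'           => false,   // Default value, as in the ticket's scenario.
			'show_in_rest'      => true,    // Included in the REST `meta` object.
			'sanitize_callback' => 'rest_sanitize_boolean',

			/**
			 * Authorisation check for writes to this meta key.
			 *
			 * WordPress wires this callback to the
			 * `auth_post_meta_example_restricted_flag` filter with six
			 * arguments. Note that the incoming value is NOT among them, so
			 * the callback cannot tell an unchanged default from a real
			 * change; that is why the REST layer, not the callback, has to
			 * decide whether the check is needed at all.
			 */
			'auth_callback'     => function ( $allowed, $meta_key, $post_id, $user_id, $cap, $caps ) {
				// Assumed policy: only users who can manage options may change it.
				return user_can( $user_id, 'manage_options' );
			},
		)
	);
} );
```

 To observe the 403 from the editor, log in as a user without
 `manage_options` (an Editor, for example), open any post and save it without
 touching the field; the post content is written first, then the meta update
 is rejected and the save request as a whole reports a 403.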

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/57745>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform