[wp-trac] [WordPress Trac] #59875: Revisions controller: get_item can return a revision whose parent does not match the `parent` route fragment
WordPress Trac
noreply at wordpress.org
Fri Nov 10 05:20:14 UTC 2023
#59875: Revisions controller: get_item can return a revision whose parent does not
match the `parent` route fragment
-------------------------+-----------------------------
Reporter: ramonopoly | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version:
Severity: normal | Keywords: has-unit-tests
Focuses: rest-api |
-------------------------+-----------------------------
When fetching a single revision from the [https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php WP_REST_Revisions_Controller], it's possible
for `get_item` to return a revision whose parent does not match the
`parent` in the REST URL.
For example:
'/wp/v2/posts/${ someParent }/revisions/${ revisionOfSomeOtherParent }'
So long as `someParent` has a matching post type, and
`revisionOfSomeOtherParent` is a revision post type, I'll get the revision
object of `revisionOfSomeOtherParent`, whose parent is another id.
The consequence is that for any post type, I can return the revision of
a different parent post of that same type just by knowing the revision's
post ID.
See the failing tests over at https://github.com/WordPress/wordpress-develop/pull/5655
as an illustration of the issue.
It's a bit of an edge case but one, perhaps, that could be guarded against
for example by checking that `parent.id === revision.parent` or something.
What do folks think?
First noticed here:
https://github.com/WordPress/gutenberg/pull/55827#discussion_r1385977711
Related Slack discussion:
https://wordpress.slack.com/archives/C02RQC26G/p1699504213232439
--
Ticket URL: <https://core.trac.wordpress.org/ticket/59875>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
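
The parent check proposed in the ticket, as a stand-alone PHP model (an added example, not code from WordPress core or from the linked pull request). The in-memory `$posts` table, the function names, and the 404 status with its error codes are assumptions made for the illustration.

```php
<?php
// Constructed sample rows standing in for wp_posts (not real site content).
$posts = [
    10 => ['ID' => 10, 'post_type' => 'post',     'post_parent' => 0],
    20 => ['ID' => 20, 'post_type' => 'post',     'post_parent' => 0],
    11 => ['ID' => 11, 'post_type' => 'revision', 'post_parent' => 10],
    21 => ['ID' => 21, 'post_type' => 'revision', 'post_parent' => 20],
];

/**
 * Hypothetical model of the reported behaviour: parent and revision are each
 * validated on their own, and the pair is never checked for consistency.
 */
function get_revision_unchecked(array $posts, int $parent_id, int $revision_id): array
{
    $parent   = $posts[$parent_id] ?? null;
    $revision = $posts[$revision_id] ?? null;
    if ($parent === null || $parent['post_type'] !== 'post') {
        return ['status' => 404, 'code' => 'invalid_parent'];   // assumed code
    }
    if ($revision === null || $revision['post_type'] !== 'revision') {
        return ['status' => 404, 'code' => 'invalid_revision']; // assumed code
    }
    return ['status' => 200, 'revision' => $revision];
}

/** Same lookup plus the guard suggested in the ticket. */
function get_revision_checked(array $posts, int $parent_id, int $revision_id): array
{
    $result = get_revision_unchecked($posts, $parent_id, $revision_id);
    if ($result['status'] !== 200) {
        return $result;
    }
    // post_parent can arrive as a string from a database row, so cast it.
    if ((int) $result['revision']['post_parent'] !== $parent_id) {
        return ['status' => 404, 'code' => 'revision_parent_mismatch']; // assumed
    }
    return $result;
}

// Route shape from the ticket: /wp/v2/posts/{parent}/revisions/{revision}
foreach ([[10, 11], [10, 21]] as [$parent_id, $revision_id]) {
    $before = get_revision_unchecked($posts, $parent_id, $revision_id)['status'];
    $after  = get_revision_checked($posts, $parent_id, $revision_id)['status'];
    echo "parent=$parent_id revision=$revision_id unchecked=$before checked=$after\n";
}
```

The matching pair (10, 11) succeeds in both versions; the mismatched pair (10, 21) is served by the unchecked lookup and rejected once the parent comparison is in place.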