[wp-trac] [WordPress Trac] #43681: Incorrect HTTP status code in 'posts' query.
WordPress Trac
noreply at wordpress.org
Tue Jun 24 09:57:06 UTC 2025
#43681: Incorrect HTTP status code in 'posts' query.
-------------------------------------------------+-------------------------
Reporter: demitrimuna | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: REST API | Version: 4.4
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests has-test-info needs-testing has-screenshots | Focuses: rest-api
-------------------------------------------------+-------------------------
Changes (by krupajnanda):
* keywords: has-patch has-unit-tests has-test-info needs-testing => has-patch has-unit-tests has-test-info needs-testing has-screenshots
Comment:
== Test Report
=== Description
This report validates the indicated patch is partially working as
expected.
Patch tested: https://github.com/WordPress/wordpress-develop/pull/8991
=== Environment
- WordPress: 6.9-alpha-60093-src
- PHP: 8.2.15
- Server: nginx/1.25.3
- Database: mysqli (Server: 8.4.5 / Client: mysqlnd 8.2.15)
- Browser: Chrome 137.0.0.0
- OS: macOS
- Theme: Twenty Twenty-Five 1.2
- MU Plugins: None activated
- Plugins:
* PublishPress Capabilities 2.19.2
* Test Reports 1.2.0
=== Actual Results
1. The issue is not completely resolved with the given patch.
=== Additional Notes
- ✅ I tried to replicate the bug and I was able to recreate the issue in
my setup.
- ✅ After checking out the code at this PR, the baseline state issue is
resolved.
- ⚠️ However, 403 Forbidden is not observed in unauthorized scenarios —
instead, all such cases return 401 Unauthorized.
🔍 Scenarios & Results
1. **User with/without extra capabilities querying status=private:**
- User created with no additional capabilities
- Sent GET request to: /wp-json/wp/v2/posts?status=private
- Expected: 403 Forbidden
- Actual: ❌ Received 401 Unauthorized
2. **User with/without read_private_posts capability querying status=draft:**
- Same user from scenario 1
- Sent GET request to: /wp-json/wp/v2/posts?status=draft
- Expected: 403 Forbidden
- Actual: ❌ Received 401 Unauthorized
=== Supplemental Artifacts
Add as Attachment
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43681#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform