Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revisions Controller: return single revision only when it matches the parent id #5655

Closed
wants to merge 8 commits into from
Closed

Revisions Controller: return single revision only when it matches the parent id #5655

wants to merge 8 commits into from

Conversation

ramonjd
Copy link
Member

@ramonjd ramonjd commented Nov 10, 2023
edited
Loading

This patch adds a condition to WP_REST_Revisions_Controller->get_item that checks the revision parent id against the supplied parent id.

If it doesn't match, the method returns a 404.

This is to ensure that get_item does not return a revision whose parent does not match the parent route fragment.

Test coverage added.

Run tests: npm run test:php -- --filter WP_Test_REST_Revisions_Controller

Commit 1a7ff6c demonstrates that currently, get_item() can return the revision of different parent post of that same type.

Trac ticket: https://core.trac.wordpress.org/ticket/59875

This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.

andrewserong
andrewserong reviewed Nov 13, 2023
View reviewed changes
Copy link
Contributor

@andrewserong andrewserong left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for following up with this fix! Looks like a good approach to me, just left a tiny comment about the value used in the error message.

src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php Outdated Show resolved Hide resolved
@ramonjd
Adding some tests to check whether get_item can return a revision who…
f6f8e3f 
…se parent does not match the `parent` route fragment.
@ramonjd
Add a condition to get_item that checks the revision parent id agains…
6fdc982 
…t the supplied parent id.

If it doesn't match, return a 404
Updated test coverage

Update error message in class-wp-rest-revisions-controller.php
@ramonjd ramonjd force-pushed the try/revisions-controller-get-item-valid-parent branch from 9f528bf to 6fdc982 Compare November 13, 2023 23:11
danielbachhuber
danielbachhuber approved these changes Nov 19, 2023
View reviewed changes
Copy link
Member

@danielbachhuber danielbachhuber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Thanks for your work on this, @ramonjd

I'll let @adamsilverstein give it a final review.

src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php Outdated Show resolved Hide resolved
src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php Outdated Show resolved Hide resolved
@ramonjd @danielbachhuber
Apply suggestions from code review
6d489eb 
string replacement type signifier %d

Co-authored-by: Daniel Bachhuber <[email protected]>
@ramonjd
Copy link
Member Author

ramonjd commented Nov 19, 2023

Thanks, folks. I appreciate the testing and reviews!

adamsilverstein
adamsilverstein approved these changes Nov 20, 2023
View reviewed changes
Copy link
Member

@adamsilverstein adamsilverstein left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work!

@ramonjd ramonjd mentioned this pull request Nov 23, 2023
Closed
@jonnynews
Copy link

@ramonjd Has this change been tested with https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-template-revisions-controller.php controller that extends this controller?

@ramonjd
Copy link
Member Author

ramonjd commented Nov 27, 2023

Has this change been tested with https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-template-revisions-controller.php controller that extends this controller?

Good point. I can add a relevant unit test to the WP_REST_Template_Revisions_Controller test suite.

@ramonjd
Copy link
Member Author

ramonjd commented Nov 28, 2023
edited
Loading

I can confirm that we'll need to overwrite get_item() in WP_REST_Template_Revisions_Controller to account for the wp_id > parent relationship between template record and their revisions.

Screenshot 2023-11-28 at 1 56 16 pm

I'll do this and add a test to this PR since it's related, and also check any other post types that extend this controller.

No. I was mixing up the results of get_post and WP_REST_Template_Revisions_Controller.

See below.

@ramonjd
Copy link
Member Author

ramonjd commented Nov 28, 2023
edited
Loading

I can confirm that we'll need to overwrite get_item() in WP_REST_Template_Revisions_Controller to account for the wp_id > parent relationship between template record and their revisions.

Actually, withdraw that, I should have checked WP_REST_Revisions_Controller::get_item before posting.

The check in get_item that this PR introduces does so by comparing the results of get_post for both the parent and the revision.

The results of get_post is independent of the WP_REST_Template_Revisions_Controller which performs all the wp_id faffery: get_post will return integer IDs and parent IDs for template posts and revisions alike.

Regardless, WP_REST_Template_Revisions_Controller has unit tests for get_item, which would have failed otherwise.

I've also double checked other registered post types, none of which, wp_template and wp_template_part notwithstanding, define a custom revisions_rest_controller_class.

I'd submit, therefore, that this PR is fine as it is.

Thanks for the reviews!

spacedmonkey

This comment was marked as outdated.

Sign in to view

@ramonjd
Copy link
Member Author

ramonjd commented Dec 19, 2023

Thanks a lot for the feedback @spacedmonkey! 🙇🏻 I'll get it done today or tomorrow.

@ramonjd
Changed duped error code
ff84ef6 
Adding parent id revision parent_id mismatch invalid test to the templates revisions controller tests

Remove specific mention of "post" to discern between other post types, e.g., "template"
@ramonjd ramonjd force-pushed the try/revisions-controller-get-item-valid-parent branch from ae49d86 to ff84ef6 Compare December 20, 2023 19:59
@github-actions GitHub Actions
Copy link

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • The Plugin and Theme Directories cannot be accessed within Playground.
  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

adamsilverstein
adamsilverstein approved these changes Dec 21, 2023
View reviewed changes
Copy link
Member

@adamsilverstein adamsilverstein left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent, thanks for all the tests!

@tellthemachines
Copy link
Contributor

Committed in r57222.

ramonjd added a commit to ramonjd/wordpress-develop that referenced this pull request Jan 31, 2024
@ramonjd
Now that WordPress#5655 has landed, use inherited methods for getting…
f7cf55a 
… individual items.
ramonjd added a commit to ramonjd/wordpress-develop that referenced this pull request Feb 7, 2024
@ramonjd
Now that WordPress#5655 has landed, use inherited methods for getting…
b43344d 
… individual items.
ramonjd added a commit to ramonjd/wordpress-develop that referenced this pull request Feb 14, 2024
@ramonjd
Brings global styles controller in line with the changes from WordPre…
f87622d 
…ss#5655
@ramonjd ramonjd mentioned this pull request Feb 14, 2024
Closed
ramonjd added a commit to WordPress/gutenberg that referenced this pull request Feb 15, 2024
@ramonjd
Backports from Core, the changes in WordPress/wordpress-develop#6108
5bc68dc 
This is required to sync with WordPress/wordpress-develop#5655
@ramonjd ramonjd mentioned this pull request Feb 15, 2024
Merged
ramonjd added a commit to WordPress/gutenberg that referenced this pull request Feb 15, 2024
@ramonjd @andrewserong
Backports from Core, the changes in WordPress/wordpress-develop#6108 (#…
ac607f4 
…59049)

This is required to sync with WordPress/wordpress-develop#5655

Co-authored-by: ramonjd <[email protected]>
Co-authored-by: andrewserong <[email protected]>
ramonjd added a commit to ramonjd/wordpress-develop that referenced this pull request May 18, 2024
@ramonjd
Now that WordPress#5655 has landed, use inherited methods for getting…
fd33d14 
… individual items.
ramonjd added a commit to ramonjd/wordpress-develop that referenced this pull request May 28, 2024
@ramonjd
Now that WordPress#5655 has landed, use inherited methods for getting…
e7d8ddd 
… individual items.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewserong andrewserong andrewserong left review comments

@danielbachhuber danielbachhuber danielbachhuber approved these changes

@adamsilverstein adamsilverstein adamsilverstein approved these changes

@jonnynews jonnynews Awaiting requested review from jonnynews

@spacedmonkey spacedmonkey Awaiting requested review from spacedmonkey

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@ramonjd @jonnynews @tellthemachines @danielbachhuber @spacedmonkey @adamsilverstein @andrewserong