Skip to content

REST API: Return 404 for invalid post ID in Comments update_item().#12545

Open
dhrupo wants to merge 2 commits into
WordPress:trunkfrom
dhrupo:ticket-65050-rest-comments-invalid-post-id-404
Open

REST API: Return 404 for invalid post ID in Comments update_item().#12545
dhrupo wants to merge 2 commits into
WordPress:trunkfrom
dhrupo:ticket-65050-rest-comments-invalid-post-id-404

Conversation

@dhrupo

@dhrupo dhrupo commented Jul 15, 2026

Copy link
Copy Markdown

Summary

WP_REST_Comments_Controller::update_item() returned HTTP 403 (Forbidden) when the request targeted a non-existent post ID (e.g. PUT /wp/v2/comments/<id> with post set to a missing post). The correct status is 404 (Not Found): the post is a missing resource, not an authorization failure.

This also makes update_item() consistent with get_item(), which already returns 404 for the same "post does not exist" scenario within the same controller.

Changes

  • class-wp-rest-comments-controller.php: change the rest_comment_invalid_post_id error status from 403 to 404 in update_item().
  • rest-comments-controller.php (tests): update the test_update_comment_invalid_post_id assertion to expect 404.

The error code (rest_comment_invalid_post_id) is intentionally unchanged to preserve backwards compatibility for clients matching on it. The create_item 403 responses ("Sorry, you are not allowed to create this comment without a post.") are genuine authorization checks and are left untouched.

Relationship to #11529

This completes the work started in #11529 by @saratheonline, which made the code change but left the existing unit test asserting 403, causing CI to fail. @westonruter requested changes noting the test needed updating. This PR includes both the code fix and the corresponding test update so the suite passes.

Testing

Reproduced red → green:

  1. With the unpatched code, updating test_update_comment_invalid_post_id to expect 404 fails: Failed asserting that 403 is identical to 404.
  2. After the one-line controller fix, the test passes.

Full controller suite green (verified in the local Docker environment):

WP_Test_REST_Comments_Controller: OK (142 tests, 675 assertions)

Manual reproduction:

curl -X POST http://localhost:8889/wp-json/wp/v2/comments/1 \
  -u "admin:<app-password>" \
  -H "Content-Type: application/json" \
  -d '{"post": 9999}'
# Before: 403 Forbidden
# After:  404 Not Found

Trac ticket: https://core.trac.wordpress.org/ticket/65050

Props saratheonline.

Use of AI Tools

AI assistance: Yes
Tool(s): Claude Code
Model(s): Claude Opus 4.8
Used for: Reproducing the failing test, applying the fix and the test update, and running the test suite. All changes were reviewed by me.

`WP_REST_Comments_Controller::update_item()` returned HTTP 403 (Forbidden)
when the request targeted a non-existent post ID. The correct status is
404 (Not Found): the post is a missing resource, not an authorization
failure. This also makes `update_item()` consistent with `get_item()`,
which already returns 404 for the same scenario.

Also updates the `test_update_comment_invalid_post_id` assertion to expect
the corrected 404 status.

Props saratheonline.
See #65050.
@github-actions

Copy link
Copy Markdown

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props dhrupo.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions

Copy link
Copy Markdown

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant