REST API: Return 404 for invalid post ID in Comments update_item().#12545
REST API: Return 404 for invalid post ID in Comments update_item().#12545dhrupo wants to merge 2 commits into
Conversation
`WP_REST_Comments_Controller::update_item()` returned HTTP 403 (Forbidden) when the request targeted a non-existent post ID. The correct status is 404 (Not Found): the post is a missing resource, not an authorization failure. This also makes `update_item()` consistent with `get_item()`, which already returns 404 for the same scenario. Also updates the `test_update_comment_invalid_post_id` assertion to expect the corrected 404 status. Props saratheonline. See #65050.
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
Summary
WP_REST_Comments_Controller::update_item()returned HTTP 403 (Forbidden) when the request targeted a non-existent post ID (e.g.PUT /wp/v2/comments/<id>withpostset to a missing post). The correct status is 404 (Not Found): the post is a missing resource, not an authorization failure.This also makes
update_item()consistent withget_item(), which already returns 404 for the same "post does not exist" scenario within the same controller.Changes
class-wp-rest-comments-controller.php: change therest_comment_invalid_post_iderror status from403to404inupdate_item().rest-comments-controller.php(tests): update thetest_update_comment_invalid_post_idassertion to expect404.The error code (
rest_comment_invalid_post_id) is intentionally unchanged to preserve backwards compatibility for clients matching on it. Thecreate_item403 responses ("Sorry, you are not allowed to create this comment without a post.") are genuine authorization checks and are left untouched.Relationship to #11529
This completes the work started in #11529 by @saratheonline, which made the code change but left the existing unit test asserting
403, causing CI to fail. @westonruter requested changes noting the test needed updating. This PR includes both the code fix and the corresponding test update so the suite passes.Testing
Reproduced red → green:
test_update_comment_invalid_post_idto expect404fails:Failed asserting that 403 is identical to 404.Full controller suite green (verified in the local Docker environment):
Manual reproduction:
Trac ticket: https://core.trac.wordpress.org/ticket/65050
Props saratheonline.
Use of AI Tools
AI assistance: Yes
Tool(s): Claude Code
Model(s): Claude Opus 4.8
Used for: Reproducing the failing test, applying the fix and the test update, and running the test suite. All changes were reviewed by me.