From 240ae1a72957f56c349dcb7ca650469d8fce9b2b Mon Sep 17 00:00:00 2001 From: Dhrupo Nil Date: Wed, 15 Jul 2026 23:45:40 +0600 Subject: [PATCH] REST API: Return 404 for invalid post ID in Comments update_item(). `WP_REST_Comments_Controller::update_item()` returned HTTP 403 (Forbidden) when the request targeted a non-existent post ID. The correct status is 404 (Not Found): the post is a missing resource, not an authorization failure. This also makes `update_item()` consistent with `get_item()`, which already returns 404 for the same scenario. Also updates the `test_update_comment_invalid_post_id` assertion to expect the corrected 404 status. Props saratheonline. See #65050. --- .../rest-api/endpoints/class-wp-rest-comments-controller.php | 2 +- tests/phpunit/tests/rest-api/rest-comments-controller.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php index 6fecfd3961fe0..fa316127c71c5 100644 --- a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php +++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php @@ -828,7 +828,7 @@ public function update_item( $request ) { return new WP_Error( 'rest_comment_invalid_post_id', __( 'Invalid post ID.' ), - array( 'status' => 403 ) + array( 'status' => 404 ) ); } } diff --git a/tests/phpunit/tests/rest-api/rest-comments-controller.php b/tests/phpunit/tests/rest-api/rest-comments-controller.php index 9258756a732b2..cff15aed9ce86 100644 --- a/tests/phpunit/tests/rest-api/rest-comments-controller.php +++ b/tests/phpunit/tests/rest-api/rest-comments-controller.php @@ -2675,7 +2675,7 @@ public function test_update_comment_invalid_post_id() { $request->set_param( 'post', REST_TESTS_IMPOSSIBLY_HIGH_NUMBER ); $response = rest_get_server()->dispatch( $request ); - $this->assertErrorResponse( 'rest_comment_invalid_post_id', $response, 403 ); + $this->assertErrorResponse( 'rest_comment_invalid_post_id', $response, 404 ); } public function test_update_comment_invalid_permission() {