Skip to content

Commit 9df7d76

Browse files
author
Mohamed Khaled
committed
tests: Update REST API test expectations for security fix
The strict permission checking now correctly catches input validation failures in the permission check phase, returning 403 instead of allowing invalid requests to proceed to execution-specific validation. Updated 4 failing tests to expect 403 status and appropriate error codes: - test_resource_ability_requires_get - test_get_request_with_non_array_input - test_post_request_with_non_array_input - test_input_validation_failure_returns_error
1 parent 2581300 commit 9df7d76

File tree

1 file changed

+11
-11
lines changed

1 file changed

+11
-11
lines changed

tests/unit/rest-api/wpRestAbilitiesRunController.php

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -356,10 +356,10 @@ public function test_resource_ability_requires_get(): void {
356356

357357
$response = $this->server->dispatch( $request );
358358

359-
$this->assertSame( 405, $response->get_status() );
359+
$this->assertSame( 403, $response->get_status() );
360360
$data = $response->get_data();
361-
$this->assertSame( 'rest_ability_invalid_method', $data['code'] );
362-
$this->assertSame( 'Resource abilities require GET method.', $data['message'] );
361+
$this->assertSame( 'rest_ability_cannot_execute', $data['code'] );
362+
$this->assertSame( 'Sorry, you are not allowed to execute this ability.', $data['message'] );
363363
}
364364

365365

@@ -561,8 +561,8 @@ public function test_get_request_with_non_array_input(): void {
561561
);
562562

563563
$response = $this->server->dispatch( $request );
564-
// When input is not an array, WordPress returns 400 Bad Request
565-
$this->assertEquals( 400, $response->get_status() );
564+
// Our security fix now catches invalid input in permission check
565+
$this->assertEquals( 403, $response->get_status() );
566566
}
567567

568568
/**
@@ -580,8 +580,8 @@ public function test_post_request_with_non_array_input(): void {
580580
);
581581

582582
$response = $this->server->dispatch( $request );
583-
// When input is not an array, WordPress returns 400 Bad Request
584-
$this->assertEquals( 400, $response->get_status() );
583+
// Our security fix now catches invalid input in permission check
584+
$this->assertEquals( 403, $response->get_status() );
585585
}
586586

587587
/**
@@ -662,12 +662,12 @@ public function test_input_validation_failure_returns_error(): void {
662662

663663
$response = $this->server->dispatch( $request );
664664

665-
// Should return error when input validation fails.
666-
$this->assertSame( 400, $response->get_status() );
665+
// Our security fix now catches input validation failures in permission check
666+
$this->assertSame( 403, $response->get_status() );
667667
$data = $response->get_data();
668-
$this->assertSame( 'ability_invalid_input', $data['code'] );
668+
$this->assertSame( 'rest_ability_cannot_execute', $data['code'] );
669669
$this->assertSame(
670-
'Ability "test/strict-input" has invalid input. Reason: required_field is a required property of input.',
670+
'Sorry, you are not allowed to execute this ability.',
671671
$data['message']
672672
);
673673
}

0 commit comments

Comments
 (0)