False HTTP 500 response on unauthenticated requests
I found an issue with how REST API errors are returned in the plugin.

When unauthenticated requests hit the plugin's endpoints (like /wp-json/advanced-db-cleaner/v1/get-system-information), they return an HTTP 500 status. The response body itself contains a 403 code. This happens because the permission callback returns a WP_Error but does not specify the HTTP status in the error data. In WordPress, returning a WP_Error from a permission callback without status data defaults the response status to 500.
In includes/classes/class-adbc-routes.php, the rest_security_check method returns:

    return new WP_Error( ADBC_Rest::UNAUTHORIZED, __( 'Security check failed! Invalid nonce.', 'advanced-database-cleaner' ) );

Updating the WP_Error constructor to include the status code in the third parameter fixes this:

    return new WP_Error( ADBC_Rest::UNAUTHORIZED, __( 'Security check failed! Invalid nonce.', 'advanced-database-cleaner' ), [ 'status' => 403 ] );

This will correctly return an HTTP 403 Forbidden instead of HTTP 500. This prevents false alarms on server security monitors that watch for 500 errors.
Thanks,
Austin
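The pattern described in the report, as an added example that is not the plugin's own code: a REST route whose permission callback puts the HTTP status into the WP_Error data, so WordPress sends 401/403 rather than the 500 default. The route namespace, capability name, error codes and the 'wp_rest' nonce action are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): permission callback that carries the
// HTTP status in the WP_Error data so WP_REST_Server does not fall back to 500.
// Namespace, capability and nonce action below are assumptions.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/system-information', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_plugin_system_information',
        'permission_callback' => 'example_plugin_rest_permission',
    ] );
} );

function example_plugin_rest_permission( WP_REST_Request $request ) {
    // rest_authorization_required_code() is core's helper: 401 when no user is
    // logged in, 403 when a logged-in user lacks the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'example_plugin_forbidden',
            __( 'You are not allowed to access this resource.', 'example-plugin' ),
            [ 'status' => rest_authorization_required_code() ]
        );
    }

    // Nonce sent by the client in the X-WP-Nonce header.
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( ! $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        // The third argument is the point of the report: without
        // [ 'status' => 403 ] this error would be emitted as HTTP 500.
        return new WP_Error(
            'example_plugin_bad_nonce',
            __( 'Security check failed! Invalid nonce.', 'example-plugin' ),
            [ 'status' => 403 ]
        );
    }

    return true;
}

function example_plugin_system_information( WP_REST_Request $request ) {
    // Minimal payload; the real endpoint returns whatever the plugin collects.
    return rest_ensure_response( [ 'php_version' => PHP_VERSION ] );
}
```

Monitors that alert on 5xx responses then see a 401 or 403 for these rejected requests, which is an authorization event rather than a server fault.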