WP_Comment_Query, REST and post_type query-interceptor_pp (Support, Plugin: Press Permit Core)

  • Resolved drzraf

    (@drzraf)



    Declaring a REST API in 4.8 I experienced an issue related to press-permit-core.
    Plugin deactivated, I could grab comments for a given post (assuming $wp_post_types[<post_type>]->show_in_rest = TRUE)
    GET /wp-json/wp/v2/comments?post=1234

    But with press-permit-core enabled, I could observe spurious 1=2 in the SQL query forbidding any result:
    SELECT SQL_CALC_FOUND_ROWS COUNT(*) FROM wp_comments INNER JOIN wp_posts ON wp_posts.ID = wp_comments.comment_post_ID WHERE 1=1 AND ( ( wp_posts.post_type = 'XXX' AND ( 1=2 ) ) ) AND ( comment_approved = '1' ) AND comment_post_ID IN ( 1234 ) AND comment_type IN ('') ORDER BY wp_comments.comment_date_gmt DESC, wp_comments.comment_ID DESC

    I tracked this down to query-interceptor_pp.php l. 519: else { $where_arr[$post_type] = '1=2'; }

    Any hints about why this line, and how this should be changed to let WP 4.8 REST API behave correctly?

Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Author Kevin Behrens

    (@kevinb)

    Try changing that line to:

    
    elseif ( ! in_array( 'comments', $args['query_contexts'] ) ) {$where_arr[$post_type] = '1=2';}
    

    Thread Starter drzraf

    (@drzraf)

    Part of a solution but not enough.

    I found the second restriction to be the one inside exceptions_pp.php
    at line 67 else { $where = '1=2'; }

    And fixing the second with an elseif rather than 1=1, I found there was still an issue, with queries like ( wp_posts.post_type = 'xxx' AND ( Array ) )

    The reason being that no $where being defined inside exceptions_pp.php, if ( $append_post_type_clause ) { creates a buggy SQL string.
    ==> $where = "$src_table.post_type = '$post_type'" . ( $where ? " AND ( $where )" : "" );

    Fixing these three made the stuff work.
    Do you plan a bugfix release about this?
    (I’m asking to know how I should personally manage the issue)
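
An added sketch of the clause-building logic discussed in the replies above (not part of the thread and not Press Permit Core's code): deny with 1=2 when nothing is granted unless the query context is comments, and never let an array be interpolated into the SQL string as "Array". The function name, its parameters and the sample inputs are hypothetical.

```php
<?php
// Added illustration; build_type_clause() and its parameters are hypothetical
// names, not functions from Press Permit Core.

/**
 * Build the WHERE fragment for one post type.
 *
 * $clauses  permission conditions: a string, a list of strings, or empty
 * $contexts query contexts, e.g. ['comments'] as in the suggested elseif
 */
function build_type_clause(string $src_table, string $post_type, $clauses, array $contexts): string
{
    // Allow-list every identifier that is interpolated into the SQL text.
    // WordPress post type keys are lowercase and at most 20 characters.
    if (!preg_match('/^[a-z0-9_]+$/', $src_table)
        || !preg_match('/^[a-z0-9_-]{1,20}$/', $post_type)) {
        throw new InvalidArgumentException('unexpected table or post type name');
    }

    // Normalise to a list first, so an array is never cast to the string
    // "Array" (the "( Array )" symptom reported above).
    $parts = array_filter(array_map('trim', (array) $clauses), 'strlen');

    if ($parts) {
        $where = implode(' AND ', array_map(fn($c) => "( $c )", $parts));
    } elseif (in_array('comments', $contexts, true)) {
        $where = '';      // comment queries: no extra restriction for this type
    } else {
        $where = '1=2';   // fail closed: nothing granted, so match no rows
    }

    return "$src_table.post_type = '$post_type'"
        . ($where !== '' ? " AND ( $where )" : '');
}

// Constructed inputs: no grants, no grants in a comments query, two conditions.
echo build_type_clause('wp_posts', 'foo', [], []), "\n";
echo build_type_clause('wp_posts', 'foo', [], ['comments']), "\n";
echo build_type_clause(
    'wp_posts',
    'foo',
    ["wp_posts.post_status = 'publish'", 'wp_posts.ID IN (21536)'],
    []
), "\n";
```

The only path that drops the deny clause is the explicit comments context; every other empty result still falls through to 1=2.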

    Plugin Author Kevin Behrens

    (@kevinb)

    Can you explain your post type and permissions configuration? I’m having trouble recreating the error.

    Plugin Author Kevin Behrens

    (@kevinb)

    Never mind, I see it now. My pro extensions support filtering REST results based on PP permissions. I hadn’t noticed that this error occurs when running without the pro extensions. I’ll publish the Press Permit Core fix soon.

    Thread Starter drzraf

    (@drzraf)

    Just tried ppc 2.3.21 today. The issue still exists in some form:
    In query-interceptor_pp.php l.519: else { $where_arr[$post_type] = '1=2';
    Specifically, this blocks custom post type listing:
    Ex: /wp-json/wp/v2/restaurant

    Plugin Author Kevin Behrens

    (@kevinb)

    I’m not seeing this error on my test site. Please provide detailed instructions for creating the error on a fresh WP 4.8 install. Include your custom post type definition attributes and method, all active plugins, status of the custom posts and any other related factors.

    Thread Starter drzraf

    (@drzraf)

    $ GET http://localhost/wp-json/wp/v2/fooo/21536
    {object...} # OK with PPC enabled or not

    $ GET http://localhost/wp-json/wp/v2/fooo # PPC enabled
    []

    $ GET http://localhost/wp-json/wp/v2/fooo # PPC disabled
    [{normal full array of objects}]

    $ wp option get capsman_backup Permissions (is that the “backup” way?)

    'fooo' =>
    array (
      'name' => 'Foos Editor',
      'capabilities' =>
      array (
        'edit_post' => true,
        'read_post' => true,
        'delete_post' => true,
        'read' => true,
        'edit_fooos' => true,
        'publish_fooos' => true,
        'edit_published_fooos' => true,
        'edit_private_fooos' => true,
        'delete_fooos' => true,
        'delete_published_fooos' => true,
        'delete_private_fooos' => true,
        'level_0' => true,
        'read_private_fooos' => true,
        'edit_others_fooos' => true,
        'delete_others_fooos' => true,
        'upload_files' => true,
      ),
    ),

    $ wp eval 'var_export(get_post_type_object("foo"));'

    WP_Post_Type::__set_state(array(
      'name' => 'foo',
      'label' => 'Foos',
      'labels' =>
      stdClass::__set_state(array(
        'name' => 'Foos',
        'singular_name' => 'Foo',
        'add_new' => 'Ajouter',
        'add_new_item' => 'Ajouter un nouveau foo',
        'edit_item' => 'Modifier le foo',
        'new_item' => 'Nouveau foo',
        'view_item' => 'Voir le foo',
        'view_items' => 'Voir les articles',
        'search_items' => 'Chercher un foo',
        'not_found' => 'Aucun foo trouvé',
        'not_found_in_trash' => 'Aucun foo trouvé dans la corbeille',
        'parent_item_colon' => 'Foo parent:',
        'all_items' => 'Foos',
        'archives' => 'Foos',
        'attributes' => 'Attributs d’articles',
        'insert_into_item' => 'Insérer dans l’article',
        'uploaded_to_this_item' => 'Mis en ligne sur cet article',
        'featured_image' => 'Image mise en avant',
        'set_featured_image' => 'Définir l’image mise en avant',
        'remove_featured_image' => 'Supprimer l’image mise en avant',
        'use_featured_image' => 'Utiliser comme image mise en avant',
        'filter_items_list' => 'Filtrer la liste des articles',
        'items_list_navigation' => 'Navigation de la liste des articles',
        'items_list' => 'Liste des articles',
        'menu_name' => 'Foos',
        'name_admin_bar' => 'Foo',
      )),
      'description' => '',
      'public' => true,
      'hierarchical' => false,
      'exclude_from_search' => false,
      'publicly_queryable' => true,
      'show_ui' => true,
      'show_in_menu' => true,
      'show_in_nav_menus' => true,
      'show_in_admin_bar' => true,
      'menu_position' => 30,
      'menu_icon' => '',
      'capability_type' => 'foo',
      'map_meta_cap' => true,
      'register_meta_box_cb' => NULL,
      'taxonomies' =>
      array (
      ),
      'has_archive' => false,
      'query_var' => 'foo',
      'can_export' => true,
      'delete_with_user' => NULL,
      '_builtin' => false,
      '_edit_link' => 'post.php?post=%d',
      'cap' =>
      stdClass::__set_state(array(
        'edit_post' => 'edit_post',
        'read_post' => 'read_post',
        'delete_post' => 'delete_post',
        'edit_posts' => 'edit_foos',
        'edit_others_posts' => 'edit_others_foos',
        'publish_posts' => 'publish_foos',
        'read_private_posts' => 'read_private_foos',
        'read' => 'read',
        'delete_posts' => 'delete_foos',
        'delete_private_posts' => 'delete_private_foos',
        'delete_published_posts' => 'delete_published_foos',
        'delete_others_posts' => 'delete_others_foos',
        'edit_private_posts' => 'edit_private_foos',
        'edit_published_posts' => 'edit_published_foos',
        'create_posts' => 'edit_foos',
      )),
      'rewrite' => false,
      'show_in_rest' => true,
      'rest_base' => 'foo',
      'rest_controller_class' => 'WP_REST_Posts_Controller',
      'plural_name' => 'foos',
    ))

    $ wp plugin list --status=active

    advanced-custom-fields-pro active none 5.6.1
    capability-manager-enhanced active none 1.5.7
    page-list active none 5.1
    post-duplicator active none 2.20
    press-permit-core active none 2.3.21
    simple-custom-types active none 3.4

    • This reply was modified 1 year, 3 months ago by  drzraf. Reason: formatting
    Plugin Author Kevin Behrens

    (@kevinb)

    I’m still having trouble recreating that error on a test site. What are the post statuses of your foos?

    Plugin Author Kevin Behrens

    (@kevinb)

    Regarding your previous comment:

    Just tried ppc 2.3.21 today. The issue still exists in some form:
    In query-interceptor_pp.php l.519: else { $where_arr[$post_type] = '1=2';

    Did you actually confirm that line is causing your issue, or just search the code and find the instance of ‘1=2’ (which is not accidental)?

    Plugin Author Kevin Behrens

    (@kevinb)

    And a further question: The last available version of the Simple Post Types plugin does not enable REST access. Can you show me the code you are using to turn that on, along with any other custom code that relates to this post type?

    Plugin Author Kevin Behrens

    (@kevinb)

    Do you have the REST request authenticating as any particular user?

    Plugin Author Kevin Behrens

    (@kevinb)

    Update: Please let me know if the new Press Permit Core development version (2.4-beta) resolves your issue.

    Sorry for the barrage of prior replies.

    Thread Starter drzraf

    (@drzraf)

    Great, that works!
    From a quick look at the diff, it seems to mean that PPC custom permissions are simply “ignored” for REST, and I think it’s the good thing to do, for the moment.

    Thank you!

    Plugin Author Kevin Behrens

    (@kevinb)

    Actually, as of Press Permit Core 2.4-beta, PP-modified read permissions are applied to REST requests handled by WP_REST_Posts_Controller (or a custom controller registered to a post type and using the same url argument syntax) if you are running WP 4.7 or higher.

    • This reply was modified 1 year, 2 months ago by  Kevin Behrens.
  • The topic ‘WP_Comment_Query, REST and post_type query-interceptor_pp’ is closed to new replies.