@@ -88,6 +88,12 @@ public function register_routes() {
8888 );
8989 }
9090 register_rest_route ( $ this ->namespace , '/ ' . $ this ->rest_base . '/(?P<id>[\d]+) ' , array (
91+ 'args ' => array (
92+ 'id ' => array (
93+ 'description ' => __ ( 'Unique identifier for the object. ' ),
94+ 'type ' => 'integer ' ,
95+ ),
96+ ),
9197 array (
9298 'methods ' => WP_REST_Server::READABLE ,
9399 'callback ' => array ( $ this , 'get_item ' ),
@@ -349,6 +355,28 @@ public function get_items( $request ) {
349355 return $ response ;
350356 }
351357
358+ /**
359+ * Get the post, if the ID is valid.
360+ *
361+ * @since 4.7.2
362+ *
363+ * @param int $id Supplied ID.
364+ * @return WP_Post|WP_Error Post object if ID is valid, WP_Error otherwise.
365+ */
366+ protected function get_post ( $ id ) {
367+ $ error = new WP_Error ( 'rest_post_invalid_id ' , __ ( 'Invalid post ID. ' ), array ( 'status ' => 404 ) );
368+ if ( (int ) $ id <= 0 ) {
369+ return $ error ;
370+ }
371+
372+ $ post = get_post ( (int ) $ id );
373+ if ( empty ( $ post ) || empty ( $ post ->ID ) || $ this ->post_type !== $ post ->post_type ) {
374+ return $ error ;
375+ }
376+
377+ return $ post ;
378+ }
379+
352380 /**
353381 * Checks if a given request has access to read a post.
354382 *
@@ -359,8 +387,10 @@ public function get_items( $request ) {
359387 * @return bool|WP_Error True if the request has read access for the item, WP_Error object otherwise.
360388 */
361389 public function get_item_permissions_check ( $ request ) {
362-
363- $ post = get_post ( (int ) $ request ['id ' ] );
390+ $ post = $ this ->get_post ( $ request ['id ' ] );
391+ if ( is_wp_error ( $ post ) ) {
392+ return $ post ;
393+ }
364394
365395 if ( 'edit ' === $ request ['context ' ] && $ post && ! $ this ->check_update_permission ( $ post ) ) {
366396 return new WP_Error ( 'rest_forbidden_context ' , __ ( 'Sorry, you are not allowed to edit this post. ' ), array ( 'status ' => rest_authorization_required_code () ) );
@@ -428,18 +458,16 @@ public function can_access_password_content( $post, $request ) {
428458 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
429459 */
430460 public function get_item ( $ request ) {
431- $ id = (int ) $ request ['id ' ];
432- $ post = get_post ( $ id );
433-
434- if ( empty ( $ id ) || empty ( $ post ->ID ) || $ this ->post_type !== $ post ->post_type ) {
435- return new WP_Error ( 'rest_post_invalid_id ' , __ ( 'Invalid post ID. ' ), array ( 'status ' => 404 ) );
461+ $ post = $ this ->get_post ( $ request ['id ' ] );
462+ if ( is_wp_error ( $ post ) ) {
463+ return $ post ;
436464 }
437465
438466 $ data = $ this ->prepare_item_for_response ( $ post , $ request );
439467 $ response = rest_ensure_response ( $ data );
440468
441469 if ( is_post_type_viewable ( get_post_type_object ( $ post ->post_type ) ) ) {
442- $ response ->link_header ( 'alternate ' , get_permalink ( $ id ), array ( 'type ' => 'text/html ' ) );
470+ $ response ->link_header ( 'alternate ' , get_permalink ( $ post -> ID ), array ( 'type ' => 'text/html ' ) );
443471 }
444472
445473 return $ response ;
@@ -455,6 +483,9 @@ public function get_item( $request ) {
455483 * @return true|WP_Error True if the request has access to create items, WP_Error object otherwise.
456484 */
457485 public function create_item_permissions_check ( $ request ) {
486+ if ( ! empty ( $ request ['id ' ] ) ) {
487+ return new WP_Error ( 'rest_post_exists ' , __ ( 'Cannot create existing post. ' ), array ( 'status ' => 400 ) );
488+ }
458489
459490 $ post_type = get_post_type_object ( $ this ->post_type );
460491
@@ -591,8 +622,11 @@ public function create_item( $request ) {
591622 * @return true|WP_Error True if the request has access to update the item, WP_Error object otherwise.
592623 */
593624 public function update_item_permissions_check ( $ request ) {
625+ $ post = $ this ->get_post ( $ request ['id ' ] );
626+ if ( is_wp_error ( $ post ) ) {
627+ return $ post ;
628+ }
594629
595- $ post = get_post ( $ request ['id ' ] );
596630 $ post_type = get_post_type_object ( $ this ->post_type );
597631
598632 if ( $ post && ! $ this ->check_update_permission ( $ post ) ) {
@@ -624,11 +658,9 @@ public function update_item_permissions_check( $request ) {
624658 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
625659 */
626660 public function update_item ( $ request ) {
627- $ id = (int ) $ request ['id ' ];
628- $ post = get_post ( $ id );
629-
630- if ( empty ( $ id ) || empty ( $ post ->ID ) || $ this ->post_type !== $ post ->post_type ) {
631- return new WP_Error ( 'rest_post_invalid_id ' , __ ( 'Invalid post ID. ' ), array ( 'status ' => 404 ) );
661+ $ valid_check = $ this ->get_post ( $ request ['id ' ] );
662+ if ( is_wp_error ( $ valid_check ) ) {
663+ return $ valid_check ;
632664 }
633665
634666 $ post = $ this ->prepare_item_for_database ( $ request );
@@ -714,8 +746,10 @@ public function update_item( $request ) {
714746 * @return true|WP_Error True if the request has access to delete the item, WP_Error object otherwise.
715747 */
716748 public function delete_item_permissions_check ( $ request ) {
717-
718- $ post = get_post ( $ request ['id ' ] );
749+ $ post = $ this ->get_post ( $ request ['id ' ] );
750+ if ( is_wp_error ( $ post ) ) {
751+ return $ post ;
752+ }
719753
720754 if ( $ post && ! $ this ->check_delete_permission ( $ post ) ) {
721755 return new WP_Error ( 'rest_cannot_delete ' , __ ( 'Sorry, you are not allowed to delete this post. ' ), array ( 'status ' => rest_authorization_required_code () ) );
@@ -734,15 +768,14 @@ public function delete_item_permissions_check( $request ) {
734768 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
735769 */
736770 public function delete_item ( $ request ) {
737- $ id = (int ) $ request ['id ' ];
738- $ force = (bool ) $ request ['force ' ];
739-
740- $ post = get_post ( $ id );
741-
742- if ( empty ( $ id ) || empty ( $ post ->ID ) || $ this ->post_type !== $ post ->post_type ) {
743- return new WP_Error ( 'rest_post_invalid_id ' , __ ( 'Invalid post ID. ' ), array ( 'status ' => 404 ) );
771+ $ post = $ this ->get_post ( $ request ['id ' ] );
772+ if ( is_wp_error ( $ post ) ) {
773+ return $ post ;
744774 }
745775
776+ $ id = $ post ->ID ;
777+ $ force = (bool ) $ request ['force ' ];
778+
746779 $ supports_trash = ( EMPTY_TRASH_DAYS > 0 );
747780
748781 if ( 'attachment ' === $ post ->post_type ) {
@@ -901,7 +934,12 @@ protected function prepare_item_for_database( $request ) {
901934
902935 // Post ID.
903936 if ( isset ( $ request ['id ' ] ) ) {
904- $ prepared_post ->ID = absint ( $ request ['id ' ] );
937+ $ existing_post = $ this ->get_post ( $ request ['id ' ] );
938+ if ( is_wp_error ( $ existing_post ) ) {
939+ return $ existing_post ;
940+ }
941+
942+ $ prepared_post ->ID = $ existing_post ->ID ;
905943 }
906944
907945 $ schema = $ this ->get_item_schema ();
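Review bot: The `$post &&` guard in `get_item_permissions_check` (new line 395, `if ( 'edit' === $request['context'] && $post && ! $this->check_update_permission( $post ) )`) is now dead, because the added `is_wp_error()` early return guarantees `$post` is a valid `WP_Post` by that point; the same leftover guard appears in `update_item_permissions_check` (new line 632) and `delete_item_permissions_check` (new line 754). A guard of the form "only check permission if the post resolved" is exactly the fail-open shape this commit is removing, so leaving it in place invites a regression if `get_post()` ever returns a falsy value instead of a `WP_Error`; I would drop the `$post &&` term in all three, e.g. `if ( 'edit' === $request['context'] && ! $this->check_update_permission( $post ) ) {`. Separately, the new helper's `(int) $id <= 0` test at line 368 still accepts leading-numeric strings via the cast, so the `type => integer` arg registered in the route hunk is the only thing rejecting non-integer ids before they reach the helper — worth a one-line comment in `get_post()` such as `// Non-numeric ids are rejected by the route's 'id' arg schema; the cast here only guards against 0/negative values.` The body of `get_item_permissions_check` continues past the end of this hunk.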