Incorrect HTTP status code in 'posts' query. Patch refresh 43681.diff

src/wp-includes/rest-api/class-wp-rest-request.php

@@ -850,7 +850,10 @@ public function sanitize_params() {
 				$sanitized_value = call_user_func( $param_args['sanitize_callback'], $value, $this, $key );
 
 				if ( is_wp_error( $sanitized_value ) ) {
-					$invalid_params[ $key ]  = implode( ' ', $sanitized_value->get_error_messages() );
+					$invalid_params[ $key ] = implode( ' ', $sanitized_value->get_error_messages() );
+
+					$error_data              = $sanitized_value->get_error_data();
+					$error_code              = $error_data['status'] ?? 400;
 					$invalid_details[ $key ] = rest_convert_error_to_response( $sanitized_value )->get_data();
 				} else {
 					$this->params[ $type ][ $key ] = $sanitized_value;
@@ -864,7 +867,7 @@ public function sanitize_params() {
 				/* translators: %s: List of invalid parameters. */
 				sprintf( __( 'Invalid parameter(s): %s' ), implode( ', ', array_keys( $invalid_params ) ) ),
 				array(
-					'status'  => 400,
+					'status'  => $error_code,
 					'params'  => $invalid_params,
 					'details' => $invalid_details,
 				)

src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

@@ -3132,17 +3132,22 @@ public function sanitize_post_statuses( $statuses, $request, $parameter ) {
 				continue;
 			}
 
+			$result = rest_validate_request_arg( $status, $request, $parameter );
+			if ( is_wp_error( $result ) ) {
+					return $result;
+			}
+		}
+		foreach ( $statuses as $status ) {
+			if ( $status === $default_status ) {
+					continue;
+			}
+
 			$post_type_obj = get_post_type_object( $this->post_type );
 
-			if ( current_user_can( $post_type_obj->cap->edit_posts ) || 'private' === $status && current_user_can( $post_type_obj->cap->read_private_posts ) ) {
-				$result = rest_validate_request_arg( $status, $request, $parameter );
-				if ( is_wp_error( $result ) ) {
-					return $result;
-				}
-			} else {
+			if ( ! current_user_can( $post_type_obj->cap->edit_posts ) ) {
 				return new WP_Error(
 					'rest_forbidden_status',
-					__( 'Status is forbidden.' ),
+					__( 'Sorry, you are not allowed to list non-published posts in this post type.' ),
 					array( 'status' => rest_authorization_required_code() )
 				);
 			}

tests/phpunit/tests/rest-api/rest-attachments-controller.php

@@ -517,7 +517,7 @@ public function test_get_items_private_status() {
 		$request        = new WP_REST_Request( 'GET', '/wp/v2/media' );
 		$request->set_param( 'status', 'private' );
 		$response = rest_get_server()->dispatch( $request );
-		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 		// Properly authorized users can make the request.
 		wp_set_current_user( self::$editor_id );
 		$response = rest_get_server()->dispatch( $request );
@@ -550,7 +550,7 @@ public function test_get_items_multiple_statuses() {
 		$request        = new WP_REST_Request( 'GET', '/wp/v2/media' );
 		$request->set_param( 'status', array( 'private', 'trash' ) );
 		$response = rest_get_server()->dispatch( $request );
-		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 		// Properly authorized users can make the request.
 		wp_set_current_user( self::$editor_id );
 		$response = rest_get_server()->dispatch( $request );

tests/phpunit/tests/rest-api/rest-pages-controller.php

@@ -317,7 +317,7 @@ public function test_get_items_private_filter_query_var() {
 		$request  = new WP_REST_Request( 'GET', '/wp/v2/pages' );
 		$request->set_param( 'status', 'draft' );
 		$response = rest_get_server()->dispatch( $request );
-		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 
 		// But they are accessible to authorized users.
 		wp_set_current_user( self::$editor_id );

tests/phpunit/tests/rest-api/rest-posts-controller.php

@@ -772,7 +772,7 @@ public function test_get_items_status_query() {
 		$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
 		$request->set_param( 'status', 'draft' );
 		$response = rest_get_server()->dispatch( $request );
-		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 
 		wp_set_current_user( self::$editor_id );
 
@@ -849,7 +849,7 @@ public function test_get_items_multiple_statuses_custom_role_one_invalid_query()
 		$request->set_param( 'status', array( 'private', 'future' ) );
 
 		$response = rest_get_server()->dispatch( $request );
-		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 	}
 
 	public function test_get_items_invalid_status_query() {
@@ -858,7 +858,7 @@ public function test_get_items_invalid_status_query() {
 		$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
 		$request->set_param( 'status', 'invalid' );
 		$response = rest_get_server()->dispatch( $request );
-		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 	}
 
 	public function test_get_items_status_without_permissions() {
@@ -2030,15 +2030,15 @@ public function test_get_items_status_draft_permissions() {
 		$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
 		$request->set_param( 'status', 'draft' );
 		$response = rest_get_server()->dispatch( $request );
-		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 
 		// Users with 'read_private_posts' cap shouldn't also be able to view drafts.
 		wp_set_current_user( self::$private_reader_id );
 
 		$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
 		$request->set_param( 'status', 'draft' );
 		$response = rest_get_server()->dispatch( $request );
-		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 
 		// But drafts are accessible to authorized users.
 		wp_set_current_user( self::$editor_id );
@@ -2059,7 +2059,7 @@ public function test_get_items_status_private_permissions() {
 		$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
 		$request->set_param( 'status', 'private' );
 		$response = rest_get_server()->dispatch( $request );
-		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 401 );
 
 		wp_set_current_user( self::$private_reader_id );