
fix: add object-level authorization to corrections REST endpoint#4643

Merged

adekbadek merged 2 commits into trunk from fix/corrections-idor on Apr 9, 2026

Conversation

@adekbadek (Member)

Summary

  • Fixes IDOR/broken-access-control in the corrections REST save endpoint
  • The endpoint only checked edit_posts (generic capability), allowing any author/editor to manage corrections on posts they don't own
  • Adds current_user_can( 'edit_post', $post_id ) check for the specific target post
  • Adds IDOR regression test

Test plan

  • Log in as an author, attempt to save corrections for another user's post -- should get 403
  • Log in as an editor, save corrections for any post -- should succeed (editors can edit all posts)
  • Run n test-php --group corrections -- all 21 tests pass

🤖 Generated with Claude Code

The corrections save endpoint only checked `edit_posts` capability,
allowing any author/editor to add, modify, or delete corrections on
posts they don't own. Now checks `edit_post` for the specific post.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
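As an added illustration (not the project's code, and not the contents of includes/corrections/class-corrections.php), the distinction the PR relies on in WordPress terms: `edit_posts` is a primitive capability that every Author and above holds, so it says nothing about which post a request targets, while `edit_post` is a meta capability that WordPress maps per post via `map_meta_cap` (Authors pass only for their own posts, Editors for any post). The route namespace `example/v1`, the route path, the `post_id` argument and all `example_*` function names are placeholders assumed here. The PR puts its check inside the save handler itself; this example puts the equivalent check in the route's `permission_callback`, which the REST server evaluates before the handler runs.

```php
<?php
/**
 * Added example, not the project's code. Namespace, route and argument
 * names are assumptions for illustration only.
 */

// BEFORE (the pattern the PR fixes): a generic capability check.
// Any user with edit_posts passes regardless of the target post, so an
// Author can save corrections on a post they do not own (IDOR).
function example_corrections_permission_generic( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// AFTER: an object-level check against the specific post.
// Returning WP_Error lets the REST server answer with the right status:
// rest_authorization_required_code() is 403 for a logged-in user who lacks
// the capability and 401 for an anonymous request.
function example_corrections_permission_object_level( WP_REST_Request $request ) {
    $post_id = (int) $request['post_id'];

    if ( $post_id <= 0 || ! get_post( $post_id ) ) {
        return new WP_Error(
            'rest_post_invalid_id',
            'Invalid post ID.',
            array( 'status' => 404 )
        );
    }

    // edit_post is a meta capability: WordPress resolves it per post, so an
    // Author is allowed only for their own posts and an Editor for any post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Sorry, you are not allowed to edit corrections for this post.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return true;
}

// The handler runs only after the permission callback returned true.
function example_corrections_save( WP_REST_Request $request ) {
    $post_id = (int) $request['post_id'];
    // ... persist the corrections for $post_id here ...
    return rest_ensure_response( array( 'post_id' => $post_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route(
        'example/v1',                        // assumed namespace
        '/corrections/(?P<post_id>\d+)',     // assumed route
        array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'example_corrections_save',
            'permission_callback' => 'example_corrections_permission_object_level',
            'args'                => array(
                'post_id' => array(
                    'type'              => 'integer',
                    'required'          => true,
                    'sanitize_callback' => 'absint',
                ),
            ),
        )
    );
} );
```

To reproduce the PR's test plan against this route: authenticate as an Author and POST to `/wp-json/example/v1/corrections/<id>` for a post owned by someone else, expecting 403 with code `rest_forbidden`; repeat as an Editor, expecting 200. Checking `edit_post` before `get_post` is not a substitute for the existence check, since `current_user_can( 'edit_post', $unknown_id )` is simply false and would mask a bad ID as a permission error.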
Copilot AI (Contributor) left a comment

Pull request overview

This PR tightens authorization for the Corrections REST “save” endpoint to prevent IDOR/broken-access-control by ensuring the current user can edit the specific target post.

Changes:

  • Add an object-level capability check (current_user_can( 'edit_post', $post_id )) in Corrections::rest_save_corrections.
  • Add a unit test ensuring an author cannot save corrections for another user’s post.
  • Update test fixtures to run REST-save tests as an editor by default.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File: includes/corrections/class-corrections.php
Description: Adds per-post authorization enforcement inside the REST save handler.

File: tests/unit-tests/corrections.php
Description: Adds an IDOR regression test and updates setup to use an editor user.

@adekbadek adekbadek marked this pull request as ready for review April 8, 2026 12:14
@adekbadek adekbadek requested a review from a team as a code owner April 8, 2026 12:14
@adekbadek adekbadek added the [Status] Needs Review The issue or pull request needs to be reviewed label Apr 8, 2026
@github-actions github-actions bot added [Status] Approved The pull request has been reviewed and is ready to merge and removed [Status] Needs Review The issue or pull request needs to be reviewed labels Apr 8, 2026
@adekbadek adekbadek merged commit a39a62d into trunk Apr 9, 2026
15 checks passed
@adekbadek adekbadek deleted the fix/corrections-idor branch April 9, 2026 07:23
github-actions bot commented Apr 9, 2026

Hey @adekbadek, good job getting this PR merged! 🎉

Now, the needs-changelog label has been added to it.

Please check if this PR needs to be included in the "Upcoming Changes" and "Release Notes" doc. If it doesn't, simply remove the label.

If it does, please add an entry to our shared document, with screenshots and testing instructions if applicable, then remove the label.

Thank you! ❤️
