[wp-trac] [WordPress Trac] #65050: REST API: Comments controller returns 403 instead of 404 for invalid post ID in update_item()
WordPress Trac
noreply at wordpress.org
Thu Apr 9 10:18:03 UTC 2026
#65050: REST API: Comments controller returns 403 instead of 404 for invalid post
ID in update_item()
---------------------------+-------------------------------------
Reporter: saratheonline | Owner: saratheonline
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: trunk
Severity: normal | Keywords: has-patch needs-testing
Focuses: |
---------------------------+-------------------------------------
In `WP_REST_Comments_Controller`, the `update_item()` method returns HTTP
403 (Forbidden) when an invalid post ID is provided, but the correct
status
code is 404 (Not Found).
The same file returns 404 for the identical scenario in `get_item()`
(line 418), making this inconsistent within the same controller.
403 implies the client lacks permission. 404 is correct here because
the post does not exist — it is a missing resource, not an authorization
failure.
== Affected code (class-wp-rest-comments-controller.php) ==
{{{
if ( empty( $post ) ) {
return new WP_Error(
'rest_comment_invalid_post_id',
__( 'Invalid post ID.' ),
array( 'status' => 403 ) // incorrect
);
}
}}}
== Proposed Fix ==
{{{
array( 'status' => 404 )
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/65050>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list