WP-API · joehoyle · Jan 20, 2016 · Jan 14, 2016 · Jan 14, 2016 · Jan 14, 2016
diff --git a/lib/endpoints/class-wp-rest-attachments-controller.php b/lib/endpoints/class-wp-rest-attachments-controller.php
@@ -2,6 +2,21 @@
 
 class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 
+	/**
+	 * Determine the allowed query_vars for a get_items() response and
+	 * prepare for WP_Query.
+	 *
+	 * @param array $prepared_args
+	 * @return array $query_args
+	 */
+	protected function prepare_items_query( $prepared_args = array() ) {
+		$query_args = parent::prepare_items_query( $prepared_args );
+		if ( empty( $query_args['post_status'] ) || ! in_array( $query_args['post_status'], array( 'inherit', 'private', 'trash' ) ) ) {
+			$query_args['post_status'] = 'inherit';
+		}
+		return $query_args;
+	}
+
 	/**
 	 * Check if a given request has access to create an attachment.
 	 *
@@ -414,9 +429,26 @@ public function get_collection_params() {
 			'default'            => null,
 			'sanitize_callback'  => 'absint',
 			);
+		$params['status']['default'] = 'inherit';
+		$params['status']['enum'] = array( 'inherit', 'private', 'trash' );
 		return $params;
 	}
 
+	/**
+	 * Validate whether the user can query private statuses
+	 *
+	 * @param  mixed $value
+	 * @param  WP_REST_Request $request
+	 * @param  string $parameter
+	 * @return WP_Error|bool
+	 */
+	public function validate_user_can_query_private_statuses( $value, $request, $parameter ) {
+		if ( 'inherit' === $value ) {
+			return true;
+		}
+		return parent::validate_user_can_query_private_statuses( $value, $request, $parameter );
+	}
+
 	/**
 	 * Handle an upload via multipart/form-data ($_FILES)
 	 *

diff --git a/lib/endpoints/class-wp-rest-posts-controller.php b/lib/endpoints/class-wp-rest-posts-controller.php
@@ -539,10 +539,6 @@ protected function prepare_items_query( $prepared_args = array() ) {
 			}
 		}
 
-		if ( empty( $query_args['post_status'] ) && 'attachment' === $this->post_type ) {
-			$query_args['post_status'] = 'inherit';
-		}
-
 		if ( 'post' !== $this->post_type || ! isset( $query_args['ignore_sticky_posts'] ) ) {
 			$query_args['ignore_sticky_posts'] = true;
 		}
@@ -1626,7 +1622,7 @@ public function get_collection_params() {
 		}
 
 		$params['status'] = array(
-			'default'           => 'attachment' === $this->post_type ? 'inherit' : 'publish',
+			'default'           => 'publish',
 			'description'       => __( 'Limit result set to posts assigned a specific status.' ),
 			'sanitize_callback' => 'sanitize_key',
 			'type'              => 'string',
@@ -1647,7 +1643,7 @@ public function get_collection_params() {
 	 * @return WP_Error|bool
 	 */
 	public function validate_user_can_query_private_statuses( $value, $request, $parameter ) {
-		if ( 'publish' === $value || ( 'attachment' === $this->post_type && 'inherit' === $value ) ) {
+		if ( 'publish' === $value ) {
 			return true;
 		}
 		$post_type_obj = get_post_type_object( $this->post_type );

diff --git a/tests/test-rest-attachments-controller.php b/tests/test-rest-attachments-controller.php
@@ -54,6 +54,28 @@ public function test_context_param() {
 		$this->assertEquals( array( 'view', 'embed', 'edit' ), $data['endpoints'][0]['args']['context']['enum'] );
 	}
 
+	public function test_registered_query_params() {
+		$request = new WP_REST_Request( 'OPTIONS', '/wp/v2/media' );
+		$response = $this->server->dispatch( $request );
+		$data = $response->get_data();
+		$keys = array_keys( $data['endpoints'][0]['args'] );
+		sort( $keys );
+		$this->assertEquals( array(
+			'author',
+			'context',
+			'exclude',
+			'filter',
+			'include',
+			'order',
+			'orderby',
+			'page',
+			'parent',
+			'per_page',
+			'search',
+			'status',
+			), $keys );
+	}
+
 	public function test_get_items() {
 		wp_set_current_user( 0 );
 		$id1 = $this->factory->attachment->create_object( $this->test_file, 0, array(
@@ -145,6 +167,41 @@ public function test_get_items_parent() {
 		$this->assertEquals( 0, count( $data ) );
 	}
 
+	public function test_get_items_invalid_status_param_is_discarded() {
+		wp_set_current_user( $this->editor_id );
+		$attachment_id1 = $this->factory->attachment->create_object( $this->test_file, 0, array(
+			'post_mime_type' => 'image/jpeg',
+			'post_excerpt'   => 'A sample caption',
+		) );
+		$request = new WP_REST_Request( 'GET', '/wp/v2/media' );
+		$request->set_param( 'status', 'publish' );
+		$request->set_param( 'context', 'edit' );
+		$response = $this->server->dispatch( $request );
+		$data = $response->get_data();
+		$this->assertCount( 1, $data );
+		$this->assertEquals( 'inherit', $data[0]['status'] );
+	}
+
+	public function test_get_items_private_status() {
+		// Logged out users can't make the request
+		wp_set_current_user( 0 );
+		$attachment_id1 = $this->factory->attachment->create_object( $this->test_file, 0, array(
+			'post_mime_type' => 'image/jpeg',
+			'post_excerpt'   => 'A sample caption',
+			'post_status'    => 'private',
+		) );
+		$request = new WP_REST_Request( 'GET', '/wp/v2/media' );
+		$request->set_param( 'status', 'private' );
+		$response = $this->server->dispatch( $request );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+		// Properly authorized users can make the request
+		wp_set_current_user( $this->editor_id );
+		$response = $this->server->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+		$data = $response->get_data();
+		$this->assertEquals( $attachment_id1, $data[0]['id'] );
+	}
+
 	public function test_get_item() {
 		$attachment_id = $this->factory->attachment->create_object( $this->test_file, 0, array(
 			'post_mime_type' => 'image/jpeg',