fix(duplicator): prevent race condition in R&R copy creation

enricobattocchi · claude · enricobattocchi · commit bfb3622256cf · 2026-03-27T21:24:42.000+01:00
Claim the slot on the original post using add_post_meta() with $unique = true before creating the copy. This returns false if the meta key already exists, preventing duplicate copies when two concurrent requests both pass the permission check before either sets the meta. If wp_insert_post() fails, the claim is rolled back by deleting the meta. Also fixes Block_Editor_Test to mock get_post_type_object() for the restBase addition to the localized JS object. Ref: Yoast/reserved-tasks#1127 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/src/post-duplicator.php b/src/post-duplicator.php
@@ -149,6 +149,17 @@ public function set_modified( $data ) {
 	 * @return int|WP_Error The copy ID, or a WP_Error object on failure.
 	 */
 	public function create_duplicate_for_rewrite_and_republish( WP_Post $post ) {
+		// Claim the slot on the original before creating the copy to prevent
+		// a race condition where two concurrent requests both pass the
+		// permission check before either has set the meta.
+		$claimed = \add_post_meta( $post->ID, '_dp_has_rewrite_republish_copy', 'pending', true );
+		if ( ! $claimed ) {
+			return new \WP_Error(
+				'duplicate_post_already_has_copy',
+				\__( 'A Rewrite & Republish copy already exists for this post.', 'duplicate-post' ),
+			);
+		}
+
 		$options  = [
 			'copy_title'      => true,
 			'copy_date'       => true,
@@ -164,15 +175,19 @@ public function create_duplicate_for_rewrite_and_republish( WP_Post $post ) {
 
 		$new_post_id = $this->create_duplicate( $post, $options );
 
-		if ( ! \is_wp_error( $new_post_id ) ) {
-			$this->copy_post_taxonomies( $new_post_id, $post, $options );
-			$this->copy_post_meta_info( $new_post_id, $post, $options );
-
-			\update_post_meta( $new_post_id, '_dp_is_rewrite_republish_copy', 1 );
-			\update_post_meta( $post->ID, '_dp_has_rewrite_republish_copy', $new_post_id );
-			\update_post_meta( $new_post_id, '_dp_creation_date_gmt', \current_time( 'mysql', 1 ) );
+		if ( \is_wp_error( $new_post_id ) ) {
+			// Roll back the claim if copy creation failed.
+			\delete_post_meta( $post->ID, '_dp_has_rewrite_republish_copy' );
+			return $new_post_id;
 		}
 
+		$this->copy_post_taxonomies( $new_post_id, $post, $options );
+		$this->copy_post_meta_info( $new_post_id, $post, $options );
+
+		\update_post_meta( $new_post_id, '_dp_is_rewrite_republish_copy', 1 );
+		\update_post_meta( $post->ID, '_dp_has_rewrite_republish_copy', $new_post_id );
+		\update_post_meta( $new_post_id, '_dp_creation_date_gmt', \current_time( 'mysql', 1 ) );
+
 		return $new_post_id;
 	}
 
diff --git a/tests/Unit/UI/Block_Editor_Test.php b/tests/Unit/UI/Block_Editor_Test.php
@@ -310,6 +310,7 @@ public function test_enqueue_block_editor_scripts() {
 		$utils                      = Mockery::mock( 'alias:\Yoast\WP\Duplicate_Post\Utils' );
 		$post                       = Mockery::mock( WP_Post::class );
 		$post->ID                   = 123;
+		$post->post_type            = 'post';
 		$new_draft_link             = 'http://fakeu.rl/new_draft';
 		$rewrite_and_republish_link = 'http://fakeu.rl/rewrite_and_republish';
 		$rewriting                  = 0;
@@ -374,8 +375,16 @@ public function test_enqueue_block_editor_scripts() {
 			->with( $post )
 			->andReturnNull();
 
+		$post_type_object            = Mockery::mock( 'WP_Post_Type' );
+		$post_type_object->rest_base = 'posts';
+
+		Monkey\Functions\expect( '\get_post_type_object' )
+			->with( 'post' )
+			->andReturn( $post_type_object );
+
 		$edit_js_object = [
 			'postId'                  => 123,
+			'restBase'                => 'posts',
 			'newDraftLink'            => $new_draft_link,
 			'rewriteAndRepublishLink' => $rewrite_and_republish_link,
 			'showLinks'               => $show_links,
@@ -414,6 +423,7 @@ public function test_get_enqueue_block_editor_scripts_rewrite_and_republish() {
 		$utils                      = Mockery::mock( 'alias:\Yoast\WP\Duplicate_Post\Utils' );
 		$post                       = Mockery::mock( WP_Post::class );
 		$post->ID                   = 123;
+		$post->post_type            = 'post';
 		$new_draft_link             = 'http://fakeu.rl/new_draft';
 		$rewrite_and_republish_link = 'http://fakeu.rl/rewrite_and_republish';
 		$rewriting                  = 1;
@@ -475,8 +485,16 @@ public function test_get_enqueue_block_editor_scripts_rewrite_and_republish() {
 			->with( $post )
 			->andReturnNull();
 
+		$post_type_object            = Mockery::mock( 'WP_Post_Type' );
+		$post_type_object->rest_base = 'posts';
+
+		Monkey\Functions\expect( '\get_post_type_object' )
+			->with( 'post' )
+			->andReturn( $post_type_object );
+
 		$edit_js_object = [
 			'postId'                  => 123,
+			'restBase'                => 'posts',
 			'newDraftLink'            => $new_draft_link,
 			'rewriteAndRepublishLink' => $rewrite_and_republish_link,
 			'showLinks'               => $show_links,
