Opened 23 months ago

Last modified 15 months ago

#17981 new defect (bug)

XML-RPC wp.getComments should work for non-admins

Reported by: koke Owned by:
Priority: normal Milestone: Awaiting Review
Component: XML-RPC Version: 3.2
Severity: normal Keywords: mobile has-patch commit
Cc: jbernal@…, ercoli@…

Description

Right now, if the caller doesn't have the moderate_comments permission, the XML-RPC call returns a 401 error.

A more graceful alternative would be to return the approved comments. The user may not be able to moderate, but still should be able to read/reply.

Attachments (7)

patch-core-17981.diff (1.9 KB) - added by koke 23 months ago.
patch-core-17981-2.diff (1.9 KB) - added by koke 20 months ago.
Second patch closer to dashboard behavior
commentAPIfixes.patch (3.9 KB) - added by nprasath002 16 months ago.
Fixes cap checks
patch-gp-157-strings-3.diff (3.8 KB) - added by koke 16 months ago.
patch-core-17981-3.diff (3.1 KB) - added by koke 16 months ago.
17981-refresh.diff (3.5 KB) - added by ericmann 15 months ago.
Refresh patch to match latest version of trunk.
patch-core-17981-ut.diff (6.6 KB) - added by koke 14 months ago.
Unit Tests for wp.getComments and wp.editComment


Change History (18)

koke 23 months ago

  • Keywords has-patch added; needs-patch removed

Added patch for wp.getComments and wp.getComment. If the user can't moderate comments, it only returns approved comments for wp.getComments, and returns an error if the comment isn't approved for wp.getComment.

koke 20 months ago

Second patch closer to dashboard behavior

I should have done a trac search before writing a second patch but I feel it's better ;)

Dashboard also shows unapproved comments to authors, so we check for (edit_posts OR moderate_comments) instead of just moderate_comments. The current checks for edit_comment should take care of the rest.

Also, added better error descriptions.

  • Cc jbernal@… added

Nothing.

Last edited 19 months ago by ocean90
  • Cc ercoli@… added

Have you compared this with #19916 yet?

Fixes cap checks

The patch fixes the issues in cap checks.
Also added validation for post_id

koke 16 months ago

Added a new patch (sorry about the wrong one). Tested with an Author user:

  • wp.getComments shows every comment (as dashboard does)
  • Added a new field 'can_edit' to show if the user has permission to edit/delete that specific comment. That'll allow customizing the UI for it
  • Can edit/delete comments in own posts
  • Can't edit/delete comments in others' posts

I think this also solves #19916. Some questions about it:

  • Should wp.deleteComment error be "You are not allowed to delete..." instead of moderate?
  • I was going to change the error in wp.getComments to match wp.getComment, but it's a different error code (401 and 403) and could break something
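As an added illustration (not one of the attached patches), here is how a handler could encode the capability model koke describes above: authors and moderators see every comment as the dashboard does, everyone else gets only approved comments, and each comment carries a per-comment 'can_edit' flag. It assumes the WordPress core functions current_user_can(), get_comments() and wp_get_comment_status(); the function name is hypothetical.

```php
<?php
// Hypothetical helper mirroring the cap checks discussed in #17981.
// Relies on WordPress core: current_user_can(), get_comments(),
// wp_get_comment_status(). Not the ticket's patch.
function ticket17981_list_comments( array $args ) {
    // The dashboard shows unapproved comments to moderators and to users
    // who can edit posts (authors), so check (edit_posts OR moderate_comments).
    $can_see_unapproved = current_user_can( 'moderate_comments' )
                       || current_user_can( 'edit_posts' );

    if ( ! $can_see_unapproved ) {
        // Deny by default: override any caller-supplied status filter so a
        // caller without either cap cannot ask for pending or spam comments.
        $args['status'] = 'approve';
    }

    $result = array();
    foreach ( get_comments( $args ) as $comment ) {
        // edit_comment is a meta capability that maps to the comment's parent
        // post, so an author gets can_edit only on comments in their own posts;
        // comments in other users' posts come back with can_edit = false.
        $result[] = array(
            'comment_id' => (string) $comment->comment_ID,
            'status'     => wp_get_comment_status( $comment->comment_ID ),
            'content'    => $comment->comment_content,
            'can_edit'   => current_user_can( 'edit_comment', $comment->comment_ID ),
        );
    }
    return $result;
}
```

The explicit 'status' override is the part worth keeping regardless of the final patch: without it, a caller who lacks both caps could still request unapproved comments by passing their own status argument.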

Refresh patch to match latest version of trunk.

  • Keywords commit added

Before we commit these changes I would like us to have some unit tests around the expected behaviour here.

Highest priority are tests for all the cap checks to ensure we have expected behaviour - writing the tests out makes you think a lot about this :)

Second priority are tests for the data returned especially datatypes so we can ensure continuing consistency over time.

I asked koke to see if he could write some of these in IRC today.

koke 14 months ago

Unit Tests for wp.getComments and wp.editComment
