
Ticket #38816: 38816.2.diff

File 38816.2.diff, 3.0 KB (added by dd32, 4 years ago)
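--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -373,35 +373,41 @@ class WP_REST_Comments_Controller extend
                 }
 
                 // Limit who can set comment `author`, `karma` or `status` to anything other than the default.
                 if ( isset( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( 'moderate_comments' ) ) {
                         return new WP_Error( 'rest_comment_invalid_author', __( 'Comment author invalid.' ), array( 'status' => rest_authorization_required_code() ) );
                 }
 
                 if ( isset( $request['karma'] ) && $request['karma'] > 0 && ! current_user_can( 'moderate_comments' ) ) {
                         return new WP_Error( 'rest_comment_invalid_karma', __( 'Sorry, you are not allowed to set karma for comments.' ), array( 'status' => rest_authorization_required_code() ) );
                 }
 
                 if ( isset( $request['status'] ) && ! current_user_can( 'moderate_comments' ) ) {
                         return new WP_Error( 'rest_comment_invalid_status', __( 'Sorry, you are not allowed to set status for comments.' ), array( 'status' => rest_authorization_required_code() ) );
                 }
 
-                if ( empty( $request['post'] ) && ! current_user_can( 'moderate_comments' ) ) {
-                        return new WP_Error( 'rest_comment_invalid_post_id', __( 'Sorry, you are not allowed to create this comment without a post.' ), array( 'status' => rest_authorization_required_code() ) );
+                if ( empty( $request['post'] ) ) {
+                        return new WP_Error( 'rest_comment_invalid_post_id', __( 'Sorry, you are not allowed to create this comment without a post.' ), array( 'status' => 403 ) );
                 }
 
-                if ( ! empty( $request['post'] ) && $post = get_post( (int) $request['post'] ) ) {
+                if ( ! empty( $request['post'] ) ) {
+                        $post = get_post( (int) $request['post'] );
+
+                        if ( ! $post ) {
+                                return new WP_Error( 'rest_comment_invalid_post_id', __( 'Sorry, you are not allowed to create this comment without a post.' ), array( 'status' => 403 ) );                             
+                        }
+
                         if ( 'draft' === $post->post_status ) {
                                 return new WP_Error( 'rest_comment_draft_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) );
                         }
 
                         if ( 'trash' === $post->post_status ) {
                                 return new WP_Error( 'rest_comment_trash_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) );
                         }
 
                         if ( ! $this->check_read_post_permission( $post ) ) {
                                 return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) );
                         }
 
                         if ( ! comments_open( $post->ID ) ) {
                                 return new WP_Error( 'rest_comment_closed', __( 'Sorry, comments are closed on this post.' ), array( 'status' => 403 ) );
                         }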
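Review bot: The new `if ( ! $post )` branch returns `rest_comment_invalid_post_id` before the read-permission check runs, while the unchanged `draft`/`trash` checks below it also fire before `check_read_post_permission()`, so a requester who cannot read a post still learns from the distinct error codes whether a given ID does not exist, is a draft, or is trashed — an enumeration oracle for unpublished content. Since `$post` is now guaranteed non-null at that point, the cheap fix is to move the `if ( ! $this->check_read_post_permission( $post ) ) { ... }` block up to directly after the `! $post` check, so unreadable and non-existent posts are rejected before status is inspected; the response for a non-existent ID should then be indistinguishable from an unreadable one. Separately, the two new errors hard-code `'status' => 403` with an authorization-flavoured message although the condition is now a plain validation failure independent of who is calling, whereas the sibling checks in this hunk use `rest_authorization_required_code()`; a short comment such as `// A comment must always belong to an existing post; this is a request validation failure, not a capability check.` would make the intentional divergence clear. The enclosing method continues past the end of the hunk, so I cannot confirm whether later code relies on `$post` being set when `$request['post']` was empty.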