Ticket #38819: 38819.4.diff
File 38819.4.diff, 6.1 KB (added by , 9 years ago) |
src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
371 371 return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) ); 372 372 } 373 373 374 // Limit who can set comment `author` or `status` to anything other than the default.374 // Limit who can set comment `author`, `author_ip` or `status` to anything other than the default. 375 375 if ( isset( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( 'moderate_comments' ) ) { 376 376 return new WP_Error( 'rest_comment_invalid_author', __( 'Comment author invalid.' ), array( 'status' => rest_authorization_required_code() ) ); 377 377 } 378 378 379 if ( isset( $request['author_ip'] ) && ! current_user_can( 'moderate_comments' ) ) { 380 if ( empty( $_SERVER['REMOTE_ADDR'] ) || $request['author_ip'] !== $_SERVER['REMOTE_ADDR'] ) { 381 return new WP_Error( 'rest_comment_invalid_author_ip', __( 'Sorry, you are not allowed to set author_ip for comments.' ), array( 'status' => rest_authorization_required_code() ) ); 382 } 383 } 384 379 385 if ( isset( $request['status'] ) && ! current_user_can( 'moderate_comments' ) ) { 380 386 return new WP_Error( 'rest_comment_invalid_status', __( 'Sorry, you are not allowed to set status for comments.' ), array( 'status' => rest_authorization_required_code() ) ); 381 387 } … … 1041 1047 1042 1048 if ( isset( $request['author_ip'] ) ) { 1043 1049 $prepared_comment['comment_author_IP'] = $request['author_ip']; 1050 } elseif ( ! empty( $_SERVER['REMOTE_ADDR'] ) && rest_is_ip_address( $_SERVER['REMOTE_ADDR'] ) ) { 1051 $prepared_comment['comment_author_IP'] = $_SERVER['REMOTE_ADDR']; 1052 } else { 1053 $prepared_comment['comment_author_IP'] = '127.0.0.1'; 1044 1054 } 1045 1055 1046 1056 if ( ! 
empty( $request['author_user_agent'] ) ) { … … 1117 1127 'type' => 'string', 1118 1128 'format' => 'ip', 1119 1129 'context' => array( 'edit' ), 1120 'default' => '127.0.0.1',1121 1130 ), 1122 1131 'author_name' => array( 1123 1132 'description' => __( 'Display name for the object author.' ), -
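Review bot: The fallback on the new line 1053 of prepare_item_for_database stores a fabricated `'127.0.0.1'` as `comment_author_IP` whenever `REMOTE_ADDR` is empty or fails `rest_is_ip_address()`, which is exactly the case the new permission check at line 380 treats as "origin unknown" and refuses to let a non-moderator fill in. Persisting a loopback address that nobody supplied misleads anything downstream that keys on the stored IP (moderation screens, anti-spam plugins, abuse investigations); an empty value is the honest representation, so the `else` branch should read `$prepared_comment['comment_author_IP'] = '';` — presumably `wp_insert_comment()` accepts an empty IP, but confirm before changing. The check at line 380 is a strict string comparison, so an IPv6 client that submits a differently formatted spelling of the same `REMOTE_ADDR` (e.g. compressed vs expanded) will be rejected; that is safe but worth a one-line comment such as `// Non-moderators may only assert their own address; compared literally against REMOTE_ADDR, no normalisation.` Both enclosing methods, create_item_permissions_check and prepare_item_for_database, start and end outside this hunk.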
tests/phpunit/tests/rest-api/rest-comments-controller.php
6 6 * @subpackage REST API 7 7 */ 8 8 9 10 11 9 /** 10 * @group restapi 11 */ 12 12 class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase { 13 13 protected static $superadmin_id; 14 14 protected static $admin_id; … … 1307 1307 $this->assertEquals( 'Mozilla/4.0 (compatible; MSIE 5.5; AOL 4.0; Windows 95)', $new_comment->comment_agent ); 1308 1308 } 1309 1309 1310 public function test_create_comment_author_ip() { 1311 wp_set_current_user( self::$admin_id ); 1312 1313 $params = array( 1314 'post' => self::$post_id, 1315 'author_name' => 'Comic Book Guy', 1316 'author_email' => 'cbg@androidsdungeon.com', 1317 'author_url' => 'http://androidsdungeon.com', 1318 'author_ip' => '127.0.0.3', 1319 'content' => 'Worst Comment Ever!', 1320 'status' => 'approved', 1321 ); 1322 $request = new WP_REST_Request( 'POST', '/wp/v2/comments' ); 1323 $request->add_header( 'content-type', 'application/json' ); 1324 $request->set_body( wp_json_encode( $params ) ); 1325 $response = $this->server->dispatch( $request ); 1326 $data = $response->get_data(); 1327 $new_comment = get_comment( $data['id'] ); 1328 $this->assertEquals( '127.0.0.3', $new_comment->comment_author_IP ); 1329 } 1330 1310 1331 public function test_create_comment_invalid_author_IP() { 1311 1332 wp_set_current_user( self::$admin_id ); 1312 1333 1313 1334 $params = array( 1335 'post' => self::$post_id, 1314 1336 'author_name' => 'Comic Book Guy', 1315 1337 'author_email' => 'cbg@androidsdungeon.com', 1316 1338 'author_url' => 'http://androidsdungeon.com', … … 1323 1345 $request->set_body( wp_json_encode( $params ) ); 1324 1346 1325 1347 $response = $this->server->dispatch( $request ); 1326 1327 1348 $this->assertErrorResponse( 'rest_invalid_param', $response, 400 ); 1328 1349 } 1329 1350 1351 public function test_create_comment_author_ip_no_permission() { 1352 $params = array( 1353 'author_name' => 'Comic Book Guy', 1354 'author_email' => 'cbg@androidsdungeon.com', 1355 'author_url' => 
'http://androidsdungeon.com', 1356 'author_ip' => '10.0.10.1', 1357 'content' => 'Worst Comment Ever!', 1358 'status' => 'approved', 1359 ); 1360 $request = new WP_REST_Request( 'POST', '/wp/v2/comments' ); 1361 $request->add_header( 'content-type', 'application/json' ); 1362 $request->set_body( wp_json_encode( $params ) ); 1363 $response = $this->server->dispatch( $request ); 1364 $this->assertErrorResponse( 'rest_comment_invalid_author_ip', $response, 401 ); 1365 } 1366 1367 public function test_create_comment_author_ip_defaults_to_remote_addr() { 1368 $_SERVER['REMOTE_ADDR'] = '127.0.0.2'; 1369 $params = array( 1370 'post' => self::$post_id, 1371 'author_name' => 'Comic Book Guy', 1372 'author_email' => 'cbg@androidsdungeon.com', 1373 'author_url' => 'http://androidsdungeon.com', 1374 'content' => 'Worst Comment Ever!', 1375 ); 1376 $request = new WP_REST_Request( 'POST', '/wp/v2/comments' ); 1377 $request->add_header( 'content-type', 'application/json' ); 1378 $request->set_body( wp_json_encode( $params ) ); 1379 $response = $this->server->dispatch( $request ); 1380 $data = $response->get_data(); 1381 $new_comment = get_comment( $data['id'] ); 1382 $this->assertEquals( '127.0.0.2', $new_comment->comment_author_IP ); 1383 } 1384 1330 1385 public function test_create_comment_no_post_id() { 1331 1386 wp_set_current_user( self::$admin_id ); 1332 1387 … … 2268 2323 $this->assertArrayHasKey( 'post', $properties ); 2269 2324 $this->assertArrayHasKey( 'status', $properties ); 2270 2325 $this->assertArrayHasKey( 'type', $properties ); 2271 2272 $this->assertEquals( '127.0.0.1', $properties['author_ip']['default'] );2273 2274 2326 $this->assertEquals( 'comment', $properties['type']['default'] ); 2275 2327 2276 2328 $this->assertEquals( 0, $properties['parent']['default'] );
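Review bot: test_create_comment_author_ip_defaults_to_remote_addr at line 1368 assigns `$_SERVER['REMOTE_ADDR'] = '127.0.0.2'` and never restores it, so the value leaks into every test that runs afterwards in the same process, including test_create_comment_author_ip_no_permission, whose 401 depends on `REMOTE_ADDR` not matching `10.0.10.1`. Save and restore it inside the test, `$orig_remote_addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : null;` before the assignment and `$_SERVER['REMOTE_ADDR'] = $orig_remote_addr;` (or `unset()` when it was null) after the assertions, or do the restore in tearDown. The same test dereferences `$data['id']` at line 1381 without first checking the dispatch succeeded; a preceding `$this->assertEquals( 201, $response->get_status() );` turns a permission or validation failure into a clear assertion instead of an undefined-index notice. The whitespace-only change to the class docblock at the top of this section needs no action.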