| 109 | 109 | $post = get_post( $post_id ); |
| 110 | 110 | |
| 111 | 111 | if ( ! empty( $post_id ) && $post && ! $this->check_read_post_permission( $post ) ) { |
| 112 | 112 | return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) ); |
| 113 | 113 | } elseif ( 0 === $post_id && ! current_user_can( 'moderate_comments' ) ) { |
| 114 | 114 | return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to read comments without a post.' ), array( 'status' => rest_authorization_required_code() ) ); |
| 115 | 115 | } |
| 116 | 116 | } |
| 117 | 117 | } |
| 118 | 118 | |
| 119 | 119 | if ( ! empty( $request['context'] ) && 'edit' === $request['context'] && ! current_user_can( 'moderate_comments' ) ) { |
| 120 | 120 | return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to view comments with edit context.' ), array( 'status' => rest_authorization_required_code() ) ); |
| 121 | 121 | } |
| 122 | 122 | |
| 123 | 123 | if ( ! current_user_can( 'edit_posts' ) ) { |
| 125 | 125 | $forbidden_params = array(); |
| 126 | 126 | |
| 127 | 127 | foreach ( $protected_params as $param ) { |
| 128 | 128 | if ( 'status' === $param ) { |
| 129 | 129 | if ( 'approve' !== $request[ $param ] ) { |
| 130 | 130 | $forbidden_params[] = $param; |
| 131 | 131 | } |
| 132 | 132 | } elseif ( 'type' === $param ) { |
| 133 | 133 | if ( 'comment' !== $request[ $param ] ) { |
| 134 | 134 | $forbidden_params[] = $param; |
| 135 | 135 | } |
| 136 | 136 | } elseif ( ! empty( $request[ $param ] ) ) { |
| 137 | 137 | $forbidden_params[] = $param; |
| 138 | 138 | } |
| 139 | 139 | } |
| 160 | 160 | // Retrieve the list of registered collection query parameters. |
| 161 | 161 | $registered = $this->get_collection_params(); |
| 162 | 162 | |
| 163 | 163 | /* |
| 164 | 164 | * This array defines mappings between public API query parameters whose |
| 165 | 165 | * values are accepted as-passed, and their internal WP_Query parameter |
| 166 | 166 | * name equivalents (some are the same). Only values which are also |
| 167 | 167 | * present in $registered will be set. |
| 168 | 168 | */ |
| 169 | 169 | $parameter_mappings = array( |
| 170 | 170 | 'author' => 'author__in', |
| 171 | 171 | 'author_email' => 'author_email', |
| 172 | 172 | 'author_exclude' => 'author__not_in', |
| 173 | 173 | 'exclude' => 'comment__not_in', |
| 174 | 174 | 'include' => 'comment__in', |
| 176 | 175 | 'offset' => 'offset', |
| 177 | 176 | 'order' => 'order', |
| 178 | 177 | 'parent' => 'parent__in', |
| 179 | 178 | 'parent_exclude' => 'parent__not_in', |
| 180 | 179 | 'per_page' => 'number', |
| 181 | 180 | 'post' => 'post__in', |
| 182 | 181 | 'search' => 'search', |
| 183 | 182 | 'status' => 'status', |
| 184 | 183 | 'type' => 'type', |
| 185 | 184 | ); |
| 186 | 185 | |
| 187 | 186 | $prepared_args = array(); |
| 188 | 187 | |
| 189 | 188 | /* |
| 190 | 189 | * For each known parameter which is both registered and present in the request, |
| 191 | 190 | * set the parameter's value on the query $prepared_args. |
| 192 | 191 | */ |
| 193 | 192 | foreach ( $parameter_mappings as $api_param => $wp_param ) { |
| 194 | 193 | if ( isset( $registered[ $api_param ], $request[ $api_param ] ) ) { |
| 195 | 194 | $prepared_args[ $wp_param ] = $request[ $api_param ]; |
| 196 | 195 | } |
| 197 | 196 | } |
| 198 | 197 | |
| 199 | 198 | // Ensure certain parameter values default to empty strings. |
| 201 | 200 | if ( ! isset( $prepared_args[ $param ] ) ) { |
| 202 | 201 | $prepared_args[ $param ] = ''; |
| 203 | 202 | } |
| 204 | 203 | } |
| 205 | 204 | |
| 206 | 205 | if ( isset( $registered['orderby'] ) ) { |
| 207 | 206 | $prepared_args['orderby'] = $this->normalize_query_param( $request['orderby'] ); |
| 208 | 207 | } |
| 209 | 208 | |
| 210 | 209 | $prepared_args['no_found_rows'] = false; |
| 211 | 210 | |
| 212 | 211 | $prepared_args['date_query'] = array(); |
| 213 | 212 | |
| 214 | 213 | // Set before into date query. Date query must be specified as an array of an array. |
| 215 | 214 | if ( isset( $registered['before'], $request['before'] ) ) { |
| 360 | 359 | /** |
| 361 | 360 | * Checks if a given request has access to create a comment. |
| 362 | 361 | * |
| 363 | 362 | * @since 4.7.0 |
| 364 | 363 | * @access public |
| 365 | 364 | * |
| 366 | 365 | * @param WP_REST_Request $request Full details about the request. |
| 367 | 366 | * @return WP_Error|bool True if the request has access to create items, error object otherwise. |
| 368 | 367 | */ |
| 369 | 368 | public function create_item_permissions_check( $request ) { |
| 370 | 369 | |
| 371 | 370 | if ( ! is_user_logged_in() && get_option( 'comment_registration' ) ) { |
| 372 | 371 | return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) ); |
| 373 | 372 | } |
| 374 | 373 | |
| 384 | 379 | if ( isset( $request['status'] ) && ! current_user_can( 'moderate_comments' ) ) { |
| 385 | 380 | return new WP_Error( 'rest_comment_invalid_status', __( 'Sorry, you are not allowed to set status for comments.' ), array( 'status' => rest_authorization_required_code() ) ); |
| 386 | 381 | } |
| 387 | 382 | |
| 388 | 383 | if ( empty( $request['post'] ) && ! current_user_can( 'moderate_comments' ) ) { |
| 389 | 384 | return new WP_Error( 'rest_comment_invalid_post_id', __( 'Sorry, you are not allowed to create this comment without a post.' ), array( 'status' => rest_authorization_required_code() ) ); |
| 390 | 385 | } |
| 391 | 386 | |
| 392 | 387 | if ( ! empty( $request['post'] ) && $post = get_post( (int) $request['post'] ) ) { |
| 393 | 388 | if ( 'draft' === $post->post_status ) { |
| 394 | 389 | return new WP_Error( 'rest_comment_draft_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) ); |
| 395 | 390 | } |
| 396 | 391 | |
| 397 | 392 | if ( 'trash' === $post->post_status ) { |
| 398 | 393 | return new WP_Error( 'rest_comment_trash_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) ); |
| 797 | 792 | 'post' => (int) $comment->comment_post_ID, |
| 798 | 793 | 'parent' => (int) $comment->comment_parent, |
| 799 | 794 | 'author' => (int) $comment->user_id, |
| 800 | 795 | 'author_name' => $comment->comment_author, |
| 801 | 796 | 'author_email' => $comment->comment_author_email, |
| 802 | 797 | 'author_url' => $comment->comment_author_url, |
| 803 | 798 | 'author_ip' => $comment->comment_author_IP, |
| 804 | 799 | 'author_user_agent' => $comment->comment_agent, |
| 805 | 800 | 'date' => mysql_to_rfc3339( $comment->comment_date ), |
| 806 | 801 | 'date_gmt' => mysql_to_rfc3339( $comment->comment_date_gmt ), |
| 807 | 802 | 'content' => array( |
| 808 | 803 | /** This filter is documented in wp-includes/comment-template.php */ |
| 809 | 804 | 'rendered' => apply_filters( 'comment_text', $comment->comment_content, $comment ), |
| 810 | 805 | 'raw' => $comment->comment_content, |
| 811 | 806 | ), |
| 813 | 807 | 'link' => get_comment_link( $comment ), |
| 814 | 808 | 'status' => $this->prepare_status_response( $comment->comment_approved ), |
| 815 | 809 | 'type' => get_comment_type( $comment->comment_ID ), |
| 816 | 810 | ); |
| 817 | 811 | |
| 818 | 812 | $schema = $this->get_item_schema(); |
| 819 | 813 | |
| 820 | 814 | if ( ! empty( $schema['properties']['author_avatar_urls'] ) ) { |
| 821 | 815 | $data['author_avatar_urls'] = rest_get_avatar_urls( $comment->comment_author_email ); |
| 822 | 816 | } |
| 823 | 817 | |
| 824 | 818 | if ( ! empty( $schema['properties']['meta'] ) ) { |
| 825 | 819 | $data['meta'] = $this->meta->get_value( $comment->comment_ID, $request ); |
| 826 | 820 | } |
| 827 | 821 | |
| 1057 | 1047 | if ( ! empty( $request['date'] ) ) { |
| 1058 | 1048 | $date_data = rest_get_date_with_gmt( $request['date'] ); |
| 1059 | 1049 | |
| 1060 | 1050 | if ( ! empty( $date_data ) ) { |
| 1061 | 1051 | list( $prepared_comment['comment_date'], $prepared_comment['comment_date_gmt'] ) = $date_data; |
| 1062 | 1052 | } |
| 1063 | 1053 | } elseif ( ! empty( $request['date_gmt'] ) ) { |
| 1064 | 1054 | $date_data = rest_get_date_with_gmt( $request['date_gmt'], true ); |
| 1065 | 1055 | |
| 1066 | 1056 | if ( ! empty( $date_data ) ) { |
| 1067 | 1057 | list( $prepared_comment['comment_date'], $prepared_comment['comment_date_gmt'] ) = $date_data; |
| 1068 | 1058 | } |
| 1069 | 1059 | } |
| 1070 | 1060 | |
| 1071 | 1061 | /** |
| 1182 | 1167 | 'link' => array( |
| 1183 | 1168 | 'description' => __( 'URL to the object.' ), |
| 1184 | 1169 | 'type' => 'string', |
| 1185 | 1170 | 'format' => 'uri', |
| 1186 | 1171 | 'context' => array( 'view', 'edit', 'embed' ), |
| 1187 | 1172 | 'readonly' => true, |
| 1188 | 1173 | ), |
| 1189 | 1174 | 'parent' => array( |
| 1190 | 1175 | 'description' => __( 'The id for the parent of the object.' ), |
| 1191 | 1176 | 'type' => 'integer', |
| 1192 | 1177 | 'context' => array( 'view', 'edit', 'embed' ), |
| 1193 | 1178 | 'default' => 0, |
| 1194 | 1179 | ), |
| 1195 | 1180 | 'post' => array( |
| 1196 | 1181 | 'description' => __( 'The id of the associated post object.' ), |