Ticket #38855: 38855.2.diff

src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php

@@ -366 +366 @@
          * @return WP_Error|bool True if the request has access to create items, error object otherwise.
          */
         public function create_item_permissions_check( $request ) {
-
                 if ( ! is_user_logged_in() && get_option( 'comment_registration' ) ) {
                         return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) );
                 }
 
+                /**
+                 * Filters whether comments can be created without authentication.
+                 *
+                 * Enables creating comments for anonymous users.
+                 *
+                 * @since 4.7.0
+                 *
+                 * @param bool            $allow_anonymous Whether to allow anonymous
+                 *                                         comments to be created.
+                 *                                         Default `false`.
+                 * @param WP_REST_Request $request         Request used to generate the
+                 *                                         response.
+                 */
+                $allow_anonymous = apply_filters( 'rest_allow_anonymous_comments', false, $request );
+                if ( ! is_user_logged_in() && false === $allow_anonymous ) {
+                        return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) );
+                }
+
                 // Limit who can set comment `author`, `author_ip` or `status` to anything other than the default.
                 if ( isset( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( 'moderate_comments' ) ) {
                         return new WP_Error( 'rest_comment_invalid_author',

tests/phpunit/tests/rest-api/rest-comments-controller.php

@@ -800 +800 @@
         }
 
         public function test_get_comment_not_approved_same_user() {
-                wp_set_current_user( self::$subscriber_id );
+                wp_set_current_user( self::$admin_id );
 
                 $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/comments/%d', self::$hold_id ) );
 
@@ -842 +842 @@
         }
 
         public function test_get_comment_with_password_without_edit_post_permission() {
-                wp_set_current_user( 0 );
+                wp_set_current_user( self::$subscriber_id );
                 $args = array(
                         'comment_approved' => 1,
                         'comment_post_ID'  => self::$password_id,
@@ -850 +850 @@
                 $password_comment = $this->factory->comment->create( $args );
                 $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/comments/%s', $password_comment ) );
                 $response = $this->server->dispatch( $request );
-                $this->assertErrorResponse( 'rest_cannot_read', $response, 401 );
+                $this->assertErrorResponse( 'rest_cannot_read', $response, 403 );
         }
 
         public function test_create_item() {
-                wp_set_current_user( 0 );
+                wp_set_current_user( self::$admin_id );
 
                 $params = array(
                         'post'    => self::$post_id,
@@ -873 +873 @@
                 $this->assertEquals( 201, $response->get_status() );
 
                 $data = $response->get_data();
-                $this->check_comment_data( $data, 'view', $response->get_links() );
+                $this->check_comment_data( $data, 'edit', $response->get_links() );
                 $this->assertEquals( 'hold', $data['status'] );
                 $this->assertEquals( '2014-11-07T10:14:25', $data['date'] );
                 $this->assertEquals( self::$post_id, $data['post'] );
@@ -880 +880 @@
         }
 
         public function test_create_item_using_accepted_content_raw_value() {
-                wp_set_current_user( 0 );
+                wp_set_current_user( self::$admin_id );
 
                 $params = array(
                         'post'         => self::$post_id,
@@ -905 +905 @@
         }
 
         public function test_create_comment_missing_required_author_name_and_email_per_option_value() {
+                add_filter( 'rest_allow_anonymous_comments', '__return_true' );
                 update_option( 'require_name_email', 1 );
 
                 $params = array(
@@ -917 +918 @@
                 $request->set_body( wp_json_encode( $params ) );
 
                 $response = $this->server->dispatch( $request );
+
                 $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
 
                 update_option( 'require_name_email', 0 );
@@ -923 +925 @@
         }
 
         public function test_create_comment_missing_required_author_name_per_option_value() {
+                wp_set_current_user( self::$admin_id );
                 update_option( 'require_name_email', 1 );
 
                 $params = array(
@@ -942 +945 @@
         }
 
         public function test_create_comment_missing_required_author_email_per_option_value() {
+                wp_set_current_user( self::$admin_id );
                 update_option( 'require_name_email', 1 );
 
                 $params = array(
@@ -961 +965 @@
         }
 
         public function test_create_comment_author_email_too_short() {
-                wp_set_current_user( 0 );
+                wp_set_current_user( self::$admin_id );
 
                 $params = array(
                         'post'         => self::$post_id,
@@ -982 +986 @@
         }
 
         public function test_create_item_invalid_no_content() {
-                wp_set_current_user( 0 );
+                wp_set_current_user( self::$admin_id );
 
                 $params = array(
                         'post'         => self::$post_id,
@@ -1005 +1009 @@
         }
 
         public function test_create_item_invalid_date() {
-                wp_set_current_user( 0 );
+                wp_set_current_user( self::$admin_id );
 
                 $params = array(
                         'post'         => self::$post_id,
@@ -1349 +1353 @@
         }
 
         public function test_create_comment_author_ip_no_permission() {
+                wp_set_current_user( self::$subscriber_id );
                 $params = array(
                         'author_name'  => 'Comic Book Guy',
                         'author_email' => 'cbg@androidsdungeon.com',
@@ -1361 +1366 @@
                 $request->add_header( 'content-type', 'application/json' );
                 $request->set_body( wp_json_encode( $params ) );
                 $response = $this->server->dispatch( $request );
-                $this->assertErrorResponse( 'rest_comment_invalid_author_ip', $response, 401 );
+                $this->assertErrorResponse( 'rest_comment_invalid_author_ip', $response, 403 );
         }
 
         public function test_create_comment_author_ip_defaults_to_remote_addr() {
+                wp_set_current_user( self::$admin_id );
                 $_SERVER['REMOTE_ADDR'] = '127.0.0.2';
                 $params = array(
                         'post'         => self::$post_id,
@@ -1500 +1506 @@
         }
 
         public function test_create_item_duplicate() {
+                wp_set_current_user( self::$subscriber_id );
                 $this->factory->comment->create(
                         array(
                                 'comment_post_ID'      => self::$post_id,
@@ -1508 +1515 @@
                                 'comment_content'      => 'Homer? Who is Homer? My name is Guy N. Cognito.',
                         )
                 );
-                wp_set_current_user( 0 );
 
                 $params = array(
                         'post'    => self::$post_id,
@@ -1529 +1535 @@
                 $post_id = $this->factory->post->create( array(
                         'comment_status' => 'closed',
                 ));
-                wp_set_current_user( 0 );
+                wp_set_current_user( self::$subscriber_id );
 
                 $params = array(
                         'post'      => $post_id,
@@ -1546 +1552 @@
         public function test_create_comment_require_login() {
                 wp_set_current_user( 0 );
                 update_option( 'comment_registration', 1 );
+                add_filter( 'rest_allow_anonymous_comments', '__return_true' );
                 $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
                 $request->set_param( 'post', self::$post_id );
                 $response = $this->server->dispatch( $request );
@@ -1595 +1602 @@
         }
 
         public function test_create_comment_two_times() {
-                wp_set_current_user( 0 );
+                add_filter( 'rest_allow_anonymous_comments', '__return_true' );
 
                 $params = array(
                         'post'    => self::$post_id,
@@ -1632 +1639 @@
          * @ticket 38477
          */
         public function test_create_comment_author_name_too_long() {
-                wp_set_current_user( 0 );
+                wp_set_current_user( self::$subscriber_id );
 
                 $params = array(
                         'post'         => self::$post_id,
@@ -1655 +1662 @@
          * @ticket 38477
          */
         public function test_create_comment_author_email_too_long() {
-                wp_set_current_user( 0 );
+                wp_set_current_user( self::$subscriber_id );
 
                 $params = array(
                         'post'         => self::$post_id,
@@ -1678 +1685 @@
          * @ticket 38477
          */
         public function test_create_comment_author_url_too_long() {
-                wp_set_current_user( 0 );
+                wp_set_current_user( self::$subscriber_id );
 
                 $params = array(
                         'post'         => self::$post_id,
@@ -1701 +1708 @@
          * @ticket 38477
          */
         public function test_create_comment_content_too_long() {
-                wp_set_current_user( 0 );
+                wp_set_current_user( self::$subscriber_id );
 
                 $params = array(
                         'post'         => self::$post_id,
@@ -1913 +1920 @@
         }
 
         public function test_update_comment_invalid_id() {
-                wp_set_current_user( 0 );
+                wp_set_current_user( self::$subscriber_id );
 
                 $params = array(
                         'content' => 'Oh, they have the internet on computers now!',
@@ -1927 +1934 @@
         }
 
         public function test_update_comment_invalid_permission() {
-                wp_set_current_user( 0 );
+                add_filter( 'rest_allow_anonymous_comments', '__return_true' );
 
                 $params = array(
                         'content' => 'Disco Stu likes disco music.',