
Changeset 35745


Timestamp:
11/28/2015 06:28:54 PM (3 years ago)
Author:
johnbillion
Message:

Ensure the correct error message is returned when a user attempts to comment on a post to which they do not have access.

Adds more tests.

Location:
trunk
Files:
2 edited

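--- a/trunk/src/wp-includes/comment.php
+++ b/trunk/src/wp-includes/comment.php
@@ -2671,4 +2671,8 @@
     $status = get_post_status( $post );
 
+    if ( ( 'private' == $status ) && ! current_user_can( 'read_post', $comment_post_ID ) ) {
+        return new WP_Error( 'comment_id_not_found' );
+    }
+
     $status_obj = get_post_status_object( $status );
 
@@ -2757,5 +2761,5 @@
         }
     } else {
-        if ( get_option( 'comment_registration' ) || 'private' == $status ) {
+        if ( get_option( 'comment_registration' ) ) {
             return new WP_Error( 'not_logged_in', __( 'Sorry, you must be logged in to post a comment.' ), 403 );
         }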
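Review bot: The new guard at 2673 compares against the literal status `'private'`, so a post in a custom status that is registered as private would presumably skip it and reach the later, more descriptive errors. The status object is fetched on the very next line, so the check could sit below that line and read the object's flag instead: `if ( $status_obj && $status_obj->private && ! current_user_can( 'read_post', $comment_post_ID ) ) {`. If, as the code name suggests, the bare `WP_Error( 'comment_id_not_found' )` is meant to match the response for a missing post, a comment such as `// Same code as a missing post, so the response does not confirm that a private post exists.` would keep a later edit from adding a message or status that tells the two apart. The enclosing function starts and ends outside these hunks.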
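--- a/trunk/tests/phpunit/tests/comment-submission.php
+++ b/trunk/tests/phpunit/tests/comment-submission.php
@@ -231,5 +231,5 @@
     public function test_submitting_comment_anonymously_to_private_post_returns_error() {
 
-        $error = 'not_logged_in';
+        $error = 'comment_id_not_found';
 
         $post = self::factory()->post->create_and_get( array(
@@ -242,4 +242,61 @@
 
         $this->assertFalse( is_user_logged_in() );
+        $this->assertWPError( $comment );
+        $this->assertSame( $error, $comment->get_error_code() );
+
+    }
+
+    public function test_submitting_comment_as_logged_in_user_to_inaccessible_private_post_returns_error() {
+
+        $error  = 'comment_id_not_found';
+
+        $author = self::factory()->user->create_and_get( array(
+            'role' => 'author',
+        ) );
+        $user   = self::factory()->user->create_and_get( array(
+            'role' => 'author',
+        ) );
+
+        wp_set_current_user( $user->ID );
+
+        $post = self::factory()->post->create_and_get( array(
+            'post_status' => 'private',
+            'post_author' => $author->ID,
+        ) );
+        $data = array(
+            'comment_post_ID' => $post->ID,
+        );
+        $comment = wp_handle_comment_submission( $data );
+
+        $this->assertFalse( current_user_can( 'read_post', $post->ID ) );
+        $this->assertWPError( $comment );
+        $this->assertSame( $error, $comment->get_error_code() );
+
+    }
+
+    public function test_submitting_comment_to_private_post_with_closed_comments_returns_correct_error() {
+
+        $error  = 'comment_id_not_found';
+
+        $author = self::factory()->user->create_and_get( array(
+            'role' => 'author',
+        ) );
+        $user   = self::factory()->user->create_and_get( array(
+            'role' => 'author',
+        ) );
+
+        wp_set_current_user( $user->ID );
+
+        $post = self::factory()->post->create_and_get( array(
+            'post_status'    => 'private',
+            'post_author'    => $author->ID,
+            'comment_status' => 'closed',
+        ) );
+        $data = array(
+            'comment_post_ID' => $post->ID,
+        );
+        $comment = wp_handle_comment_submission( $data );
+
+        $this->assertFalse( current_user_can( 'read_post', $post->ID ) );
         $this->assertWPError( $comment );
         $this->assertSame( $error, $comment->get_error_code() );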
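Review bot: All three tests in this section assert denial only; nothing in the visible hunks checks that a user who does pass `current_user_can( 'read_post', ... )`, such as the post's own author, still gets a comment back from `wp_handle_comment_submission()`. The access check these tests exercise returns early, so an allow-path test is the guard against that condition being tightened by mistake; one is sketched below, unless the file already has it outside these hunks. In the two new tests the `assertFalse( current_user_can( ... ) )` precondition would read more clearly if it came before the submission call. The last test's closing lines are outside the hunk.

```php
public function test_submitting_comment_to_own_private_post_succeeds() {

    $user = self::factory()->user->create_and_get( array(
        'role' => 'author',
    ) );

    wp_set_current_user( $user->ID );

    $post = self::factory()->post->create_and_get( array(
        'post_status' => 'private',
        'post_author' => $user->ID,
    ) );
    $data = array(
        'comment_post_ID' => $post->ID,
        'comment'         => 'Comment',
    );

    // Precondition: the author can read their own private post.
    $this->assertTrue( current_user_can( 'read_post', $post->ID ) );

    $comment = wp_handle_comment_submission( $data );

    $this->assertFalse( is_wp_error( $comment ) );

}
```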