Changeset 38738


Timestamp:
10/06/16 15:50:55 (14 months ago)
Author:
rachelbaker
Message:

Comments: Improve check for previous comments for authenticated users in check_comment().

When the 'comment_whitelist' option is enabled and the commenter is an authenticated user, query for the existence of an approved comment with a matching user_id. This allows authenticated users who have changed their email address to bypass having their comment held for moderation.

Props voldemortensen, rachelbaker.
Fixes #28603.

Location:
trunk
Files:
2 edited

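--- a/trunk/src/wp-includes/comment.php
+++ b/trunk/src/wp-includes/comment.php
@@ -111,6 +111,11 @@
     if ( 1 == get_option('comment_whitelist')) {
         if ( 'trackback' != $comment_type && 'pingback' != $comment_type && $author != '' && $email != '' ) {
-            // expected_slashed ($author, $email)
-            $ok_to_comment = $wpdb->get_var("SELECT comment_approved FROM $wpdb->comments WHERE comment_author = '$author' AND comment_author_email = '$email' and comment_approved = '1' LIMIT 1");
+            $comment_user = get_user_by( 'email', wp_unslash( $email ) );
+            if ( ! empty( $comment_user->ID ) ) {
+                $ok_to_comment = $wpdb->get_var( $wpdb->prepare( "SELECT comment_approved FROM $wpdb->comments WHERE user_id = %d AND comment_approved = '1' LIMIT 1", $comment_user->ID ) );
+            } else {
+                // expected_slashed ($author, $email)
+                $ok_to_comment = $wpdb->get_var( $wpdb->prepare( "SELECT comment_approved FROM $wpdb->comments WHERE comment_author = %s AND comment_author_email = %s and comment_approved = '1' LIMIT 1", $author, $email ) );
+            }
             if ( ( 1 == $ok_to_comment ) &&
                 ( empty($mod_keys) || false === strpos( $email, $mod_keys) ) )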
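Review bot: The new `get_user_by( 'email', wp_unslash( $email ) )` branch keys the whitelist bypass on the submitted email alone, whereas the fallback branch still requires both `comment_author` and `comment_author_email` to match, so for any email that belongs to a registered account the author-name match is no longer required. The commit message describes this as a check for authenticated users, but nothing in the hunk ties `$comment_user` to the currently logged-in commenter; the user is resolved purely from the form-supplied email. If check_comment() has the commenter's user id available (its signature is outside this hunk), prefer resolving the user from that rather than from `$email`; otherwise add a comment above the lookup making the weaker contract explicit, e.g. `// Note: resolves the account by the submitted email, not by the session; any approved comment under that account satisfies the whitelist.` The enclosing function starts and ends outside the hunk.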
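--- a/trunk/tests/phpunit/tests/comment/checkComment.php
+++ b/trunk/tests/phpunit/tests/comment/checkComment.php
@@ -128,3 +128,46 @@
         $this->assertTrue( $results );
     }
+
+    /**
+     * @ticket 28603
+     */
+    public function test_should_return_true_when_comment_whitelist_is_enabled_and_user_has_previously_approved_comments_with_different_email() {
+        $subscriber_id = $this->factory()->user->create( array(
+            'role' => 'subscriber',
+            'email' => 'sub@example.com',
+        ) );
+
+        // Make sure comment author has an approved comment.
+        $this->factory->comment->create( array( 'user_id' => $subscriber_id, 'comment_approved' => '1', 'comment_author' => 'foo', 'comment_author_email' => 'sub@example.com' ) );
+
+        $subscriber_user = new WP_User( $subscriber_id );
+        $subscriber_user->user_email = 'newsub@example.com';
+
+        wp_update_user( $subscriber_user );
+
+        update_option( 'comment_whitelist', 1 );
+
+        $results = check_comment( 'foo', 'newsub@example.com', 'http://example.com', 'This is a comment.', '66.155.40.249', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0', 'comment', 4 );
+        $this->assertTrue( $results );
+    }
+
+    /**
+     * @ticket 28603
+     */
+    public function test_should_return_false_when_comment_whitelist_is_enabled_and_user_does_not_have_a_previously_approved_comment_with_any_email() {
+        $subscriber_id = $this->factory()->user->create( array(
+            'role' => 'subscriber',
+            'email' => 'zig@example.com',
+        ) );
+
+        $subscriber_user = new WP_User( $subscriber_id );
+        $subscriber_user->user_email = 'zag@example.com';
+
+        wp_update_user( $subscriber_user );
+
+        update_option( 'comment_whitelist', 1 );
+
+        $results = check_comment( 'bar', 'zag@example.com', 'http://example.com', 'This is my first comment.', '66.155.40.249', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0', 'comment', 4 );
+        $this->assertFalse( $results );
+    }
 }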
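Review bot: `$this->factory()->user->create(...)` at new line 135 and `$this->factory->comment->create(...)` at line 141 reach the test factory two different ways; use the method form for both, `$this->factory()->comment->create( array( ... ) );`, which also matches line 158. The two tests cover the changed-email case and the no-history case but not the new distinction the user_id branch introduces: a comment whose email belongs to a registered user with an approved comment but whose author name differs from that history, which the user_id query accepts while the author+email fallback would not; a test asserting the intended outcome there would pin that behaviour rather than leave it implied. Both check_comment() calls pass a trailing `4` that the assertions do not depend on; if check_comment() takes only seven parameters (its signature is not on this page) that argument is silently ignored and should be dropped so the call does not suggest a parameter that does not exist.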