Make WordPress Core


Timestamp:
10/06/2016 03:50:55 PM (8 years ago)
Author:
rachelbaker
Message:

Comments: Improve check for previous comments for authenticated users in check_comment().

When the 'comment_whitelist' option is enabled and the commenter is an authenticated user, query for the existence of an approved comment with a matching user_id. This allows authenticated users that have changed their email address to bypass having their comment held for moderation.

Props voldemortensen, rachelbaker.
Fixes #28603.

File:
1 edited

  • trunk/src/wp-includes/comment.php

    r38674 r38738  
    111111    if ( 1 == get_option('comment_whitelist')) {
    112112        if ( 'trackback' != $comment_type && 'pingback' != $comment_type && $author != '' && $email != '' ) {
    113             // expected_slashed ($author, $email)
    114             $ok_to_comment = $wpdb->get_var("SELECT comment_approved FROM $wpdb->comments WHERE comment_author = '$author' AND comment_author_email = '$email' and comment_approved = '1' LIMIT 1");
     113            $comment_user = get_user_by( 'email', wp_unslash( $email ) );
     114            if ( ! empty( $comment_user->ID ) ) {
     115                $ok_to_comment = $wpdb->get_var( $wpdb->prepare( "SELECT comment_approved FROM $wpdb->comments WHERE user_id = %d AND comment_approved = '1' LIMIT 1", $comment_user->ID ) );
     116            } else {
     117                // expected_slashed ($author, $email)
     118                $ok_to_comment = $wpdb->get_var( $wpdb->prepare( "SELECT comment_approved FROM $wpdb->comments WHERE comment_author = %s AND comment_author_email = %s and comment_approved = '1' LIMIT 1", $author, $email ) );
     119            }
    115120            if ( ( 1 == $ok_to_comment ) &&
    116121                ( empty($mod_keys) || false === strpos( $email, $mod_keys) ) )
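Review bot: the new branch at lines 113-115 keys the lookup off the submitted `$email` (`$comment_user = get_user_by( 'email', wp_unslash( $email ) );`) rather than off the logged-in user, so nothing in this hunk establishes that the commenter is actually authenticated as that account, even though the commit message scopes the change to "authenticated users"; any submission whose email field resolves to a registered user with one approved comment takes the user_id path, and it no longer has to match comment_author as the old query did. Tie the branch to the session instead: only take the user_id path when is_user_logged_in() and the current user's ID (or email) matches, and fall back to the author/email query otherwise. Separately, the retained `// expected_slashed ($author, $email)` comment at line 117 contradicts the query under it: `$author` and `$email` are still slashed when passed to `$wpdb->prepare()`, which escapes them again, so an author name or email containing a quote or backslash will not match the stored (unslashed) comment and will be held for moderation; pass `wp_unslash( $author )` and `wp_unslash( $email )` as line 113 already does for the user lookup.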