WordPress.org

Make WordPress Core

Changeset 39288


Ignore:
Timestamp:
11/18/2016 04:55:03 PM (18 months ago)
Author:
rachelbaker
Message:

REST API: On comment create, return an error if the post parameter does not relate to a valid WP_Post object.

Return a WP_Error object for attempts to create a comment without an empty or invalid post ID.

Props dd32, jnylen0, rachelbaker.
Fixes #38816.

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php

    r39287 r39288  
    386386        }
    387387
    388         if ( empty( $request['post'] ) && ! current_user_can( 'moderate_comments' ) ) {
    389             return new WP_Error( 'rest_comment_invalid_post_id', __( 'Sorry, you are not allowed to create this comment without a post.' ), array( 'status' => rest_authorization_required_code() ) );
    390         }
    391 
    392         if ( ! empty( $request['post'] ) && $post = get_post( (int) $request['post'] ) ) {
    393             if ( 'draft' === $post->post_status ) {
    394                 return new WP_Error( 'rest_comment_draft_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) );
    395             }
    396 
    397             if ( 'trash' === $post->post_status ) {
    398                 return new WP_Error( 'rest_comment_trash_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) );
    399             }
    400 
    401             if ( ! $this->check_read_post_permission( $post ) ) {
    402                 return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) );
    403             }
    404 
    405             if ( ! comments_open( $post->ID ) ) {
    406                 return new WP_Error( 'rest_comment_closed', __( 'Sorry, comments are closed on this post.' ), array( 'status' => 403 ) );
    407             }
     388        if ( empty( $request['post'] ) ) {
     389            return new WP_Error( 'rest_comment_invalid_post_id', __( 'Sorry, you are not allowed to create this comment without a post.' ), array( 'status' => 403 ) );
     390        }
     391
     392        $post = get_post( (int) $request['post'] );
     393        if ( ! $post ) {
     394            return new WP_Error( 'rest_comment_invalid_post_id', __( 'Sorry, you are not allowed to create this comment without a post.' ), array( 'status' => 403 ) );
     395        }
     396
     397        if ( 'draft' === $post->post_status ) {
     398            return new WP_Error( 'rest_comment_draft_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) );
     399        }
     400
     401        if ( 'trash' === $post->post_status ) {
     402            return new WP_Error( 'rest_comment_trash_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) );
     403        }
     404
     405        if ( ! $this->check_read_post_permission( $post ) ) {
     406            return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) );
     407        }
     408
     409        if ( ! comments_open( $post->ID ) ) {
     410            return new WP_Error( 'rest_comment_closed', __( 'Sorry, comments are closed on this post.' ), array( 'status' => 403 ) );
    408411        }
    409412
  • trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php

    r39287 r39288  
    13071307
    13081308        $response = $this->server->dispatch( $request );
    1309         $this->assertEquals( 201, $response->get_status() );
     1309
     1310        $this->assertErrorResponse( 'rest_comment_invalid_post_id', $response, 403 );
    13101311    }
    13111312
Note: See TracChangeset for help on using the changeset viewer.