WordPress.org

Make WordPress Core

Changeset 39288


Ignore:
Timestamp:
11/18/16 16:55:03 (9 months ago)
Author:
rachelbaker
Message:

REST API: On comment create, return an error if the post parameter does not relate to a valid WP_Post object.

Return a WP_Error object for attempts to create a comment without an empty or invalid post ID.

Props dd32, jnylen0, rachelbaker.
Fixes #38816.

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php

    r39287 r39288  
    386386        } 
    387387 
    388         if ( empty( $request['post'] ) && ! current_user_can( 'moderate_comments' ) ) { 
    389             return new WP_Error( 'rest_comment_invalid_post_id', __( 'Sorry, you are not allowed to create this comment without a post.' ), array( 'status' => rest_authorization_required_code() ) ); 
    390         } 
    391  
    392         if ( ! empty( $request['post'] ) && $post = get_post( (int) $request['post'] ) ) { 
    393             if ( 'draft' === $post->post_status ) { 
    394                 return new WP_Error( 'rest_comment_draft_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) ); 
    395             } 
    396  
    397             if ( 'trash' === $post->post_status ) { 
    398                 return new WP_Error( 'rest_comment_trash_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) ); 
    399             } 
    400  
    401             if ( ! $this->check_read_post_permission( $post ) ) { 
    402                 return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) ); 
    403             } 
    404  
    405             if ( ! comments_open( $post->ID ) ) { 
    406                 return new WP_Error( 'rest_comment_closed', __( 'Sorry, comments are closed on this post.' ), array( 'status' => 403 ) ); 
    407             } 
     388        if ( empty( $request['post'] ) ) { 
     389            return new WP_Error( 'rest_comment_invalid_post_id', __( 'Sorry, you are not allowed to create this comment without a post.' ), array( 'status' => 403 ) ); 
     390        } 
     391 
     392        $post = get_post( (int) $request['post'] ); 
     393        if ( ! $post ) { 
     394            return new WP_Error( 'rest_comment_invalid_post_id', __( 'Sorry, you are not allowed to create this comment without a post.' ), array( 'status' => 403 ) ); 
     395        } 
     396 
     397        if ( 'draft' === $post->post_status ) { 
     398            return new WP_Error( 'rest_comment_draft_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) ); 
     399        } 
     400 
     401        if ( 'trash' === $post->post_status ) { 
     402            return new WP_Error( 'rest_comment_trash_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) ); 
     403        } 
     404 
     405        if ( ! $this->check_read_post_permission( $post ) ) { 
     406            return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) ); 
     407        } 
     408 
     409        if ( ! comments_open( $post->ID ) ) { 
     410            return new WP_Error( 'rest_comment_closed', __( 'Sorry, comments are closed on this post.' ), array( 'status' => 403 ) ); 
    408411        } 
    409412 
  • trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php

    r39287 r39288  
    13071307 
    13081308        $response = $this->server->dispatch( $request ); 
    1309         $this->assertEquals( 201, $response->get_status() ); 
     1309 
     1310        $this->assertErrorResponse( 'rest_comment_invalid_post_id', $response, 403 ); 
    13101311    } 
    13111312 
Note: See TracChangeset for help on using the changeset viewer.