Changeset 39302
trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
r39298 r39302 372 372 } 373 373 374 // Limit who can set comment `author` or `status` to anything other than the default.374 // Limit who can set comment `author`, `author_ip` or `status` to anything other than the default. 375 375 if ( isset( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( 'moderate_comments' ) ) { 376 376 /* translators: %s: request parameter */ 377 377 return new WP_Error( 'rest_comment_invalid_author', sprintf( __( "Sorry, you are not allowed to edit '%s' for comments." ), 'author' ), array( 'status' => rest_authorization_required_code() ) ); 378 } 379 380 if ( isset( $request['author_ip'] ) && ! current_user_can( 'moderate_comments' ) ) { 381 if ( empty( $_SERVER['REMOTE_ADDR'] ) || $request['author_ip'] !== $_SERVER['REMOTE_ADDR'] ) { 382 return new WP_Error( 'rest_comment_invalid_author_ip', __( 'Sorry, you are not allowed to set author_ip for comments.' ), array( 'status' => rest_authorization_required_code() ) ); 383 } 378 384 } 379 385 … … 1042 1048 } 1043 1049 1044 if ( isset( $request['author_ip'] ) ) {1050 if ( isset( $request['author_ip'] ) && current_user_can( 'moderate_comments' ) ) { 1045 1051 $prepared_comment['comment_author_IP'] = $request['author_ip']; 1052 } elseif ( ! empty( $_SERVER['REMOTE_ADDR'] ) && rest_is_ip_address( $_SERVER['REMOTE_ADDR'] ) ) { 1053 $prepared_comment['comment_author_IP'] = $_SERVER['REMOTE_ADDR']; 1054 } else { 1055 $prepared_comment['comment_author_IP'] = '127.0.0.1'; 1046 1056 } 1047 1057 … … 1120 1130 'format' => 'ip', 1121 1131 'context' => array( 'edit' ), 1122 'default' => '127.0.0.1',1123 1132 ), 1124 1133 'author_name' => array( -
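Review bot: The final `else` branch in the prepare hunk (new line 1055) stores `'127.0.0.1'` as `comment_author_IP` whenever `REMOTE_ADDR` is missing or fails `rest_is_ip_address()`, so a comment whose source address could not be established is recorded as if it came from localhost, which hides that fact from moderation and spam tooling instead of surfacing it. Consider storing an empty string there, `$prepared_comment['comment_author_IP'] = '';`, or at minimum labelling the placeholder with a comment such as `// No usable REMOTE_ADDR (e.g. non-HTTP invocation); loopback is a placeholder, not an observed client address.` The permission hunk at new lines 380-383 is sound in that it compares the supplied `author_ip` to `REMOTE_ADDR` with `!==` and falls back to rejecting when `REMOTE_ADDR` is empty, but note it does not apply `rest_is_ip_address()` to `REMOTE_ADDR` the way the prepare hunk does, and two textual spellings of the same IPv6 address would be rejected as a mismatch. Both enclosing methods start and end outside their hunks.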
trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
r39295 r39302 7 7 */ 8 8 9 10 11 9 /** 10 * @group restapi 11 */ 12 12 class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase { 13 13 protected static $superadmin_id; … … 1308 1308 } 1309 1309 1310 public function test_create_comment_author_ip() { 1311 wp_set_current_user( self::$admin_id ); 1312 1313 $params = array( 1314 'post' => self::$post_id, 1315 'author_name' => 'Comic Book Guy', 1316 'author_email' => 'cbg@androidsdungeon.com', 1317 'author_url' => 'http://androidsdungeon.com', 1318 'author_ip' => '127.0.0.3', 1319 'content' => 'Worst Comment Ever!', 1320 'status' => 'approved', 1321 ); 1322 $request = new WP_REST_Request( 'POST', '/wp/v2/comments' ); 1323 $request->add_header( 'content-type', 'application/json' ); 1324 $request->set_body( wp_json_encode( $params ) ); 1325 $response = $this->server->dispatch( $request ); 1326 $data = $response->get_data(); 1327 $new_comment = get_comment( $data['id'] ); 1328 $this->assertEquals( '127.0.0.3', $new_comment->comment_author_IP ); 1329 } 1330 1310 1331 public function test_create_comment_invalid_author_IP() { 1311 1332 wp_set_current_user( self::$admin_id ); 1312 1333 1313 1334 $params = array( 1335 'post' => self::$post_id, 1314 1336 'author_name' => 'Comic Book Guy', 1315 1337 'author_email' => 'cbg@androidsdungeon.com', … … 1324 1346 1325 1347 $response = $this->server->dispatch( $request ); 1326 1327 1348 $this->assertErrorResponse( 'rest_invalid_param', $response, 400 ); 1349 } 1350 1351 public function test_create_comment_author_ip_no_permission() { 1352 $params = array( 1353 'author_name' => 'Comic Book Guy', 1354 'author_email' => 'cbg@androidsdungeon.com', 1355 'author_url' => 'http://androidsdungeon.com', 1356 'author_ip' => '10.0.10.1', 1357 'content' => 'Worst Comment Ever!', 1358 'status' => 'approved', 1359 ); 1360 $request = new WP_REST_Request( 'POST', '/wp/v2/comments' ); 1361 $request->add_header( 'content-type', 'application/json' ); 1362 $request->set_body( 
wp_json_encode( $params ) ); 1363 $response = $this->server->dispatch( $request ); 1364 $this->assertErrorResponse( 'rest_comment_invalid_author_ip', $response, 401 ); 1365 } 1366 1367 public function test_create_comment_author_ip_defaults_to_remote_addr() { 1368 $_SERVER['REMOTE_ADDR'] = '127.0.0.2'; 1369 $params = array( 1370 'post' => self::$post_id, 1371 'author_name' => 'Comic Book Guy', 1372 'author_email' => 'cbg@androidsdungeon.com', 1373 'author_url' => 'http://androidsdungeon.com', 1374 'content' => 'Worst Comment Ever!', 1375 ); 1376 $request = new WP_REST_Request( 'POST', '/wp/v2/comments' ); 1377 $request->add_header( 'content-type', 'application/json' ); 1378 $request->set_body( wp_json_encode( $params ) ); 1379 $response = $this->server->dispatch( $request ); 1380 $data = $response->get_data(); 1381 $new_comment = get_comment( $data['id'] ); 1382 $this->assertEquals( '127.0.0.2', $new_comment->comment_author_IP ); 1328 1383 } 1329 1384 … … 2269 2324 $this->assertArrayHasKey( 'status', $properties ); 2270 2325 $this->assertArrayHasKey( 'type', $properties ); 2271 2272 $this->assertEquals( '127.0.0.1', $properties['author_ip']['default'] );2273 2274 2326 $this->assertEquals( 'comment', $properties['type']['default'] ); 2275 2327
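Review bot: `test_create_comment_author_ip_defaults_to_remote_addr` assigns `$_SERVER['REMOTE_ADDR'] = '127.0.0.2'` and never restores it, so the value leaks into every later test in the process and changes which branch of the controller's `REMOTE_ADDR` checks they exercise. Save the prior value before the assignment, e.g. `$orig_remote_addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : null;`, and restore or unset it at the end of the test (or in tearDown). Relatedly, `test_create_comment_author_ip_no_permission` does not set `REMOTE_ADDR` at all, so it appears to cover only the empty-`REMOTE_ADDR` path of the 401 check and not the case where a non-moderator supplies an address that differs from a present `REMOTE_ADDR`; a second case with `REMOTE_ADDR` set to a different address would close that gap. That test also omits the `'post'` parameter that its sibling tests pass, which looks accidental and may make the 401 mask a different failure if parameter validation runs first.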