Make WordPress Core

Changeset 39302


Ignore:
Timestamp:
11/18/2016 09:12:03 PM (8 years ago)
Author:
rachelbaker
Message:

REST API: On Comment create, limit the ability to set the author_ip value directly.

Users without the moderate_comments capability can no longer set the author_ip property directly, and instead receive a WP_Error if they attempt to do so. Otherwise, the author_ip property is populated from $_SERVER['REMOTE_ADDR'] if present and a valid IP value. Finally, fallback to 127.0.0.1 as a last resort.

Props dd32, rachelbaker, joehoyle.
Fixes #38819.

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php

    r39298 r39302  
    372372        }
    373373
    374         // Limit who can set comment `author` or `status` to anything other than the default.
     374        // Limit who can set comment `author`, `author_ip` or `status` to anything other than the default.
    375375        if ( isset( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( 'moderate_comments' ) ) {
    376376            /* translators: %s: request parameter */
    377377            return new WP_Error( 'rest_comment_invalid_author', sprintf( __( "Sorry, you are not allowed to edit '%s' for comments." ), 'author' ), array( 'status' => rest_authorization_required_code() ) );
     378        }
     379
     380        if ( isset( $request['author_ip'] ) && ! current_user_can( 'moderate_comments' ) ) {
     381            if ( empty( $_SERVER['REMOTE_ADDR'] ) || $request['author_ip'] !== $_SERVER['REMOTE_ADDR'] ) {
     382                return new WP_Error( 'rest_comment_invalid_author_ip', __( 'Sorry, you are not allowed to set author_ip for comments.' ), array( 'status' => rest_authorization_required_code() ) );
     383            }
    378384        }
    379385
     
    10421048        }
    10431049
    1044         if ( isset( $request['author_ip'] ) ) {
     1050        if ( isset( $request['author_ip'] ) && current_user_can( 'moderate_comments' ) ) {
    10451051            $prepared_comment['comment_author_IP'] = $request['author_ip'];
     1052        } elseif ( ! empty( $_SERVER['REMOTE_ADDR'] ) && rest_is_ip_address( $_SERVER['REMOTE_ADDR'] ) ) {
     1053            $prepared_comment['comment_author_IP'] = $_SERVER['REMOTE_ADDR'];
     1054        } else {
     1055            $prepared_comment['comment_author_IP'] = '127.0.0.1';
    10461056        }
    10471057
     
    11201130                    'format'       => 'ip',
    11211131                    'context'      => array( 'edit' ),
    1122                     'default'      => '127.0.0.1',
    11231132                ),
    11241133                'author_name'     => array(
  • trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php

    r39295 r39302  
    77 */
    88
    9  /**
    10   * @group restapi
    11   */
     9/**
     10 * @group restapi
     11 */
    1212class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase {
    1313    protected static $superadmin_id;
     
    13081308    }
    13091309
     1310    public function test_create_comment_author_ip() {
     1311        wp_set_current_user( self::$admin_id );
     1312
     1313        $params = array(
     1314            'post'         => self::$post_id,
     1315            'author_name'  => 'Comic Book Guy',
     1316            'author_email' => 'cbg@androidsdungeon.com',
     1317            'author_url'   => 'http://androidsdungeon.com',
     1318            'author_ip'    => '127.0.0.3',
     1319            'content'      => 'Worst Comment Ever!',
     1320            'status'       => 'approved',
     1321        );
     1322        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
     1323        $request->add_header( 'content-type', 'application/json' );
     1324        $request->set_body( wp_json_encode( $params ) );
     1325        $response = $this->server->dispatch( $request );
     1326        $data = $response->get_data();
     1327        $new_comment = get_comment( $data['id'] );
     1328        $this->assertEquals( '127.0.0.3', $new_comment->comment_author_IP );
     1329    }
     1330
    13101331    public function test_create_comment_invalid_author_IP() {
    13111332        wp_set_current_user( self::$admin_id );
    13121333
    13131334        $params = array(
     1335            'post'         => self::$post_id,
    13141336            'author_name'  => 'Comic Book Guy',
    13151337            'author_email' => 'cbg@androidsdungeon.com',
     
    13241346
    13251347        $response = $this->server->dispatch( $request );
    1326 
    13271348        $this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
     1349    }
     1350
     1351    public function test_create_comment_author_ip_no_permission() {
     1352        $params = array(
     1353            'author_name'  => 'Comic Book Guy',
     1354            'author_email' => 'cbg@androidsdungeon.com',
     1355            'author_url'   => 'http://androidsdungeon.com',
     1356            'author_ip'    => '10.0.10.1',
     1357            'content'      => 'Worst Comment Ever!',
     1358            'status'       => 'approved',
     1359        );
     1360        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
     1361        $request->add_header( 'content-type', 'application/json' );
     1362        $request->set_body( wp_json_encode( $params ) );
     1363        $response = $this->server->dispatch( $request );
     1364        $this->assertErrorResponse( 'rest_comment_invalid_author_ip', $response, 401 );
     1365    }
     1366
     1367    public function test_create_comment_author_ip_defaults_to_remote_addr() {
     1368        $_SERVER['REMOTE_ADDR'] = '127.0.0.2';
     1369        $params = array(
     1370            'post'         => self::$post_id,
     1371            'author_name'  => 'Comic Book Guy',
     1372            'author_email' => 'cbg@androidsdungeon.com',
     1373            'author_url'   => 'http://androidsdungeon.com',
     1374            'content'      => 'Worst Comment Ever!',
     1375        );
     1376        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
     1377        $request->add_header( 'content-type', 'application/json' );
     1378        $request->set_body( wp_json_encode( $params ) );
     1379        $response = $this->server->dispatch( $request );
     1380        $data = $response->get_data();
     1381        $new_comment = get_comment( $data['id'] );
     1382        $this->assertEquals( '127.0.0.2', $new_comment->comment_author_IP );
    13281383    }
    13291384
     
    22692324        $this->assertArrayHasKey( 'status', $properties );
    22702325        $this->assertArrayHasKey( 'type', $properties );
    2271 
    2272         $this->assertEquals( '127.0.0.1', $properties['author_ip']['default'] );
    2273 
    22742326        $this->assertEquals( 'comment', $properties['type']['default'] );
    22752327
Note: See TracChangeset for help on using the changeset viewer.