

Timestamp:
11/18/2016 09:12:03 PM (8 years ago)
Author:
rachelbaker
Message:

REST API: On Comment create, limit the ability to set the author_ip value directly.

Users without the moderate_comments capability can no longer set the author_ip property directly, and instead receive a WP_Error if they attempt to do so. Otherwise, the author_ip property is populated from $_SERVER['REMOTE_ADDR'] if it is present and a valid IP value. Finally, it falls back to 127.0.0.1 as a last resort.

Props dd32, rachelbaker, joehoyle.
Fixes #38819.

File:
1 edited

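--- a/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -7,7 +7,7 @@
  */
 
- /**
-  * @group restapi
-  */
+/**
+ * @group restapi
+ */
 class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase {
     protected static $superadmin_id;
@@ -1308,8 +1308,30 @@
     }
 
+    public function test_create_comment_author_ip() {
+        wp_set_current_user( self::$admin_id );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Comic Book Guy',
+            'author_email' => 'cbg@androidsdungeon.com',
+            'author_url'   => 'http://androidsdungeon.com',
+            'author_ip'    => '127.0.0.3',
+            'content'      => 'Worst Comment Ever!',
+            'status'       => 'approved',
+        );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+        $response = $this->server->dispatch( $request );
+        $data = $response->get_data();
+        $new_comment = get_comment( $data['id'] );
+        $this->assertEquals( '127.0.0.3', $new_comment->comment_author_IP );
+    }
+
     public function test_create_comment_invalid_author_IP() {
         wp_set_current_user( self::$admin_id );
 
         $params = array(
+            'post'         => self::$post_id,
             'author_name'  => 'Comic Book Guy',
             'author_email' => 'cbg@androidsdungeon.com',
@@ -1324,6 +1346,39 @@
 
         $response = $this->server->dispatch( $request );
-
         $this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+    }
+
+    public function test_create_comment_author_ip_no_permission() {
+        $params = array(
+            'author_name'  => 'Comic Book Guy',
+            'author_email' => 'cbg@androidsdungeon.com',
+            'author_url'   => 'http://androidsdungeon.com',
+            'author_ip'    => '10.0.10.1',
+            'content'      => 'Worst Comment Ever!',
+            'status'       => 'approved',
+        );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_comment_invalid_author_ip', $response, 401 );
+    }
+
+    public function test_create_comment_author_ip_defaults_to_remote_addr() {
+        $_SERVER['REMOTE_ADDR'] = '127.0.0.2';
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Comic Book Guy',
+            'author_email' => 'cbg@androidsdungeon.com',
+            'author_url'   => 'http://androidsdungeon.com',
+            'content'      => 'Worst Comment Ever!',
+        );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+        $response = $this->server->dispatch( $request );
+        $data = $response->get_data();
+        $new_comment = get_comment( $data['id'] );
+        $this->assertEquals( '127.0.0.2', $new_comment->comment_author_IP );
     }
 
@@ -2269,7 +2324,4 @@
         $this->assertArrayHasKey( 'status', $properties );
         $this->assertArrayHasKey( 'type', $properties );
-
-        $this->assertEquals( '127.0.0.1', $properties['author_ip']['default'] );
-
         $this->assertEquals( 'comment', $properties['type']['default'] );
 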
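Review bot: `test_create_comment_author_ip_defaults_to_remote_addr()` overwrites `$_SERVER['REMOTE_ADDR']` with `'127.0.0.2'` and never restores it, so the spoofed client address leaks into every test that runs after it in the same process; capture the previous value first (`$orig_remote_addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : null;`) and put it back in the fixture's `tearDown()` so a failing assertion cannot skip the restore. The same test (and `test_create_comment_author_ip()`) reads `$data['id']` without first checking that creation succeeded, so a regression surfaces as an undefined-index notice rather than a clear failure; add `$this->assertEquals( 201, $response->get_status() );` before `get_data()`. `test_create_comment_author_ip_no_permission()` omits the `'post'` parameter the other new tests send, so its 401 assertion depends on the author_ip capability check running before post validation rather than on the check alone; adding `'post' => self::$post_id,` isolates what the test is meant to prove. The commit message describes a last-resort fallback to `127.0.0.1` when `REMOTE_ADDR` is absent or not a valid IP, but no test in this change exercises that path, unless it lives elsewhere in the file.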