Changeset 39327


Ignore:
Timestamp:
11/21/2016 05:31:07 AM (18 months ago)
Author:
rmccue
Message:

REST API: Disable anonymous commenting by default.

Adding a brand new anonymous comment method is a potential conduit for spam. Since it's still useful functionality, we're now hiding it behind a filter to allow plugins and themes to turn it on if they do want it.

Props helen, rachelbaker, joehoyle.
Fixes #38855.

Location:
trunk
Files:
2 edited

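--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -367,7 +367,25 @@
      */
     public function create_item_permissions_check( $request ) {
-
-        if ( ! is_user_logged_in() && get_option( 'comment_registration' ) ) {
-            return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) );
+        if ( ! is_user_logged_in() ) {
+            if ( get_option( 'comment_registration' ) ) {
+                return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) );
+            }
+
+            /**
+             * Filter whether comments can be created without authentication.
+             *
+             * Enables creating comments for anonymous users.
+             *
+             * @since 4.7.0
+             *
+             * @param bool $allow_anonymous Whether to allow anonymous comments to
+             *                              be created. Default `false`.
+             * @param WP_REST_Request $request Request used to generate the
+             *                                 response.
+             */
+            $allow_anonymous = apply_filters( 'rest_allow_anonymous_comments', false, $request );
+            if ( false === $allow_anonymous ) {
+                return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) );
+            }
         }
 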
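Review bot: The new gate `if ( false === $allow_anonymous )` fails open: any filter callback that returns something other than boolean `false` — `null` from a callback with no return statement, `0`, or an empty string — enables anonymous comment creation, the opposite of the default-deny the commit message asks for. Since this is an access-control switch, compare against the value that grants access instead, `if ( true !== $allow_anonymous ) {`, so only an explicit `true` opens the endpoint, and adjust the `@param bool $allow_anonymous` docblock line to say that only `true` enables anonymous comments. `create_item_permissions_check` continues past the end of this hunk, so any later checks on the anonymous path are not visible here.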
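--- a/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -801,5 +801,5 @@
 
     public function test_get_comment_not_approved_same_user() {
-        wp_set_current_user( self::$subscriber_id );
+        wp_set_current_user( self::$admin_id );
 
         $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/comments/%d', self::$hold_id ) );
@@ -843,5 +843,5 @@
 
     public function test_get_comment_with_password_without_edit_post_permission() {
-        wp_set_current_user( 0 );
+        wp_set_current_user( self::$subscriber_id );
         $args = array(
             'comment_approved' => 1,
@@ -851,9 +851,9 @@
         $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/comments/%s', $password_comment ) );
         $response = $this->server->dispatch( $request );
-        $this->assertErrorResponse( 'rest_cannot_read', $response, 401 );
+        $this->assertErrorResponse( 'rest_cannot_read', $response, 403 );
     }
 
     public function test_create_item() {
-        wp_set_current_user( 0 );
+        wp_set_current_user( self::$admin_id );
 
         $params = array(
@@ -874,5 +874,5 @@
 
         $data = $response->get_data();
-        $this->check_comment_data( $data, 'view', $response->get_links() );
+        $this->check_comment_data( $data, 'edit', $response->get_links() );
         $this->assertEquals( 'hold', $data['status'] );
         $this->assertEquals( '2014-11-07T10:14:25', $data['date'] );
@@ -881,5 +881,5 @@
 
     public function test_create_item_using_accepted_content_raw_value() {
-        wp_set_current_user( 0 );
+        wp_set_current_user( self::$admin_id );
 
         $params = array(
@@ -906,4 +906,5 @@
 
     public function test_create_comment_missing_required_author_name_and_email_per_option_value() {
+        add_filter( 'rest_allow_anonymous_comments', '__return_true' );
         update_option( 'require_name_email', 1 );
 
@@ -918,4 +919,5 @@
 
         $response = $this->server->dispatch( $request );
+
         $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
 
@@ -924,4 +926,5 @@
 
     public function test_create_comment_missing_required_author_name_per_option_value() {
+        wp_set_current_user( self::$admin_id );
         update_option( 'require_name_email', 1 );
 
@@ -943,4 +946,5 @@
 
     public function test_create_comment_missing_required_author_email_per_option_value() {
+        wp_set_current_user( self::$admin_id );
         update_option( 'require_name_email', 1 );
 
@@ -962,5 +966,5 @@
 
     public function test_create_comment_author_email_too_short() {
-        wp_set_current_user( 0 );
+        wp_set_current_user( self::$admin_id );
 
         $params = array(
@@ -983,5 +987,5 @@
 
     public function test_create_item_invalid_no_content() {
-        wp_set_current_user( 0 );
+        wp_set_current_user( self::$admin_id );
 
         $params = array(
@@ -1006,5 +1010,5 @@
 
     public function test_create_item_invalid_date() {
-        wp_set_current_user( 0 );
+        wp_set_current_user( self::$admin_id );
 
         $params = array(
@@ -1350,4 +1354,5 @@
 
     public function test_create_comment_author_ip_no_permission() {
+        wp_set_current_user( self::$subscriber_id );
         $params = array(
             'author_name'  => 'Comic Book Guy',
@@ -1362,8 +1367,9 @@
         $request->set_body( wp_json_encode( $params ) );
         $response = $this->server->dispatch( $request );
-        $this->assertErrorResponse( 'rest_comment_invalid_author_ip', $response, 401 );
+        $this->assertErrorResponse( 'rest_comment_invalid_author_ip', $response, 403 );
     }
 
     public function test_create_comment_author_ip_defaults_to_remote_addr() {
+        wp_set_current_user( self::$admin_id );
         $_SERVER['REMOTE_ADDR'] = '127.0.0.2';
         $params = array(
@@ -1501,4 +1507,5 @@
 
     public function test_create_item_duplicate() {
+        wp_set_current_user( self::$subscriber_id );
         $this->factory->comment->create(
             array(
@@ -1509,5 +1516,4 @@
             )
         );
-        wp_set_current_user( 0 );
 
         $params = array(
@@ -1530,5 +1536,5 @@
             'comment_status' => 'closed',
         ));
-        wp_set_current_user( 0 );
+        wp_set_current_user( self::$subscriber_id );
 
         $params = array(
@@ -1547,4 +1553,5 @@
         wp_set_current_user( 0 );
         update_option( 'comment_registration', 1 );
+        add_filter( 'rest_allow_anonymous_comments', '__return_true' );
         $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
         $request->set_param( 'post', self::$post_id );
@@ -1596,5 +1603,5 @@
 
     public function test_create_comment_two_times() {
-        wp_set_current_user( 0 );
+        add_filter( 'rest_allow_anonymous_comments', '__return_true' );
 
         $params = array(
@@ -1633,5 +1640,5 @@
      */
     public function test_create_comment_author_name_too_long() {
-        wp_set_current_user( 0 );
+        wp_set_current_user( self::$subscriber_id );
 
         $params = array(
@@ -1656,5 +1663,5 @@
      */
     public function test_create_comment_author_email_too_long() {
-        wp_set_current_user( 0 );
+        wp_set_current_user( self::$subscriber_id );
 
         $params = array(
@@ -1679,5 +1686,5 @@
      */
     public function test_create_comment_author_url_too_long() {
-        wp_set_current_user( 0 );
+        wp_set_current_user( self::$subscriber_id );
 
         $params = array(
@@ -1702,5 +1709,5 @@
      */
     public function test_create_comment_content_too_long() {
-        wp_set_current_user( 0 );
+        wp_set_current_user( self::$subscriber_id );
 
         $params = array(
@@ -1914,5 +1921,5 @@
 
     public function test_update_comment_invalid_id() {
-        wp_set_current_user( 0 );
+        wp_set_current_user( self::$subscriber_id );
 
         $params = array(
@@ -1928,5 +1935,5 @@
 
     public function test_update_comment_invalid_permission() {
-        wp_set_current_user( 0 );
+        add_filter( 'rest_allow_anonymous_comments', '__return_true' );
 
         $params = array(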
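Review bot: No test in this section pins the new default: an anonymous `POST /wp/v2/comments` with `rest_allow_anonymous_comments` left unfiltered should now fail with `rest_comment_login_required` and 401, yet every hunk that touches the filter either enables it with `__return_true` or moves the test to a logged-in user. Add a test that builds a valid comment payload and then runs `wp_set_current_user( 0 ); $response = $this->server->dispatch( $request ); $this->assertErrorResponse( 'rest_comment_login_required', $response, 401 );` so a regression that re-opens anonymous commenting is caught. In `test_create_comment_two_times` and `test_update_comment_invalid_permission` the `wp_set_current_user( 0 )` line is replaced by the `add_filter` call rather than kept next to it, so those tests now rely on the harness leaving the current user unset; keeping an explicit `wp_set_current_user( 0 );` makes the intended anonymous state unambiguous. The filters registered with `add_filter` here are presumably torn down by the test framework's hook backup between tests — worth confirming, since otherwise they would leak into later tests.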