Timestamp:
11/23/2016 04:14:08 PM (7 years ago)
Author:
joehoyle
Message:

REST API: Add support for comments of password-protected posts.

Core requires the post password to view and create comments on password-protected posts, so we must support a “password” param on the comments endpoint when fetching comments for a specific post and when creating a comment on a password-protected post.

Props flixos90, jnylen0.
Fixes #38692.

File:
1 edited

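--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -70,4 +70,8 @@
                 'args'     => array(
                     'context'          => $this->get_context_param( array( 'default' => 'view' ) ),
+                    'password' => array(
+                        'description' => __( 'The password for the post if it is password protected.' ),
+                        'type'        => 'string',
+                    ),
                 ),
             ),
@@ -88,4 +92,8 @@
                         'description' => __( 'Whether to bypass trash and force deletion.' ),
                     ),
+                    'password' => array(
+                        'description' => __( 'The password for the post if it is password protected.' ),
+                        'type'        => 'string',
+                    ),
                 ),
             ),
@@ -109,5 +117,5 @@
                 $post = get_post( $post_id );
 
-                if ( ! empty( $post_id ) && $post && ! $this->check_read_post_permission( $post ) ) {
+                if ( ! empty( $post_id ) && $post && ! $this->check_read_post_permission( $post, $request ) ) {
                     return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) );
                 } elseif ( 0 === $post_id && ! current_user_can( 'moderate_comments' ) ) {
@@ -243,5 +251,5 @@
 
         foreach ( $query_result as $comment ) {
-            if ( ! $this->check_read_permission( $comment ) ) {
+            if ( ! $this->check_read_permission( $comment, $request ) ) {
                 continue;
             }
@@ -310,16 +318,16 @@
         }
 
-        if ( ! $this->check_read_permission( $comment ) ) {
-            return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to read this comment.' ), array( 'status' => rest_authorization_required_code() ) );
-        }
-
-        $post = get_post( $comment->comment_post_ID );
-
-        if ( $post && ! $this->check_read_post_permission( $post ) ) {
-            return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) );
-        }
-
         if ( ! empty( $request['context'] ) && 'edit' === $request['context'] && ! current_user_can( 'moderate_comments' ) ) {
             return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit comments.' ), array( 'status' => rest_authorization_required_code() ) );
+        }
+
+        $post = get_post( $comment->comment_post_ID );
+
+        if ( ! $this->check_read_permission( $comment, $request ) ) {
+            return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to read this comment.' ), array( 'status' => rest_authorization_required_code() ) );
+        }
+
+        if ( $post && ! $this->check_read_post_permission( $post, $request ) ) {
+            return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) );
         }
 
@@ -434,5 +442,5 @@
         }
 
-        if ( ! $this->check_read_post_permission( $post ) ) {
+        if ( ! $this->check_read_post_permission( $post, $request ) ) {
             return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) );
         }
@@ -1411,4 +1419,9 @@
             'type'              => 'string',
             'validate_callback' => 'rest_validate_request_arg',
+        );
+
+        $query_params['password'] = array(
+            'description' => __( 'The password for the post if it is password protected.' ),
+            'type'        => 'string',
         );
 
@@ -1482,16 +1495,34 @@
      * @access protected
      *
-     * @param WP_Post $post Post Object.
+     * @param WP_Post         $post    Post object.
+     * @param WP_REST_Request $request Request data to check.
      * @return bool Whether post can be read.
      */
-    protected function check_read_post_permission( $post ) {
+    protected function check_read_post_permission( $post, $request ) {
         $posts_controller = new WP_REST_Posts_Controller( $post->post_type );
         $post_type = get_post_type_object( $post->post_type );
 
+        $has_password_filter = false;
+
+        // Only check password if a specific post was queried for or a single comment
+        $requested_post = ! empty( $request['post'] ) && 1 === count( $request['post'] );
+        $requested_comment = ! empty( $request['id'] );
+        if ( ( $requested_post || $requested_comment ) && $posts_controller->can_access_password_content( $post, $request ) ) {
+            add_filter( 'post_password_required', '__return_false' );
+
+            $has_password_filter = true;
+        }
+
         if ( post_password_required( $post ) ) {
-            return current_user_can( $post_type->cap->edit_post, $post->ID );
-        }
-
-        return $posts_controller->check_read_permission( $post );
+            $result = current_user_can( $post_type->cap->edit_post, $post->ID );
+        } else {
+            $result = $posts_controller->check_read_permission( $post );
+        }
+
+        if ( $has_password_filter ) {
+            remove_filter( 'post_password_required', '__return_false' );
+        }
+
+        return $result;
     }
 
@@ -1502,12 +1533,13 @@
      * @access protected
      *
-     * @param WP_Comment $comment Comment object.
+     * @param WP_Comment      $comment Comment object.
+     * @param WP_REST_Request $request Request data to check.
      * @return bool Whether the comment can be read.
      */
-    protected function check_read_permission( $comment ) {
+    protected function check_read_permission( $comment, $request ) {
         if ( ! empty( $comment->comment_post_ID ) ) {
             $post = get_post( $comment->comment_post_ID );
             if ( $post ) {
-                if ( $this->check_read_post_permission( $post ) && 1 === (int) $comment->comment_approved ) {
+                if ( $this->check_read_post_permission( $post, $request ) && 1 === (int) $comment->comment_approved ) {
                     return true;
                 }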
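Review bot: In check_read_post_permission the `add_filter( 'post_password_required', '__return_false' )` / `remove_filter` pair does not restore the prior hook state: WordPress keys a hook entry by callback and priority, so if another caller had already registered `__return_false` on that filter at the default priority, the `add_filter` here replaces that same entry and the trailing `remove_filter` drops it for the rest of the request, silently loosening or tightening password checks elsewhere. Guard the add with `has_filter` so `$has_password_filter` is true only when this method actually added the callback: `if ( false === has_filter( 'post_password_required', '__return_false' ) ) {` wrapping the `add_filter(...)` and the `$has_password_filter = true;` assignment. Separately, `1 === count( $request['post'] )` presumably relies on the `post` query arg being declared as an array elsewhere in the controller; if a scalar can reach this line, `count()` warns on PHP 7 and throws on PHP 8, so an `is_array()` check would be cheap insurance. The docblock should also say when the password is honoured, e.g. `@param WP_REST_Request $request Request data to check; the 'password' arg is applied only when a single post or a single comment is requested.`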