
Changeset 39444


Timestamp:
12/02/16 22:43:03 (11 months ago)
Author:
rachelbaker
Message:

REST API: Fix bug where comment author and author email could be an empty string when creating a comment.

If the require_name_email option is true, creating a comment with an empty string for the author name or email should not be accepted. Both values can be an empty string on update.

Props flixos90, hnle, dd32, rachelbaker, jnylen0, ChopinBach, joehoyle, pento.

Fixes #38971.

Location:
trunk
Files:
2 edited

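--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -509,14 +509,6 @@
         // Honor the discussion setting that requires a name and email address of the comment author.
         if ( get_option( 'require_name_email' ) ) {
-            if ( ! isset( $prepared_comment['comment_author'] ) && ! isset( $prepared_comment['comment_author_email'] ) ) {
+            if ( empty( $prepared_comment['comment_author'] ) || empty( $prepared_comment['comment_author_email'] ) ) {
                 return new WP_Error( 'rest_comment_author_data_required', __( 'Creating a comment requires valid author name and email values.' ), array( 'status' => 400 ) );
-            }
-
-            if ( ! isset( $prepared_comment['comment_author'] ) ) {
-                return new WP_Error( 'rest_comment_author_required', __( 'Creating a comment requires a valid author name.' ), array( 'status' => 400 ) );
-            }
-
-            if ( ! isset( $prepared_comment['comment_author_email'] ) ) {
-                return new WP_Error( 'rest_comment_author_email_required', __( 'Creating a comment requires a valid author email.' ), array( 'status' => 400 ) );
             }
         }
@@ -1156,4 +1148,8 @@
                     'format'       => 'email',
                     'context'      => array( 'edit' ),
+                    'arg_options'  => array(
+                        'sanitize_callback' => array( $this, 'check_comment_author_email' ),
+                        'validate_callback' => null, // skip built-in validation of 'email'.
+                    ),
                 ),
                 'author_ip'     => array(
@@ -1582,3 +1578,32 @@
         return current_user_can( 'edit_comment', $comment->comment_ID );
     }
+
+    /**
+     * Checks a comment author email for validity.
+     *
+     * Accepts either a valid email address or empty string as a valid comment
+     * author email address. Setting the comment author email to an empty
+     * string is allowed when a comment is being updated.
+     *
+     * @since 4.7.0
+     *
+     * @param string          $value   Author email value submitted.
+     * @param WP_REST_Request $request Full details about the request.
+     * @param string          $param   The parameter name.
+     * @return WP_Error|string The sanitized email address, if valid,
+     *                         otherwise an error.
+     */
+    public function check_comment_author_email( $value, $request, $param ) {
+        $email = (string) $value;
+        if ( empty( $email ) ) {
+            return $email;
+        }
+
+        $check_email = rest_validate_request_arg( $email, $request, $param );
+        if ( is_wp_error( $check_email ) ) {
+            return $check_email;
+        }
+
+        return $email;
+    }
 }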
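Review bot: The new `empty()` check at line 511 also rejects the literal string `'0'`, so a comment author named "0" is refused with `rest_comment_author_data_required` even though the option only asks for a non-blank name; an explicit test for the empty string, `if ( ! isset( $prepared_comment['comment_author'] ) || '' === $prepared_comment['comment_author'] || ! isset( $prepared_comment['comment_author_email'] ) || '' === $prepared_comment['comment_author_email'] ) {`, keeps the intent of the commit without that edge. The same `empty()` idiom appears in the new `check_comment_author_email()` in the third hunk with the opposite effect: an `author_email` of `'0'` is returned before `rest_validate_request_arg()` runs, so a value that is not an email address is accepted and stored as one; `if ( '' === $email ) {` closes that gap. Because the new `'validate_callback' => null` entry in the second hunk switches off the schema's built-in email validation, this sanitize callback is now the only place the `format => 'email'` rule is enforced, which is worth stating in that inline comment, e.g. `// Validation is performed by check_comment_author_email() so that an empty string is accepted.`. The enclosing create_item() method starts and ends outside the first hunk.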
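--- a/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -96,8 +96,4 @@
             update_site_option( 'site_admins', array( 'superadmin' ) );
         }
-    }
-
-    public function tearDown() {
-        parent::tearDown();
     }
 
@@ -988,26 +984,6 @@
     }
 
-    public function test_create_comment_missing_required_author_name_and_email_per_option_value() {
+    public function test_create_comment_missing_required_author_name() {
         add_filter( 'rest_allow_anonymous_comments', '__return_true' );
-        update_option( 'require_name_email', 1 );
-
-        $params = array(
-            'post'    => self::$post_id,
-            'content' => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
-        );
-
-        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
-        $request->add_header( 'content-type', 'application/json' );
-        $request->set_body( wp_json_encode( $params ) );
-
-        $response = $this->server->dispatch( $request );
-
-        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
-
-        update_option( 'require_name_email', 0 );
-    }
-
-    public function test_create_comment_missing_required_author_name_per_option_value() {
-        wp_set_current_user( self::$admin_id );
         update_option( 'require_name_email', 1 );
 
@@ -1023,10 +999,29 @@
 
         $response = $this->server->dispatch( $request );
-        $this->assertErrorResponse( 'rest_comment_author_required', $response, 400 );
-
-        update_option( 'require_name_email', 0 );
-    }
-
-    public function test_create_comment_missing_required_author_email_per_option_value() {
+
+        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
+    }
+
+    public function test_create_comment_empty_required_author_name() {
+        add_filter( 'rest_allow_anonymous_comments', '__return_true' );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'author_name'  => '',
+            'author_email' => 'ekrabappel@springfield-elementary.edu',
+            'post'         => self::$post_id,
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
+    }
+
+    public function test_create_comment_missing_required_author_email() {
         wp_set_current_user( self::$admin_id );
         update_option( 'require_name_email', 1 );
@@ -1043,7 +1038,24 @@
 
         $response = $this->server->dispatch( $request );
-        $this->assertErrorResponse( 'rest_comment_author_email_required', $response, 400 );
-
-        update_option( 'require_name_email', 0 );
+        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
+    }
+
+    public function test_create_comment_empty_required_author_email() {
+        wp_set_current_user( self::$admin_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Edna Krabappel',
+            'author_email' => '',
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
     }
 
@@ -1991,4 +2003,98 @@
         $this->assertEquals( $params['date_gmt'], $comment['date_gmt'] );
         $this->assertEquals( $params['date_gmt'], mysql_to_rfc3339( $updated->comment_date_gmt ) );
+    }
+
+    public function test_update_comment_author_email_only() {
+        wp_set_current_user( self::$editor_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_email' => 'ekrabappel@springfield-elementary.edu',
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_update_comment_empty_author_name() {
+        wp_set_current_user( self::$editor_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'author_name'  => '',
+            'author_email' => 'ekrabappel@springfield-elementary.edu',
+            'post'         => self::$post_id,
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_update_comment_author_name_only() {
+        wp_set_current_user( self::$admin_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'post'        => self::$post_id,
+            'author_name' => 'Edna Krabappel',
+            'content'     => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_update_comment_empty_author_email() {
+        wp_set_current_user( self::$admin_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Edna Krabappel',
+            'author_email' => '',
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_update_comment_author_email_too_short() {
+        wp_set_current_user( self::$admin_id );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Homer J. Simpson',
+            'author_email' => 'a@b',
+            'content'      => 'in this house, we obey the laws of thermodynamics!',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+        $data = $response->get_data();
+        $this->assertArrayHasKey( 'author_email', $data['data']['params'] );
     }
 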
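Review bot: The new create-path tests cover a missing and an empty author name and email, but none pins the boundary the controller's `empty()` check actually draws, so a regression that rejects the legitimate author name "0" would pass this suite; a copy of `test_create_comment_empty_required_author_name` with `'author_name'  => '0',` and `$this->assertEquals( 201, $response->get_status() );` in place of the error assertion would lock that in. The four new update tests in the last hunk assert only `200` and never read the stored comment back, so they cannot tell whether the empty `author_email`/`author_name` was written, ignored, or left at the previous value; adding `$this->assertSame( '', get_comment( self::$approved_id )->comment_author_email );` to `test_update_comment_empty_author_email` (and the name equivalent) would make the "can be an empty string on update" claim in the commit message testable. The removed `tearDown()` and the dropped `update_option( 'require_name_email', 0 )` resets presumably rely on the test case's own option rollback, which is not visible here; if it is not guaranteed, the `require_name_email => 1` setting leaks into later tests.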