Changeset 39444


Timestamp:
12/02/2016 10:43:03 PM (18 months ago)
Author:
rachelbaker
Message:

REST API: Fix bug where comment author and author email could be an empty string when creating a comment.

If the require_name_email option is true, creating a comment with an empty string for the author name or email should not be accepted. Both values can be an empty string on update.

Props flixos90, hnle, dd32, rachelbaker, jnylen0, ChopinBach, joehoyle, pento.

Fixes #38971.

Location:
trunk
Files:
2 edited

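--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -509,14 +509,6 @@
         // Honor the discussion setting that requires a name and email address of the comment author.
         if ( get_option( 'require_name_email' ) ) {
-            if ( ! isset( $prepared_comment['comment_author'] ) && ! isset( $prepared_comment['comment_author_email'] ) ) {
+            if ( empty( $prepared_comment['comment_author'] ) || empty( $prepared_comment['comment_author_email'] ) ) {
                 return new WP_Error( 'rest_comment_author_data_required', __( 'Creating a comment requires valid author name and email values.' ), array( 'status' => 400 ) );
-            }
-
-            if ( ! isset( $prepared_comment['comment_author'] ) ) {
-                return new WP_Error( 'rest_comment_author_required', __( 'Creating a comment requires a valid author name.' ), array( 'status' => 400 ) );
-            }
-
-            if ( ! isset( $prepared_comment['comment_author_email'] ) ) {
-                return new WP_Error( 'rest_comment_author_email_required', __( 'Creating a comment requires a valid author email.' ), array( 'status' => 400 ) );
             }
         }
@@ -1156,4 +1148,8 @@
                     'format'       => 'email',
                     'context'      => array( 'edit' ),
+                    'arg_options'  => array(
+                        'sanitize_callback' => array( $this, 'check_comment_author_email' ),
+                        'validate_callback' => null, // skip built-in validation of 'email'.
+                    ),
                 ),
                 'author_ip'     => array(
@@ -1582,3 +1578,32 @@
         return current_user_can( 'edit_comment', $comment->comment_ID );
     }
+
+    /**
+     * Checks a comment author email for validity.
+     *
+     * Accepts either a valid email address or empty string as a valid comment
+     * author email address. Setting the comment author email to an empty
+     * string is allowed when a comment is being updated.
+     *
+     * @since 4.7.0
+     *
+     * @param string          $value   Author email value submitted.
+     * @param WP_REST_Request $request Full details about the request.
+     * @param string          $param   The parameter name.
+     * @return WP_Error|string The sanitized email address, if valid,
+     *                         otherwise an error.
+     */
+    public function check_comment_author_email( $value, $request, $param ) {
+        $email = (string) $value;
+        if ( empty( $email ) ) {
+            return $email;
+        }
+
+        $check_email = rest_validate_request_arg( $email, $request, $param );
+        if ( is_wp_error( $check_email ) ) {
+            return $check_email;
+        }
+
+        return $email;
+    }
 }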
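Review bot: check_comment_author_email is registered as the author_email sanitize_callback (arg_options at new lines 1150–1153) but it only validates: a non-empty value is returned exactly as submitted at line 1607, so whatever sanitization the schema's 'email' format previously applied at the REST layer (presumably sanitize_email via the default sanitize_callback) no longer runs before the value reaches the comment data. Consider returning the sanitized value once validation passes, e.g. `return sanitize_email( $email );`, unless a downstream comment filter is known to cover it. A second, smaller point at new line 511 in create_item: `empty()` is also true for the literal string '0', so an author name of "0" is rejected with rest_comment_author_data_required; `! isset( $prepared_comment['comment_author'] ) || '' === $prepared_comment['comment_author']` expresses the intent without that PHP quirk. Note also that the (string) cast at line 1597 silently turns a JSON null author_email into '', which the update path then accepts as "clear the email" — worth one sentence in the docblock if that is intended. create_item's body starts before and continues after the first hunk.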
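--- a/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -96,8 +96,4 @@
             update_site_option( 'site_admins', array( 'superadmin' ) );
         }
-    }
-
-    public function tearDown() {
-        parent::tearDown();
     }
 
@@ -988,26 +984,6 @@
     }
 
-    public function test_create_comment_missing_required_author_name_and_email_per_option_value() {
+    public function test_create_comment_missing_required_author_name() {
         add_filter( 'rest_allow_anonymous_comments', '__return_true' );
-        update_option( 'require_name_email', 1 );
-
-        $params = array(
-            'post'    => self::$post_id,
-            'content' => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
-        );
-
-        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
-        $request->add_header( 'content-type', 'application/json' );
-        $request->set_body( wp_json_encode( $params ) );
-
-        $response = $this->server->dispatch( $request );
-
-        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
-
-        update_option( 'require_name_email', 0 );
-    }
-
-    public function test_create_comment_missing_required_author_name_per_option_value() {
-        wp_set_current_user( self::$admin_id );
         update_option( 'require_name_email', 1 );
 
@@ -1023,10 +999,29 @@
 
         $response = $this->server->dispatch( $request );
-        $this->assertErrorResponse( 'rest_comment_author_required', $response, 400 );
-
-        update_option( 'require_name_email', 0 );
-    }
-
-    public function test_create_comment_missing_required_author_email_per_option_value() {
+
+        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
+    }
+
+    public function test_create_comment_empty_required_author_name() {
+        add_filter( 'rest_allow_anonymous_comments', '__return_true' );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'author_name'  => '',
+            'author_email' => 'ekrabappel@springfield-elementary.edu',
+            'post'         => self::$post_id,
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
+    }
+
+    public function test_create_comment_missing_required_author_email() {
         wp_set_current_user( self::$admin_id );
         update_option( 'require_name_email', 1 );
 
@@ -1043,7 +1038,24 @@
 
         $response = $this->server->dispatch( $request );
-        $this->assertErrorResponse( 'rest_comment_author_email_required', $response, 400 );
-
-        update_option( 'require_name_email', 0 );
+        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
+    }
+
+    public function test_create_comment_empty_required_author_email() {
+        wp_set_current_user( self::$admin_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Edna Krabappel',
+            'author_email' => '',
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
     }
 
@@ -1991,4 +2003,98 @@
         $this->assertEquals( $params['date_gmt'], $comment['date_gmt'] );
         $this->assertEquals( $params['date_gmt'], mysql_to_rfc3339( $updated->comment_date_gmt ) );
+    }
+
+    public function test_update_comment_author_email_only() {
+        wp_set_current_user( self::$editor_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_email' => 'ekrabappel@springfield-elementary.edu',
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_update_comment_empty_author_name() {
+        wp_set_current_user( self::$editor_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'author_name'  => '',
+            'author_email' => 'ekrabappel@springfield-elementary.edu',
+            'post'         => self::$post_id,
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_update_comment_author_name_only() {
+        wp_set_current_user( self::$admin_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'post'        => self::$post_id,
+            'author_name' => 'Edna Krabappel',
+            'content'     => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_update_comment_empty_author_email() {
+        wp_set_current_user( self::$admin_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Edna Krabappel',
+            'author_email' => '',
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_update_comment_author_email_too_short() {
+        wp_set_current_user( self::$admin_id );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Homer J. Simpson',
+            'author_email' => 'a@b',
+            'content'      => 'in this house, we obey the laws of thermodynamics!',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+        $data = $response->get_data();
+        $this->assertArrayHasKey( 'author_email', $data['data']['params'] );
     }
 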
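Review bot: The four new update tests (test_update_comment_author_email_only through test_update_comment_empty_author_email, new lines 2007–2079) only assert a 200 status and never read the comment back, so they would still pass if an empty author_name or author_email were silently dropped or overwritten rather than stored. Fetching the record after dispatch and pinning the field, e.g. `$this->assertSame( '', get_comment( self::$approved_id )->comment_author_email );` in test_update_comment_empty_author_email (and the comment_author equivalent in test_update_comment_empty_author_name), would make them test the behavior the changeset message describes. On the create side, the hunks shown never exercise an empty string with require_name_email off, so the boundary between "rejected" and "accepted as empty" is only tested from one direction. The test methods are complete within the hunks.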