WordPress.org

Make WordPress Core


Ignore:
Timestamp:
12/02/2016 10:43:03 PM (3 years ago)
Author:
rachelbaker
Message:

REST API: Fix bug where comment author and author email could be an empty string when creating a comment.

If the require_name_email option is true, creating a comment with an empty string for the author name or email should not be accepted. Both values can be an empty string on update.

Props flixos90, hnle, dd32, rachelbaker, jnylen0, ChopinBach, joehoyle, pento.

Fixes #38971.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php

    r39349 r39444  
    509509        // Honor the discussion setting that requires a name and email address of the comment author.
    510510        if ( get_option( 'require_name_email' ) ) {
    511             if ( ! isset( $prepared_comment['comment_author'] ) && ! isset( $prepared_comment['comment_author_email'] ) ) {
     511            if ( empty( $prepared_comment['comment_author'] ) || empty( $prepared_comment['comment_author_email'] ) ) {
    512512                return new WP_Error( 'rest_comment_author_data_required', __( 'Creating a comment requires valid author name and email values.' ), array( 'status' => 400 ) );
    513             }
    514 
    515             if ( ! isset( $prepared_comment['comment_author'] ) ) {
    516                 return new WP_Error( 'rest_comment_author_required', __( 'Creating a comment requires a valid author name.' ), array( 'status' => 400 ) );
    517             }
    518 
    519             if ( ! isset( $prepared_comment['comment_author_email'] ) ) {
    520                 return new WP_Error( 'rest_comment_author_email_required', __( 'Creating a comment requires a valid author email.' ), array( 'status' => 400 ) );
    521513            }
    522514        }
     
    11561148                    'format'       => 'email',
    11571149                    'context'      => array( 'edit' ),
     1150                    'arg_options'  => array(
     1151                        'sanitize_callback' => array( $this, 'check_comment_author_email' ),
     1152                        'validate_callback' => null, // skip built-in validation of 'email'.
     1153                    ),
    11581154                ),
    11591155                'author_ip'     => array(
     
    15821578        return current_user_can( 'edit_comment', $comment->comment_ID );
    15831579    }
     1580
     1581    /**
     1582     * Checks a comment author email for validity.
     1583     *
     1584     * Accepts either a valid email address or empty string as a valid comment
     1585     * author email address. Setting the comment author email to an empty
     1586     * string is allowed when a comment is being updated.
     1587     *
     1588     * @since 4.7.0
     1589     *
     1590     * @param string          $value   Author email value submitted.
     1591     * @param WP_REST_Request $request Full details about the request.
     1592     * @param string          $param   The parameter name.
     1593     * @return WP_Error|string The sanitized email address, if valid,
     1594     *                         otherwise an error.
     1595     */
     1596    public function check_comment_author_email( $value, $request, $param ) {
     1597        $email = (string) $value;
     1598        if ( empty( $email ) ) {
     1599            return $email;
     1600        }
     1601
     1602        $check_email = rest_validate_request_arg( $email, $request, $param );
     1603        if ( is_wp_error( $check_email ) ) {
     1604            return $check_email;
     1605        }
     1606
     1607        return $email;
     1608    }
    15841609}
Note: See TracChangeset for help on using the changeset viewer.