Changeset 39446


Timestamp:
12/02/2016 10:45:06 PM (18 months ago)
Author:
rachelbaker
Message:

REST API: Fix bug where comment author and author email could be an empty string when creating a comment.

If the require_name_email option is true, creating a comment with an empty string for the author name or email should not be accepted. Both values can be an empty string on update.

Merges [39444] into the 4.7 branch.
Props flixos90, hnle, dd32, rachelbaker, jnylen0, ChopinBach, joehoyle, pento.

Fixes #38971 for 4.7.

Location:
branches/4.7
Files:
3 edited

  • branches/4.7

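--- a/branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -509,14 +509,6 @@
         // Honor the discussion setting that requires a name and email address of the comment author.
         if ( get_option( 'require_name_email' ) ) {
-            if ( ! isset( $prepared_comment['comment_author'] ) && ! isset( $prepared_comment['comment_author_email'] ) ) {
+            if ( empty( $prepared_comment['comment_author'] ) || empty( $prepared_comment['comment_author_email'] ) ) {
                 return new WP_Error( 'rest_comment_author_data_required', __( 'Creating a comment requires valid author name and email values.' ), array( 'status' => 400 ) );
-            }
-
-            if ( ! isset( $prepared_comment['comment_author'] ) ) {
-                return new WP_Error( 'rest_comment_author_required', __( 'Creating a comment requires a valid author name.' ), array( 'status' => 400 ) );
-            }
-
-            if ( ! isset( $prepared_comment['comment_author_email'] ) ) {
-                return new WP_Error( 'rest_comment_author_email_required', __( 'Creating a comment requires a valid author email.' ), array( 'status' => 400 ) );
             }
         }
@@ -1156,4 +1148,8 @@
                     'format'       => 'email',
                     'context'      => array( 'edit' ),
+                    'arg_options'  => array(
+                        'sanitize_callback' => array( $this, 'check_comment_author_email' ),
+                        'validate_callback' => null, // skip built-in validation of 'email'.
+                    ),
                 ),
                 'author_ip'     => array(
@@ -1582,3 +1578,32 @@
         return current_user_can( 'edit_comment', $comment->comment_ID );
     }
+
+    /**
+     * Checks a comment author email for validity.
+     *
+     * Accepts either a valid email address or empty string as a valid comment
+     * author email address. Setting the comment author email to an empty
+     * string is allowed when a comment is being updated.
+     *
+     * @since 4.7.0
+     *
+     * @param string          $value   Author email value submitted.
+     * @param WP_REST_Request $request Full details about the request.
+     * @param string          $param   The parameter name.
+     * @return WP_Error|string The sanitized email address, if valid,
+     *                         otherwise an error.
+     */
+    public function check_comment_author_email( $value, $request, $param ) {
+        $email = (string) $value;
+        if ( empty( $email ) ) {
+            return $email;
+        }
+
+        $check_email = rest_validate_request_arg( $email, $request, $param );
+        if ( is_wp_error( $check_email ) ) {
+            return $check_email;
+        }
+
+        return $email;
+    }
 }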
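Review bot: `check_comment_author_email` lets the value `'0'` through unvalidated, because `empty( $email )` is true for the string `'0'` as well as for `''`, so a request carrying `author_email: "0"` skips `rest_validate_request_arg` entirely and is stored as the author email on update (and on create when `require_name_email` is off). The docblock says only the empty string is accepted without validation, so the guard should test for exactly that: `if ( '' === $email ) {`. The same `empty()` semantics apply to the create-path check at the top of the section, where an author name of `'0'` is rejected as missing although it is a non-empty value; `! isset( $prepared_comment['comment_author'] ) || '' === $prepared_comment['comment_author']` matches the stated intent (that check belongs to a method whose start is outside the hunk). Since `validate_callback` is now null, this sanitize callback is the only check on `author_email`, so it is worth confirming that `WP_REST_Request::sanitize_params()` in 4.7 turns a `WP_Error` returned from a sanitize callback into a 400 response rather than storing the error object.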
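--- a/branches/4.7/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/branches/4.7/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -96,8 +96,4 @@
             update_site_option( 'site_admins', array( 'superadmin' ) );
         }
-    }
-
-    public function tearDown() {
-        parent::tearDown();
     }
 
@@ -988,26 +984,6 @@
     }
 
-    public function test_create_comment_missing_required_author_name_and_email_per_option_value() {
+    public function test_create_comment_missing_required_author_name() {
         add_filter( 'rest_allow_anonymous_comments', '__return_true' );
-        update_option( 'require_name_email', 1 );
-
-        $params = array(
-            'post'    => self::$post_id,
-            'content' => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
-        );
-
-        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
-        $request->add_header( 'content-type', 'application/json' );
-        $request->set_body( wp_json_encode( $params ) );
-
-        $response = $this->server->dispatch( $request );
-
-        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
-
-        update_option( 'require_name_email', 0 );
-    }
-
-    public function test_create_comment_missing_required_author_name_per_option_value() {
-        wp_set_current_user( self::$admin_id );
         update_option( 'require_name_email', 1 );
 
@@ -1023,10 +999,29 @@
 
         $response = $this->server->dispatch( $request );
-        $this->assertErrorResponse( 'rest_comment_author_required', $response, 400 );
-
-        update_option( 'require_name_email', 0 );
-    }
-
-    public function test_create_comment_missing_required_author_email_per_option_value() {
+
+        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
+    }
+
+    public function test_create_comment_empty_required_author_name() {
+        add_filter( 'rest_allow_anonymous_comments', '__return_true' );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'author_name'  => '',
+            'author_email' => 'ekrabappel@springfield-elementary.edu',
+            'post'         => self::$post_id,
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
+    }
+
+    public function test_create_comment_missing_required_author_email() {
         wp_set_current_user( self::$admin_id );
         update_option( 'require_name_email', 1 );
@@ -1043,7 +1038,24 @@
 
         $response = $this->server->dispatch( $request );
-        $this->assertErrorResponse( 'rest_comment_author_email_required', $response, 400 );
-
-        update_option( 'require_name_email', 0 );
+        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
+    }
+
+    public function test_create_comment_empty_required_author_email() {
+        wp_set_current_user( self::$admin_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Edna Krabappel',
+            'author_email' => '',
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
     }
 
@@ -1991,4 +2003,98 @@
         $this->assertEquals( $params['date_gmt'], $comment['date_gmt'] );
         $this->assertEquals( $params['date_gmt'], mysql_to_rfc3339( $updated->comment_date_gmt ) );
+    }
+
+    public function test_update_comment_author_email_only() {
+        wp_set_current_user( self::$editor_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_email' => 'ekrabappel@springfield-elementary.edu',
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_update_comment_empty_author_name() {
+        wp_set_current_user( self::$editor_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'author_name'  => '',
+            'author_email' => 'ekrabappel@springfield-elementary.edu',
+            'post'         => self::$post_id,
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_update_comment_author_name_only() {
+        wp_set_current_user( self::$admin_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'post'        => self::$post_id,
+            'author_name' => 'Edna Krabappel',
+            'content'     => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_update_comment_empty_author_email() {
+        wp_set_current_user( self::$admin_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Edna Krabappel',
+            'author_email' => '',
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_update_comment_author_email_too_short() {
+        wp_set_current_user( self::$admin_id );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Homer J. Simpson',
+            'author_email' => 'a@b',
+            'content'      => 'in this house, we obey the laws of thermodynamics!',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+        $data = $response->get_data();
+        $this->assertArrayHasKey( 'author_email', $data['data']['params'] );
     }
 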
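Review bot: The four `test_update_comment_*` tests added at the end of the section assert only a 200 status and never read the comment back, so they would still pass if an empty `author_name`/`author_email` were silently dropped instead of stored as `''`, which is the update behaviour the commit message promises. Adding a read-back such as `$this->assertSame( '', get_comment( self::$approved_id )->comment_author_email );` to `test_update_comment_empty_author_email` (and the equivalent for `comment_author` in `test_update_comment_empty_author_name`) pins that contract. The new create-path tests also have no case for a value that `empty()` treats as empty but that is not the empty string, e.g. `'author_name' => '0'` with `require_name_email` on, so that edge of the new check is untested. The explicit `update_option( 'require_name_email', 0 )` resets and the `tearDown()` override were removed with no replacement; this presumably relies on the test framework rolling back option changes between tests — verify that `WP_UnitTestCase` does so, since a leaked `require_name_email = 1` would change the outcome of create tests that run later.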