
Changeset 39446


Timestamp:
12/02/16 22:45:06 (9 months ago)
Author:
rachelbaker
Message:

REST API: Fix bug where comment author and author email could be an empty string when creating a comment.

If the require_name_email option is true, creating a comment with an empty string for the author name or email should not be accepted. Both values can be an empty string on update.

Merges [39444] into the 4.7 branch.
Props flixos90, hnle, dd32, rachelbaker, jnylen0, ChopinBach, joehoyle, pento.

Fixes #38971 for 4.7.

Location:
branches/4.7
Files:
3 edited


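--- a/branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -509,14 +509,6 @@
         // Honor the discussion setting that requires a name and email address of the comment author.
         if ( get_option( 'require_name_email' ) ) {
-            if ( ! isset( $prepared_comment['comment_author'] ) && ! isset( $prepared_comment['comment_author_email'] ) ) {
+            if ( empty( $prepared_comment['comment_author'] ) || empty( $prepared_comment['comment_author_email'] ) ) {
                 return new WP_Error( 'rest_comment_author_data_required', __( 'Creating a comment requires valid author name and email values.' ), array( 'status' => 400 ) );
-            }
-
-            if ( ! isset( $prepared_comment['comment_author'] ) ) {
-                return new WP_Error( 'rest_comment_author_required', __( 'Creating a comment requires a valid author name.' ), array( 'status' => 400 ) );
-            }
-
-            if ( ! isset( $prepared_comment['comment_author_email'] ) ) {
-                return new WP_Error( 'rest_comment_author_email_required', __( 'Creating a comment requires a valid author email.' ), array( 'status' => 400 ) );
             }
         }
@@ -1156,4 +1148,8 @@
                     'format'       => 'email',
                     'context'      => array( 'edit' ),
+                    'arg_options'  => array(
+                        'sanitize_callback' => array( $this, 'check_comment_author_email' ),
+                        'validate_callback' => null, // skip built-in validation of 'email'.
+                    ),
                 ),
                 'author_ip'     => array(
@@ -1582,3 +1578,32 @@
         return current_user_can( 'edit_comment', $comment->comment_ID );
     }
+
+    /**
+     * Checks a comment author email for validity.
+     *
+     * Accepts either a valid email address or empty string as a valid comment
+     * author email address. Setting the comment author email to an empty
+     * string is allowed when a comment is being updated.
+     *
+     * @since 4.7.0
+     *
+     * @param string          $value   Author email value submitted.
+     * @param WP_REST_Request $request Full details about the request.
+     * @param string          $param   The parameter name.
+     * @return WP_Error|string The sanitized email address, if valid,
+     *                         otherwise an error.
+     */
+    public function check_comment_author_email( $value, $request, $param ) {
+        $email = (string) $value;
+        if ( empty( $email ) ) {
+            return $email;
+        }
+
+        $check_email = rest_validate_request_arg( $email, $request, $param );
+        if ( is_wp_error( $check_email ) ) {
+            return $check_email;
+        }
+
+        return $email;
+    }
 }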
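Review bot: `empty( $email )` in the new `check_comment_author_email` treats the string `'0'` as empty, so an `author_email` of `'0'` skips `rest_validate_request_arg` and is returned as an accepted value, while the same `empty()` test in the create check rejects an `author_name` of `'0'` as missing. Since `$email` is already cast to string, `if ( '' === $email )` expresses the intended "empty string is allowed" rule exactly, and the create check can read `if ( ! isset( $prepared_comment['comment_author'] ) || '' === $prepared_comment['comment_author'] || ! isset( $prepared_comment['comment_author_email'] ) || '' === $prepared_comment['comment_author_email'] )`. The docblock's `@return` also describes "The sanitized email address", but the method only validates and hands back the cast input unchanged; `@return WP_Error|string The submitted email address if it is valid or empty, otherwise an error.` matches what the code does.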
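--- a/branches/4.7/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/branches/4.7/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -96,8 +96,4 @@
             update_site_option( 'site_admins', array( 'superadmin' ) );
         }
-    }
-
-    public function tearDown() {
-        parent::tearDown();
     }
 
@@ -988,26 +984,6 @@
     }
 
-    public function test_create_comment_missing_required_author_name_and_email_per_option_value() {
+    public function test_create_comment_missing_required_author_name() {
         add_filter( 'rest_allow_anonymous_comments', '__return_true' );
-        update_option( 'require_name_email', 1 );
-
-        $params = array(
-            'post'    => self::$post_id,
-            'content' => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
-        );
-
-        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
-        $request->add_header( 'content-type', 'application/json' );
-        $request->set_body( wp_json_encode( $params ) );
-
-        $response = $this->server->dispatch( $request );
-
-        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
-
-        update_option( 'require_name_email', 0 );
-    }
-
-    public function test_create_comment_missing_required_author_name_per_option_value() {
-        wp_set_current_user( self::$admin_id );
         update_option( 'require_name_email', 1 );
 
@@ -1023,10 +999,29 @@
 
         $response = $this->server->dispatch( $request );
-        $this->assertErrorResponse( 'rest_comment_author_required', $response, 400 );
-
-        update_option( 'require_name_email', 0 );
-    }
-
-    public function test_create_comment_missing_required_author_email_per_option_value() {
+
+        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
+    }
+
+    public function test_create_comment_empty_required_author_name() {
+        add_filter( 'rest_allow_anonymous_comments', '__return_true' );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'author_name'  => '',
+            'author_email' => 'ekrabappel@springfield-elementary.edu',
+            'post'         => self::$post_id,
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
+    }
+
+    public function test_create_comment_missing_required_author_email() {
         wp_set_current_user( self::$admin_id );
         update_option( 'require_name_email', 1 );
@@ -1043,7 +1038,24 @@
 
         $response = $this->server->dispatch( $request );
-        $this->assertErrorResponse( 'rest_comment_author_email_required', $response, 400 );
-
-        update_option( 'require_name_email', 0 );
+        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
+    }
+
+    public function test_create_comment_empty_required_author_email() {
+        wp_set_current_user( self::$admin_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Edna Krabappel',
+            'author_email' => '',
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
     }
 
@@ -1991,4 +2003,98 @@
         $this->assertEquals( $params['date_gmt'], $comment['date_gmt'] );
         $this->assertEquals( $params['date_gmt'], mysql_to_rfc3339( $updated->comment_date_gmt ) );
+    }
+
+    public function test_update_comment_author_email_only() {
+        wp_set_current_user( self::$editor_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_email' => 'ekrabappel@springfield-elementary.edu',
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_update_comment_empty_author_name() {
+        wp_set_current_user( self::$editor_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'author_name'  => '',
+            'author_email' => 'ekrabappel@springfield-elementary.edu',
+            'post'         => self::$post_id,
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_update_comment_author_name_only() {
+        wp_set_current_user( self::$admin_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'post'        => self::$post_id,
+            'author_name' => 'Edna Krabappel',
+            'content'     => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_update_comment_empty_author_email() {
+        wp_set_current_user( self::$admin_id );
+        update_option( 'require_name_email', 1 );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Edna Krabappel',
+            'author_email' => '',
+            'content'      => 'Now, I don\'t want you to worry class. These tests will have no affect on your grades. They merely determine your future social status and financial success. If any.',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function test_update_comment_author_email_too_short() {
+        wp_set_current_user( self::$admin_id );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Homer J. Simpson',
+            'author_email' => 'a@b',
+            'content'      => 'in this house, we obey the laws of thermodynamics!',
+        );
+
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+        $data = $response->get_data();
+        $this->assertArrayHasKey( 'author_email', $data['data']['params'] );
     }
 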
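Review bot: `test_update_comment_empty_author_name` and `test_update_comment_empty_author_email` assert only a 200 status, so they would still pass if the update silently dropped the empty value instead of storing it, which is the behaviour the commit message says must be allowed. Reading the comment back pins it: after the dispatch, `$comment = get_comment( self::$approved_id );` followed by `$this->assertSame( '', $comment->comment_author_email );` (and the `comment_author` counterpart in the name test). The removed `update_option( 'require_name_email', 0 )` resets and the deleted `tearDown()` presumably rely on the test case restoring options between tests; worth confirming, since several of the new tests leave `require_name_email` set to 1.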