Timestamp:
12/02/2016 10:45:06 PM (7 years ago)
Author:
rachelbaker
Message:

REST API: Fix bug where comment author and author email could be an empty string when creating a comment.

If the require_name_email option is true, creating a comment with an empty string for the author name or email should not be accepted. Both values can be an empty string on update.

Merges [39444] into the 4.7 branch.
Props flixos90, hnle, dd32, rachelbaker, jnylen0, ChopinBach, joehoyle, pento.

Fixes #38971 for 4.7.

Location:
branches/4.7
Files:
2 edited

  • branches/4.7

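--- a/branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -509,14 +509,6 @@
         // Honor the discussion setting that requires a name and email address of the comment author.
         if ( get_option( 'require_name_email' ) ) {
-            if ( ! isset( $prepared_comment['comment_author'] ) && ! isset( $prepared_comment['comment_author_email'] ) ) {
+            if ( empty( $prepared_comment['comment_author'] ) || empty( $prepared_comment['comment_author_email'] ) ) {
                 return new WP_Error( 'rest_comment_author_data_required', __( 'Creating a comment requires valid author name and email values.' ), array( 'status' => 400 ) );
-            }
-
-            if ( ! isset( $prepared_comment['comment_author'] ) ) {
-                return new WP_Error( 'rest_comment_author_required', __( 'Creating a comment requires a valid author name.' ), array( 'status' => 400 ) );
-            }
-
-            if ( ! isset( $prepared_comment['comment_author_email'] ) ) {
-                return new WP_Error( 'rest_comment_author_email_required', __( 'Creating a comment requires a valid author email.' ), array( 'status' => 400 ) );
             }
         }
@@ -1156,4 +1148,8 @@
                     'format'       => 'email',
                     'context'      => array( 'edit' ),
+                    'arg_options'  => array(
+                        'sanitize_callback' => array( $this, 'check_comment_author_email' ),
+                        'validate_callback' => null, // skip built-in validation of 'email'.
+                    ),
                 ),
                 'author_ip'     => array(
@@ -1582,3 +1578,32 @@
         return current_user_can( 'edit_comment', $comment->comment_ID );
     }
+
+    /**
+     * Checks a comment author email for validity.
+     *
+     * Accepts either a valid email address or empty string as a valid comment
+     * author email address. Setting the comment author email to an empty
+     * string is allowed when a comment is being updated.
+     *
+     * @since 4.7.0
+     *
+     * @param string          $value   Author email value submitted.
+     * @param WP_REST_Request $request Full details about the request.
+     * @param string          $param   The parameter name.
+     * @return WP_Error|string The sanitized email address, if valid,
+     *                         otherwise an error.
+     */
+    public function check_comment_author_email( $value, $request, $param ) {
+        $email = (string) $value;
+        if ( empty( $email ) ) {
+            return $email;
+        }
+
+        $check_email = rest_validate_request_arg( $email, $request, $param );
+        if ( is_wp_error( $check_email ) ) {
+            return $check_email;
+        }
+
+        return $email;
+    }
 }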
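Review bot: `check_comment_author_email()` uses `empty( $email )` (new line 1598) as its empty-string test, but `empty()` is also true for the string `'0'`, so a submitted value of `'0'` is returned as an accepted author email without ever reaching `rest_validate_request_arg()`. Because the schema hunk sets `'validate_callback' => null`, this callback is the only format check left on the field, so the short-circuit should match the documented contract exactly: `if ( '' === $email ) {`. The same `empty()` at new line 511 rejects an author name of `'0'` and would still accept a whitespace-only name or email unless the values are trimmed earlier; that method starts outside the hunk, so this may already be handled upstream.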