

Timestamp:
02/21/2023 01:43:33 AM (22 months ago)
Author:
peterwilsoncc
Message:

Comments: Prevent replying to unapproved comments.

Introduces client and server side validation to ensure the replytocom query string parameter can not be exploited to reply to an unapproved comment or display the name of an unapproved commenter.

This only affects commenting via the front end of the site. Comment replies via the dashboard continue their current behaviour of logging the reply and approving the parent comment.

Introduces the $post parameter, defaulting to the current global post, to get_cancel_comment_reply_link() and comment_form_title().

Introduces _get_comment_reply_id() for determining the comment reply ID based on the replytocom query string parameter.

Renames the parameter $post_id to $post in get_comment_id_fields() and comment_id_fields() to accept either a post ID or WP_Post object.

Adds a new WP_Error return state to wp_handle_comment_submission() to prevent replies to unapproved comments. The error code is comment_reply_to_unapproved_comment with the message Sorry, replies to unapproved comments are not allowed..

Props costdev, jrf, hellofromtonya, fasuto, boniu91, milana_cap.
Fixes #53962.

File:
1 edited

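--- a/trunk/tests/phpunit/tests/comment/wpHandleCommentSubmission.php
+++ b/trunk/tests/phpunit/tests/comment/wpHandleCommentSubmission.php
@@ -883,3 +883,123 @@
         $this->assertEquals( self::$post->ID, $second_comment->comment_post_ID );
     }
+
+    /**
+     * Tests that wp_handle_comment_submission() only allows replying to
+     * an approved parent comment.
+     *
+     * @ticket 53962
+     *
+     * @dataProvider data_should_only_allow_replying_to_an_approved_parent_comment
+     *
+     * @param int $approved Whether the parent comment is approved.
+     */
+    public function test_should_only_allow_replying_to_an_approved_parent_comment( $approved ) {
+        wp_set_current_user( self::$editor_id );
+
+        $comment_parent = self::factory()->comment->create(
+            array(
+                'comment_post_ID'  => self::$post->ID,
+                'comment_approved' => $approved,
+            )
+        );
+
+        $comment = wp_handle_comment_submission(
+            array(
+                'comment_post_ID'      => self::$post->ID,
+                'comment_author'       => 'A comment author',
+                'comment_author_email' => 'comment_author@example.org',
+                'comment'              => 'Howdy, comment!',
+                'comment_parent'       => $comment_parent,
+            )
+        );
+
+        if ( $approved ) {
+            $this->assertInstanceOf(
+                'WP_Comment',
+                $comment,
+                'The comment was not submitted.'
+            );
+        } else {
+            $this->assertWPError( $comment, 'The comment was submitted.' );
+            $this->assertSame(
+                'comment_reply_to_unapproved_comment',
+                $comment->get_error_code(),
+                'The wrong error code was returned.'
+            );
+        }
+    }
+
+    /**
+     * Data provider.
+     *
+     * @return array[]
+     */
+    public function data_should_only_allow_replying_to_an_approved_parent_comment() {
+        return array(
+            'an approved parent comment'   => array( 'approved' => 1 ),
+            'an unapproved parent comment' => array( 'approved' => 0 ),
+        );
+    }
+
+    /**
+     * Tests that wp_handle_comment_submission() only allows replying to
+     * an existing parent comment.
+     *
+     * @ticket 53962
+     *
+     * @dataProvider data_should_only_allow_replying_to_an_existing_parent_comment
+     *
+     * @param bool $exists Whether the parent comment exists.
+     */
+    public function test_should_only_allow_replying_to_an_existing_parent_comment( $exists ) {
+        wp_set_current_user( self::$editor_id );
+
+        $parent_comment = -99999;
+
+        if ( $exists ) {
+            $parent_comment = self::factory()->comment->create(
+                array(
+                    'comment_post_ID'  => self::$post->ID,
+                    'comment_approved' => 1,
+                )
+            );
+        }
+
+        $comment = wp_handle_comment_submission(
+            array(
+                'comment_post_ID'      => self::$post->ID,
+                'comment_author'       => 'A comment author',
+                'comment_author_email' => 'comment_author@example.org',
+                'comment'              => 'Howdy, comment!',
+                'comment_parent'       => $parent_comment,
+            )
+        );
+
+        if ( $exists ) {
+            $this->assertInstanceOf(
+                'WP_Comment',
+                $comment,
+                'The comment was not submitted.'
+            );
+        } else {
+            $this->assertWPError( $comment, 'The comment was submitted.' );
+            $this->assertSame(
+                'comment_reply_to_unapproved_comment',
+                $comment->get_error_code(),
+                'The wrong error code was returned.'
+            );
+        }
+    }
+
+    /**
+     * Data provider.
+     *
+     * @return array[]
+     */
+    public function data_should_only_allow_replying_to_an_existing_parent_comment() {
+        return array(
+            'an existing parent comment'    => array( 'exists' => true ),
+            'a non-existent parent comment' => array( 'exists' => false ),
+        );
+    }
 }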
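Review bot: The branch in test_should_only_allow_replying_to_an_approved_parent_comment keys off truthiness (`if ( $approved )`), so the data provider can only carry 1 and 0 and cannot be extended to the other non-approved states WordPress stores in comment_approved ('spam', 'trash'), since those strings are truthy and would be routed to the "submitted" assertion. Comparing strictly, `if ( 1 === $approved ) {`, and adding `'a spam parent comment' => array( 'approved' => 'spam' ),` and `'a trashed parent comment' => array( 'approved' => 'trash' ),` to data_should_only_allow_replying_to_an_approved_parent_comment would check whether the new server-side guard also refuses replies in those states rather than leaving that unasserted; the `@param` type would then read `int|string $approved`. The enclosing test class opens outside this hunk.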