Changeset 61089

Timestamp:

10/30/2025 11:54:22 AM (7 weeks ago)

Author:

wildworks

Message:

Editor: Add auth_callback to _wp_note_status comment meta.

Adds an auth_callback to the _wp_note_status comment meta so that only users with the edit_comment capability can update this meta field via the REST API.

This is necessary to ensure that users can properly resolve or reopen Notes.

Props wildworks, adamsilverstein, westonruter, mamaduka, desrosj.
Fixes #64153.

Location:

trunk

Files:

• src/wp-includes/comment.php (modified) (1 diff)
• src/wp-includes/default-filters.php (modified) (1 diff)
• tests/phpunit/tests/rest-api/rest-comments-controller.php (modified) (2 diffs)

trunk/src/wp-includes/comment.php

@@ -4130 +4130 @@
                 ),
             ),
+            'auth_callback' => function ( $allowed, $meta_key, $object_id ) {
+                return current_user_can( 'edit_comment', $object_id );
+            },
         )
     );
 }
-add_action( 'init', 'wp_create_initial_comment_meta' );

trunk/src/wp-includes/default-filters.php

@@ -152 +152 @@
 add_action( 'updated_comment_meta', 'wp_cache_set_comments_last_changed' );
 add_action( 'deleted_comment_meta', 'wp_cache_set_comments_last_changed' );
+add_action( 'init', 'wp_create_initial_comment_meta' );
 
 // Places to balance tags on input.

trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php

@@ -171 +171 @@
         parent::set_up();
         $this->endpoint = new WP_REST_Comments_Controller();
+        wp_create_initial_comment_meta();
+
         if ( is_multisite() ) {
             update_site_option( 'site_admins', array( 'superadmin' ) );
@@ -3889 +3891 @@
         $response = rest_get_server()->dispatch( $request );
         $this->assertSame( 201, $response->get_status() );
+
+        $data = $response->get_data();
+        $this->assertArrayHasKey( 'meta', $data );
+        $this->assertArrayHasKey( '_wp_note_status', $data['meta'] );
+        $this->assertSame( $status, $data['meta']['_wp_note_status'] );
     }