Opened 10 years ago
Closed 9 years ago
#27471 closed defect (bug) (fixed)
wp.newComment allows to post new comments even if they are closed or not supported
Reported by: | xknown | Owned by: | wonderboymusic |
---|---|---|---|
Milestone: | 4.4 | Priority: | normal |
Severity: | normal | Version: | 3.8.1 |
Component: | XML-RPC | Keywords: | has-patch |
Focuses: | Cc: |
Description
wp_xmlrpc_server::wp_newComment() doesn't check if comments are allowed/supported or not on a given post type.
```
faineant:wp alex$ curl -s -c /tmp/atoq.cookie -d 'log=test&pwd=1234' 'http://atoq/wp/wp-login.php' | curl -b /tmp/atoq.cookie -sd 'comment_post_ID=1&author=test&email=test@buayacorp.com&comment=test' "http://atoq/wp/wp-comments-post.php" | grep Sorry
<p>Sorry, comments are closed for this item.</p></body>
faineant:wp alex$ cat test.xml
<methodCall>
  <methodName>wp.newComment</methodName>
  <params>
    <param><value>1</value></param>
    <param><value>test</value></param>
    <param><value>1234</value></param>
    <param><value>1</value></param>
    <param><value>Test comment</value></param>
  </params>
</methodCall>
faineant:wp alex$ curl --data @test.xml "http://atoq/wp/xmlrpc.php"
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <params>
    <param>
      <value>
        <int>4</int>
      </value>
    </param>
  </params>
</methodResponse>
```
Attachments (2)
Change History (8)
#1 follow-up: ↓ 3 @ 10 years ago
This patch should do the trick, please give it a try.
Not only wp_xmlrpc_server::wp_newComment() but neither wp_new_comment() nor wp_insert_comment() check if comments are allowed on a post before going ahead.
This issue exists even on the current version, haven't checked the previous ones.
#3 in reply to: ↑ 1 @ 10 years ago
- Keywords reporter-feedback added
- Version changed from trunk to 3.8.1
The correct workflow may be to retrieve details about the post first, including comment_status, via wp.getPost and then make the call with a comment if comments are open. Anonymous comments are disabled by default in wp.newComment. I think having the XMLRPC call match the current behavior in wp_new_comment() is expected.
#4 @ 10 years ago
I can see why there are no checks in the APIs of WordPress because you can also have custom comment types that would ignore if comments are allowed like status update of your order inside an e-commerce plugin.
Unsure about wp.newComment tho, since that one is only for comments but I can agree with jeremyfelt to have it match the current behavior of wp_new_comment().
#5 @ 9 years ago
- Keywords reporter-feedback removed
- Milestone changed from Awaiting Review to 4.4
- Owner set to wonderboymusic
- Status changed from new to assigned
27471.2.diff adds a unit test
Stop commenting via XML-RPC if comments are closed
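The behaviour reported in this ticket, written as an offline regression check (an added example, not code from the ticket or from WordPress): it parses a wp.newComment response and fails when a comment ID comes back for a post whose comment_status, as read from wp.getPost, is not open. The function names are hypothetical, the fault response is a constructed sample, and its fault code 403 is an assumption.

```python
import xmlrpc.client

# Response body quoted in the ticket: the call returned a new comment ID.
ACCEPTED = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<methodResponse><params><param><value><int>4</int></value></param>"
    "</params></methodResponse>"
)

# Constructed sample (not from the ticket): an XML-RPC fault as a patched
# server might return it. Fault code 403 is an assumption.
REJECTED = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<methodResponse><fault><value><struct>"
    "<member><name>faultCode</name><value><int>403</int></value></member>"
    "<member><name>faultString</name><value><string>"
    "Sorry, comments are closed for this item."
    "</string></value></member>"
    "</struct></value></fault></methodResponse>"
)


def build_new_comment_call(blog_id, username, password, post_id, content):
    """Serialize a wp.newComment call with the ticket's parameter order."""
    params = (blog_id, username, password, post_id, content)
    return xmlrpc.client.dumps(params, methodname="wp.newComment")


def classify_response(body):
    """Return ("accepted", comment_id) or ("rejected", fault_code)."""
    try:
        params, _method = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return ("rejected", fault.faultCode)
    return ("accepted", params[0])


def check_comment_policy(comment_status, body):
    """Fail when a comment was created although comment_status is not open."""
    outcome, detail = classify_response(body)
    if comment_status != "open" and outcome == "accepted":
        return f"FAIL: comment {detail} created, comment_status={comment_status}"
    return "PASS"


if __name__ == "__main__":
    print(check_comment_policy("closed", ACCEPTED))  # behaviour in the ticket
    print(check_comment_policy("closed", REJECTED))  # expected after a fix
```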