WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 4 years ago

Last modified 4 years ago

#30307 closed defect (bug) (fixed)

wp_update_comment does not update user_id column

Reported by: jphase Owned by: SergeyBiryukov
Milestone: 4.2 Priority: normal
Severity: normal Version: 2.0
Component: Comments Keywords: has-patch commit
Focuses: Cc:

Description

wp_update_comment() does not allow the update of the user_id column. This is caused from the $keys array on line 2233 of wp-includes/comment.php not containing the 'user_id' key before wp_array_slice_assoc() is ran on the following line. It's a very simple fix so I'll be posting a diff to this here momentarily.

Before the fix:

        $keys = array( 'comment_content', 'comment_author', 'comment_author_email', 'comment_approved', 'comment_karma', 'comment_author_url', 'comment_date', 'comment_date_gmt', 'comment_parent' );
        $data = wp_array_slice_assoc( $data, $keys );
        $rval = $wpdb->update( $wpdb->comments, $data, compact( 'comment_ID' ) );

After the fix:

        $keys = array( 'comment_content', 'comment_author', 'comment_author_email', 'comment_approved', 'comment_karma', 'comment_author_url', 'comment_date', 'comment_date_gmt', 'comment_parent', 'user_id' );
        $data = wp_array_slice_assoc( $data, $keys );
        $rval = $wpdb->update( $wpdb->comments, $data, compact( 'comment_ID' ) );

Attached is a diff for this that fixed trunk for me. Let me know if I missed something obvious or am not understanding some basic usage.

Attachments (6)

comment_update_user_id.diff (836 bytes) - added by jphase 5 years ago.
Diff to allow user_id to be updated through wp_update_comment()
30307.patch (2.0 KB) - added by SergeyBiryukov 5 years ago.
30307.2.patch (2.3 KB) - added by SergeyBiryukov 5 years ago.
30307.3.patch (3.2 KB) - added by rachelbaker 5 years ago.
Updated unit test to confirm user_id is not the current user.
30307.4.patch (653 bytes) - added by SergeyBiryukov 5 years ago.
comment-reply-template.patch (530 bytes) - added by dllh 4 years ago.
Removes user_ID hidden field from quick edit form

Download all attachments as: .zip

Change History (21)

@jphase
5 years ago

Diff to allow user_id to be updated through wp_update_comment()

#1 @johnbillion
5 years ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to Future Release
  • Version changed from trunk to 2.0

Thanks for the patch!

This ticket was mentioned in Slack in #core by desaiuditd. View the logs.


5 years ago

#4 @SergeyBiryukov
5 years ago

  • Milestone changed from Future Release to 4.2

#5 @SergeyBiryukov
5 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 31172:

Add 'user_id' to the list of fields wp_update_comment() can update.

props jphase.
fixes #30307.

#6 follow-up: @SergeyBiryukov
5 years ago

  • Keywords needs-testing added
  • Resolution fixed deleted
  • Status changed from closed to reopened

As noted by ocean90, the user_id is now set to the user who edits a comment.

30307.2.patch should fix that.

#7 in reply to: ↑ 6 @rachelbaker
5 years ago

  • Keywords needs-testing removed

Tested 30307.2.patch successfully. Comments can be updated with the user_id set to someone other than the current user's id.

@rachelbaker
5 years ago

Updated unit test to confirm user_id is not the current user.

#8 @SergeyBiryukov
5 years ago

The unit test probably doesn't need updating, since the issue here doesn't necessary have to do with the current user, but rather with unintended passing of $_POST['user_id'] to wp_update_comment() on Edit Comment screen.

#9 @SergeyBiryukov
5 years ago

Actually, not sure why there's a hidden user_id input in the first place (introduced in [658]).

edit_comment() and wp_ajax_edit_comment() don't depend on it, and it appears to be unused.

See 30307.4.patch.

#10 @DrewAPicture
5 years ago

  • Keywords commit added
  • Priority changed from normal to high

It would be helpful to get the fix in for not changing the user_id on edit. We're running into this issue on the WP.org Code Reference right now with edited examples (comments).

Patch still applies.

#11 @SergeyBiryukov
5 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 31776:

Remove hidden user_id input from Edit Comment screen.

Since [31172], it caused the comment's user_id field to be unexpectedly changed to the user who edits the comment.

fixes #30307.

#12 @dllh
4 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

The hidden field also exists on the Quick Edit form. Patch to remove it forthcoming.

@dllh
4 years ago

Removes user_ID hidden field from quick edit form

#13 @SergeyBiryukov
4 years ago

Introduced in [8720], apparently as a copy/paste from edit-form-comment.php.

#14 @SergeyBiryukov
4 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 31999:

Remove hidden user_id input from wp_comment_reply().

Since [31172], it caused the comment's user_id field to be unexpectedly changed to the user who edits the comment.

See [31776] for Edit Comment screen.

props dllh.
fixes #30307.

#15 @DrewAPicture
4 years ago

  • Priority changed from high to normal
Note: See TracTickets for help on using tickets.