Opened 5 months ago

Closed 4 months ago

#38692 closed defect (bug) (fixed)

REST API: Add support for comments of password-protected posts

Reported by: jnylen0
Owned by: joehoyle
Milestone: 4.7
Priority: normal
Severity: normal
Version: 4.7
Component: REST API
Keywords: has-patch has-unit-tests
Focuses:
Cc:

Description

Migrated from https://github.com/WP-API/WP-API/issues/2791. Current status from @rachelbaker:


The Comments Controller does not have a password param to support viewing/editing/creating/deleting comments on password protected posts. Attempting to interact with a comment on a password protected post returns a WP_Error because without the proper post password the permission checks fail.

Action items:

  • Add the password param to allow users to pass the password for the related Post to a Comment.
  • Modify our permission checks to support handling the password param
  • Add unit tests

I think this parameter should be called post_password and we should try to get this into 4.7 for consistency and completeness. Arguable whether this is a bug, but it's unexpected behavior to me.

Attachments (2)

38692.diff (6.2 KB) - added by flixos90 4 months ago.
38692.2.diff (8.0 KB) - added by flixos90 4 months ago.

Change History (10)

#1 @jnylen0
5 months ago

  • Keywords needs-patch added

This ticket was mentioned in Slack in #core-restapi by joehoyle. View the logs.


4 months ago

This ticket was mentioned in Slack in #core by helen. View the logs.


4 months ago

@flixos90
4 months ago

#4 @flixos90
4 months ago

  • Keywords has-patch needs-unit-tests added; needs-patch removed

38692.diff allows reading comments of password-protected posts when passing the correct password parameter with the request. It works by making the WP_REST_Posts_Controller::can_access_password_content() method public and calling it from WP_REST_Comments_Controller::check_read_post_permission(). In order for it to work, the $request object is passed to that method.

Thoughts / questions:

  • The password check is also applied when querying for multiple comments. Should we deal with passing multiple passwords? At the moment you can only pass that parameter once, so it won't be possible to query comments of multiple password-protected posts. My personal thought is that, since this is rather edge-case, let's not handle it for now and maybe open an enhancement ticket at some point as necessary.
  • Should the parent post check be built into WP_REST_Comments_Controller::check_edit_permission() as well? I don't think this makes sense since I don't see how someone that can edit the comment wouldn't be able to read the password-protected post. Correct me if I'm wrong.

@flixos90
4 months ago

#5 @flixos90
4 months ago

  • Keywords has-unit-tests added; needs-unit-tests removed

38692.2.diff adds unit tests for the changes.

#6 @jnylen0
4 months ago

  • Milestone changed from Awaiting Review to 4.7
  • "Should we deal with passing multiple passwords?" Probably not, neither core nor the API supports this for listing posts.
  • Based on the logic in the posts controller ("Edit context always gets access to password-protected posts") we should be fine here.

This ticket was mentioned in Slack in #core-restapi by helen. View the logs.


4 months ago

#8 @joehoyle
4 months ago

  • Owner set to joehoyle
  • Resolution set to fixed
  • Status changed from new to closed

In 39349:

REST API: Add support for comments of password-protected posts.

Core requires the post password to view and create comments on password protected posts, so we must support a “password” param on the comments endpoint when fetching comments for a specific post and creating a comment on a password protected post.

Props flixos90, jnylen0.
Fixes #38692.
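
The parent-post password check discussed in this ticket, as a simplified stand-alone PHP model added here (it is not the code from 38692.diff or from WordPress core). The function names, array shapes and sample posts are hypothetical, and the constant-time comparison is this example's choice; the second function shows the collection case raised in comment #4, where a single password parameter is applied to every parent post.

```php
<?php
// Simplified model of the check; posts and requests are plain arrays
// constructed for this example, not WP_Post / WP_REST_Request objects.

/** Hypothetical helper: may this request read comments attached to $post? */
function example_can_read_post_comments( array $post, array $request ): bool {
    // Parent post has no password: nothing to check at this layer.
    if ( '' === $post['post_password'] ) {
        return true;
    }
    // Posts controller logic quoted in the ticket: edit context always gets
    // access (assumption: the edit capability was verified separately).
    if ( 'edit' === ( $request['context'] ?? 'view' ) ) {
        return true;
    }
    // Missing, empty or non-string password: deny.
    $supplied = $request['password'] ?? '';
    if ( ! is_string( $supplied ) || '' === $supplied ) {
        return false;
    }
    // Constant-time comparison so timing does not leak how much matched.
    return hash_equals( $post['post_password'], $supplied );
}

/** Collection case: the one password parameter is tested against each parent post. */
function example_filter_readable_comments( array $comments, array $posts, array $request ): array {
    return array_values( array_filter(
        $comments,
        function ( array $comment ) use ( $posts, $request ): bool {
            $post = $posts[ $comment['post'] ] ?? null;
            // Unknown parent post: fail closed.
            return null !== $post && example_can_read_post_comments( $post, $request );
        }
    ) );
}

// Constructed sample data: one public post, two with different passwords.
$posts = array(
    10 => array( 'post_password' => '' ),
    11 => array( 'post_password' => 'alpha' ),
    12 => array( 'post_password' => 'beta' ),
);
$comments = array(
    array( 'id' => 1, 'post' => 10 ),
    array( 'id' => 2, 'post' => 11 ),
    array( 'id' => 3, 'post' => 12 ),
);

// Comments on post 12 stay hidden: its password differs from the one supplied.
$visible = example_filter_readable_comments( $comments, $posts, array( 'password' => 'alpha' ) );
echo implode( ',', array_column( $visible, 'id' ) ), PHP_EOL;
```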
