WordPress.org

Make WordPress Core

Opened 4 months ago

Closed 4 months ago

#38816 closed defect (bug) (fixed)

REST API: logic error in comments post ID

Reported by: dd32 Owned by: rachelbaker
Milestone: 4.7 Priority: normal
Severity: normal Version:
Component: Comments Keywords: has-patch needs-unit-tests
Focuses: rest-api Cc:

Description

The rest API currently requires that a comment from a non-privileged user be added to a post which the user can read (ie. not trashed, private, draft, etc).

However the checks miss a case where the user attempts to add a comment for a future post which does not yet exist (ie. max_post_id + 1). This should be prevented, to prevent a comment being added to a not-yet-created post (which would then inherit it).

I'm not sure I understand the logic behind allowing comment creation for a non-existent post_id if the user has moderate_comments cap though.. that doesn't appear to be something which we would need to support.

Attachments (3)

38816.diff (2.4 KB) - added by dd32 4 months ago.
38816.2.diff (3.0 KB) - added by dd32 4 months ago.
38816.3.diff (1.4 KB) - added by rachelbaker 4 months ago.
restores the ability to create a comment with a post_id of 0

Download all attachments as: .zip

Change History (14)

@dd32
4 months ago

#1 @jnylen0
4 months ago

  • Keywords needs-unit-tests added

This is closely related to #38700. Currently, creating a comment with an invalid post ID fails. However, when updating a comment, this is caught in wp_update_comment which leads to a 500 error.

I'm not sure I understand the logic behind allowing comment creation for a non-existent post_id if the user has moderate_comments cap though

I agree, we shouldn't support this either.

I don't think this is a permissions issue, so it shouldn't be addressed in the permission_callback. 38700.5.diff fixes this for comment updates, and we should add this check in create_item also.

Finally I think 404 is a better status code here.

#2 @dd32
4 months ago

I don't think this is a permissions issue, so it shouldn't be addressed in the permission_callback

It can go both ways, the user doesn't have permission to add a comment to something that doesn't exist, but the user also should not be able to add a post to something that doesn't exist.

I'd err on the side of permissions myself.

@dd32
4 months ago

#3 @dd32
4 months ago

38816.2.diff is possibly a more logical permissions-based patch.

#4 @jnylen0
4 months ago

Looks fine to me (I guess where the check lives doesn't matter as long as we are not sending a 401 for this).

#5 @rachelbaker
4 months ago

I'm not sure I understand the logic behind allowing comment creation for a non-existent post_id if the user has moderate_comments cap though

@jnylen0 @dd32 We support this with the REST API because wp_insert_comment() supports adding comments without an attached post_ID - and our endpoints are intended to mirror the underlying WordPress API functions. I am open to changing the cap check here, if you have other ideas.

@rachelbaker
4 months ago

restores the ability to create a comment with a post_id of 0

#6 @dd32
4 months ago

We support this with the REST API because wp_insert_comment() supports adding comments without an attached post_ID - and our endpoints are intended to mirror the underlying WordPress API functions.

Yeah, I strongly disagree with that on this count at least. Even though the underlying API allows it, doesn't mean it should be possible. Some things just shouldn't be done through a generic endpoint, if a plugin wanted the ability to create those for some reason, why should it not have to add it's own endpoint for that specific use-case?

I also dislike the moderate_comments cap being re-used for things that it doesn't represent - It represents the ability to moderate comments.. it doesn't mean that the user is a higher privileged user who can create special content (AFAIK)

#7 follow-up: @jnylen0
4 months ago

our endpoints are intended to mirror the underlying WordPress API functions

I think this is worth discussing a bit more.

wp_insert_comment doesn't call wp_filter_comment (or wp_slash), which we definitely need to do, so this is one fairly obvious way the API needs to be more restrictive than the underlying functions.

There are important validation checks for users that are not performed in wp_insert_user (#38739). We shouldn't skip those either.

I think we need to be really careful about exposing totally new functionality (in terms of "things an end user can do") via the API. If we're thinking about allowing something new, these seem like good questions to ask:

  1. Is this going to break anything?
  2. Is this a valuable feature?
  3. Do we have time to think through questions 1 and 2 properly?

Creating comments with a post_id of 0 might enable interesting ways to store data within WP. I don't know if it would break things beyond what has already been discussed in this ticket.

Similarly, comment karma (#38821) might enable themes to sort/rank comments in interesting new ways. But allowing clients to set the karma value to any integer probably isn't the right way to go there.

#8 in reply to: ↑ 7 ; follow-up: @rachelbaker
4 months ago

Replying to jnylen0:

wp_insert_comment doesn't call wp_filter_comment (or wp_slash), which we definitely need to do, so this is one fairly obvious way the API needs to be more restrictive than the underlying functions.

There are important validation checks for users that are not performed in wp_insert_user (#38739). We shouldn't skip those either.

Do these needed changes have tickets yet?

#9 in reply to: ↑ 8 @jnylen0
4 months ago

Replying to rachelbaker:

Do these needed changes have tickets yet?

Yes, both of those are fixed (comments in #38704; users in #38739). I brought them up as specific examples where we shouldn't mirror the underlying WP functions, rather we should mirror the existing functionality instead.

#10 @rachelbaker
4 months ago

  • Owner set to rachelbaker
  • Status changed from new to reviewing

#11 @rachelbaker
4 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 39288:

REST API: On comment create, return an error if the post parameter does not relate to a valid WP_Post object.

Return a WP_Error object for attempts to create a comment without an empty or invalid post ID.

Props dd32, jnylen0, rachelbaker.
Fixes #38816.

Note: See TracTickets for help on using tickets.