REST API: logic error in comments post ID
| Reported by: | dd32 | Owned by: | rachelbaker |
The REST API currently requires that a comment from a non-privileged user be added to a post which the user can read (i.e. not trashed, private, draft, etc.).
However, the checks miss a case where the user attempts to add a comment for a future post which does not yet exist (i.e. max_post_id + 1). This should be prevented, to prevent a comment being added to a not-yet-created post (which would then inherit it).
I'm not sure I understand the logic behind allowing comment creation for a non-existent post_id if the user has moderate_comments cap though.. that doesn't appear to be something which we would need to support.
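The check ordering described in this ticket, as an added example that is not part of the original report and is not WordPress's own code: a standalone PHP model that contrasts a readability check that only runs when the post lookup succeeds with one that rejects a missing post first. The post table, function names and the rule that only `publish` is readable are assumptions made for the illustration, and it models the non-privileged caller only.

```php
<?php
// Constructed in-memory post table (post ID => status); not real WordPress data.
$posts = [
    1 => 'publish',
    2 => 'draft',
    3 => 'trash',
];

// Hypothetical helper: statuses a non-privileged user may read (assumption).
function is_readable_status(string $status): bool {
    return $status === 'publish';
}

// Fail-open shape described in the ticket: the readability check only runs
// when the post lookup succeeds, so an unknown ID falls through to "allowed".
function can_comment_flawed(array $posts, int $post_id): bool {
    $status = $posts[$post_id] ?? null;
    if ($status !== null && !is_readable_status($status)) {
        return false;
    }
    return true;
}

// Fail-closed shape: a missing post is rejected before any other check.
function can_comment_hardened(array $posts, int $post_id): bool {
    if ($post_id <= 0 || !array_key_exists($post_id, $posts)) {
        return false;
    }
    return is_readable_status($posts[$post_id]);
}

// The "max_post_id + 1" case from the ticket: an ID no post has yet.
$next_id = max(array_keys($posts)) + 1;

foreach ([1, 2, 3, $next_id] as $id) {
    printf(
        "post %d (%s): flawed=%s hardened=%s\n",
        $id,
        $posts[$id] ?? 'does not exist',
        var_export(can_comment_flawed($posts, $id), true),
        var_export(can_comment_hardened($posts, $id), true)
    );
}
```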