Opened 8 years ago
Closed 8 years ago
#38816 closed defect (bug) (fixed)
REST API: logic error in comments post ID
Reported by: | dd32 | Owned by: | rachelbaker |
---|---|---|---|
Milestone: | 4.7 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Comments | Keywords: | has-patch needs-unit-tests |
Focuses: | rest-api | Cc: |
Description
The rest API currently requires that a comment from a non-privileged user be added to a post which the user can read (ie. not trashed, private, draft, etc).
However the checks miss a case where the user attempts to add a comment for a future post which does not yet exist (ie. max_post_id + 1). This should be prevented, to prevent a comment being added to a not-yet-created post (which would then inherit it).
I'm not sure I understand the logic behind allowing comment creation for a non-existent post_id if the user has moderate_comments
cap though.. that doesn't appear to be something which we would need to support.
Attachments (3)
Change History (14)
#2
@
8 years ago
I don't think this is a permissions issue, so it shouldn't be addressed in the permission_callback
It can go both ways, the user doesn't have permission to add a comment to something that doesn't exist, but the user also should not be able to add a post to something that doesn't exist.
I'd err on the side of permissions myself.
#3
@
8 years ago
38816.2.diff is possibly a more logical permissions-based patch.
#4
@
8 years ago
Looks fine to me (I guess where the check lives doesn't matter as long as we are not sending a 401 for this).
#5
@
8 years ago
I'm not sure I understand the logic behind allowing comment creation for a non-existent post_id if the user has moderate_comments cap though
@jnylen0 @dd32 We support this with the REST API because wp_insert_comment()
supports adding comments without an attached post_ID - and our endpoints are intended to mirror the underlying WordPress API functions. I am open to changing the cap check here, if you have other ideas.
#6
@
8 years ago
We support this with the REST API because wp_insert_comment() supports adding comments without an attached post_ID - and our endpoints are intended to mirror the underlying WordPress API functions.
Yeah, I strongly disagree with that on this count at least. Even though the underlying API allows it, doesn't mean it should be possible. Some things just shouldn't be done through a generic endpoint, if a plugin wanted the ability to create those for some reason, why should it not have to add it's own endpoint for that specific use-case?
I also dislike the moderate_comments
cap being re-used for things that it doesn't represent - It represents the ability to moderate comments.. it doesn't mean that the user is a higher privileged user who can create special content (AFAIK)
#7
follow-up:
↓ 8
@
8 years ago
our endpoints are intended to mirror the underlying WordPress API functions
I think this is worth discussing a bit more.
wp_insert_comment
doesn't call wp_filter_comment
(or wp_slash
), which we definitely need to do, so this is one fairly obvious way the API needs to be more restrictive than the underlying functions.
There are important validation checks for users that are not performed in wp_insert_user
(#38739). We shouldn't skip those either.
I think we need to be really careful about exposing totally new functionality (in terms of "things an end user can do") via the API. If we're thinking about allowing something new, these seem like good questions to ask:
- Is this going to break anything?
- Is this a valuable feature?
- Do we have time to think through questions 1 and 2 properly?
Creating comments with a post_id of 0 might enable interesting ways to store data within WP. I don't know if it would break things beyond what has already been discussed in this ticket.
Similarly, comment karma (#38821) might enable themes to sort/rank comments in interesting new ways. But allowing clients to set the karma value to any integer probably isn't the right way to go there.
#8
in reply to:
↑ 7
;
follow-up:
↓ 9
@
8 years ago
Replying to jnylen0:
wp_insert_comment
doesn't callwp_filter_comment
(orwp_slash
), which we definitely need to do, so this is one fairly obvious way the API needs to be more restrictive than the underlying functions.
There are important validation checks for users that are not performed in
wp_insert_user
(#38739). We shouldn't skip those either.
Do these needed changes have tickets yet?
#9
in reply to:
↑ 8
@
8 years ago
Replying to rachelbaker:
Do these needed changes have tickets yet?
Yes, both of those are fixed (comments in #38704; users in #38739). I brought them up as specific examples where we shouldn't mirror the underlying WP functions, rather we should mirror the existing functionality instead.
This is closely related to #38700. Currently, creating a comment with an invalid post ID fails. However, when updating a comment, this is caught in
wp_update_comment
which leads to a 500 error.I agree, we shouldn't support this either.
I don't think this is a permissions issue, so it shouldn't be addressed in the
permission_callback
. 38700.5.diff fixes this for comment updates, and we should add this check increate_item
also.Finally I think 404 is a better status code here.