REST API: Limit what users can set `author_ip` in the Comments endpoint
|Reported by:||dd32||Owned by:||rachelbaker|
The Comments endpoint currently requires the caller to set the author_ip field, including for unauthed anonymous comments.
The API should not allow an anonymous user to set the IP address of the comment.
Furthermore, the documentation suggests that the default IP of 127.0.0.1 will be used if not presented - This should default to $_SERVER['REMOTE_ADDR'] instead, and only authorized users should be able to override that.
I personally do not believe any cap should be able to override the field, and that it should be hard-coded to always use REMOTE_ADDR unless a plugin allows otherwise (or REMOTE_ADDR is unavailable in the environment), however, in following with the other API designs in the endpoint, it would make sense to limit it to users with the moderate_comments cap.
The attached patch is a movement towards this, but fails as I couldn't see how to make the defaults play nicely together with the cap check. Further checks probably are needed to prevent the field being edited as well.