Opened 6 years ago
Closed 6 years ago
#47024 closed defect (bug) (fixed)
(Comments REST API) User with "moderate_comments" can't update/delete comments
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 5.3 | Priority: | normal |
Severity: | normal | Version: | 5.1.1 |
Component: | REST API | Keywords: | has-patch commit has-unit-tests |
Focuses: | rest-api | Cc: |
Description
Affected API: https://developer.wordpress.org/rest-api/reference/comments/#update-a-comment
Endpoints: POST /wp/v2/comments/<id> and DELETE /wp/v2/comments/<id>
Case: As a user with Contributor or Author role I'm not able to update/delete a comment that I previously added.
Due to a logical bug in the method check_edit_permission(), users without the moderate_comments capability aren't able to update or delete their own comments, as the part of the code which checks permission on an individual comment is never reached.
A patch correcting the above-mentioned part has been attached to the ticket.
Attachments (4)
Change History (18)
This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.
6 years ago
This ticket was mentioned in Slack in #core-restapi by kadamwhite. View the logs.
6 years ago
This ticket was mentioned in Slack in #core-comments by kadamwhite. View the logs.
6 years ago
This ticket was mentioned in Slack in #core-restapi by david.baumwald. View the logs.
6 years ago
#11
@
6 years ago
- Keywords commit added
- Owner set to kadamwhite
- Status changed from new to accepted
While it doesn't seem like the logic error here is strictly as-described in the original post, per the follow-up indicating the new comment to address the original described issue. However, this seems like a reasonable change to improve handling of comment editing for requests authenticated as moderator-level users.
In the absence of any active comments component maintainers I'm going to commit this for 5.3.
#12
@
6 years ago
- Keywords has-unit-tests added; needs-unit-tests removed
After implementing tests, I successfully demonstrated that the condition this patch changes did not previously permit any moderate_comments users (not just the post author) from editing an existing comment, despite several places in core comments code where we treat moderate_comments as synonymous with admin-level privileges. I've added a test to validate that a user with moderate_comments is permitted to do just that.
Looking a bit further, the edit_comment capability falls back to the edit_post cap, so users with lower roles are not allowed to update/delete their own comments at all... but that's a topic for another ticket about expanding permissions to comment authors in the edit_comment cap... Actually that's already reported in #41037
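
Added illustration, not part of the ticket and not WordPress core code: a stand-alone model of the permission check as the description and comments above characterise it, run over constructed users. The function names other than check_edit_permission, the user table, and the exact shape of the "before" and "after" conditions are assumptions made for this example.

```php
<?php
// Simplified model of the permission check discussed in this ticket.
// Not WordPress core code: the user table and function names are assumptions.

// Constructed sample users. 'edit_post' = may edit the post the comment belongs to.
$users = [
    'logged out'                  => ['id' => 0, 'moderate_comments' => false, 'edit_post' => false],
    'contributor, comment author' => ['id' => 5, 'moderate_comments' => false, 'edit_post' => false],
    'moderate_comments only'      => ['id' => 6, 'moderate_comments' => true,  'edit_post' => false],
    'editor'                      => ['id' => 7, 'moderate_comments' => true,  'edit_post' => true],
];

// Per-comment check: edit_comment is modelled as falling back to edit_post,
// as the last comment on the ticket describes.
function can_edit_comment(array $user): bool
{
    return $user['edit_post'];
}

// Before: moderate_comments is a required gate, then the per-comment check decides.
function check_edit_permission_before(array $user): bool
{
    if (0 === $user['id']) {
        return false;
    }
    if (!$user['moderate_comments']) {
        return false; // the per-comment check is never reached
    }
    return can_edit_comment($user);
}

// After: moderate_comments is sufficient; everyone else gets the per-comment check.
function check_edit_permission_after(array $user): bool
{
    if (0 === $user['id']) {
        return false;
    }
    if ($user['moderate_comments']) {
        return true;
    }
    return can_edit_comment($user);
}

foreach ($users as $label => $user) {
    printf(
        "%-28s before=%-5s after=%s\n",
        $label,
        check_edit_permission_before($user) ? 'allow' : 'deny',
        check_edit_permission_after($user) ? 'allow' : 'deny'
    );
}
```

In this model only the moderate_comments-only user changes from deny to allow; the comment author without edit_post stays denied in both versions, which is the case the last comment points to #41037 for.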