Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#47024 closed defect (bug) (fixed)

(Comments REST API) User with "moderate_comments" can't update/delete comments

Reported by: meloniq
Owned by: kadamwhite
Milestone: 5.3
Priority: normal
Severity: normal
Version: 5.1.1
Component: REST API
Keywords: has-patch commit has-unit-tests
Focuses: rest-api
Cc:

Description

Affected API: https://developer.wordpress.org/rest-api/reference/comments/#update-a-comment

Endpoints: POST /wp/v2/comments/<id> and DELETE /wp/v2/comments/<id>

Case: As a user with Contributor or Author role I'm not able to update/delete a comment that I previously added.

Due to a logical bug in the method check_edit_permission(), users without the moderate_comments capability aren't able to update or delete their own comments, as the part of the code which checks permission on the individual comment is never reached.

A patch correcting the part mentioned above has been attached to the ticket.

Attachments (4)

47024.diff (665 bytes) - added by meloniq 4 years ago.
47024.2.diff (2.7 KB) - added by kadamwhite 4 years ago.
Add basic unit tests to try to validate issue
47024.3.diff (3.6 KB) - added by kadamwhite 4 years ago.
Adjust new tests to correctly test the condition being changed
47024.4.diff (3.6 KB) - added by kadamwhite 4 years ago.
phpcbf


Change History (18)

@meloniq
4 years ago

#1 @SergeyBiryukov
4 years ago

  • Keywords needs-unit-tests added
  • Milestone changed from Awaiting Review to 5.3

#2 @meloniq
4 years ago

Looking a bit farther, the edit_comment capability falls back to the edit_post cap, so users with lower roles are not allowed to update/delete their own comments at all... but that's a topic for another ticket, expanding permissions to comment authors in the edit_comment cap... Actually, that's already reported in #41037

This ticket was mentioned in Slack in #core-restapi by timothybjacobs.
4 years ago

This ticket was mentioned in Slack in #core-restapi by timothybjacobs.
4 years ago

This ticket was mentioned in Slack in #core-restapi by kadamwhite.
4 years ago

This ticket was mentioned in Slack in #core-restapi by kadamwhite.
4 years ago

This ticket was mentioned in Slack in #core-comments by kadamwhite.
4 years ago

This ticket was mentioned in Slack in #core-restapi by timothybjacobs.
4 years ago

This ticket was mentioned in Slack in #core-restapi by kadamwhite.
4 years ago

This ticket was mentioned in Slack in #core-restapi by david.baumwald.
4 years ago

#11 @kadamwhite
4 years ago

  • Keywords commit added
  • Owner set to kadamwhite
  • Status changed from new to accepted

While it doesn't seem like the logic error here is strictly as described in the original post (per the follow-up indicating the new comment to address the originally described issue), this seems like a reasonable change to improve handling of comment editing for requests authenticated as moderator-level users.

In the absence of any active comments component maintainers I'm going to commit this for 5.3.

@kadamwhite
4 years ago

Add basic unit tests to try to validate issue

@kadamwhite
4 years ago

Adjust new tests to correctly test the condition being changed

@kadamwhite
4 years ago

phpcbf

#12 @kadamwhite
4 years ago

  • Keywords has-unit-tests added; needs-unit-tests removed

After implementing tests, I successfully demonstrated that the condition this patch changes did not previously permit any moderate_comments users (not just the post author) to edit an existing comment, despite several places in core comments code where we treat moderate_comments as synonymous with admin-level privileges. I've added a test to validate that a user with moderate_comments is permitted to do just that.
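The gate described in the ticket description and in comment #12, as an added stand-alone illustration that is not the ticket's patch or WordPress's own code: the pre-fix ordering is a reconstruction of what the reporter describes (the per-comment check is unreachable without moderate_comments), the post-fix ordering short-circuits moderators to true and lets everyone else fall through to the per-comment check. The `$caps` map and the sample users are constructed for the demo; the real controller calls current_user_can() instead.

```php
<?php
// Added illustration of the two orderings of the permission gate in
// check_edit_permission(); $caps is a constructed capability map for the
// current user, standing in for WordPress's current_user_can().

// Reconstruction of the pre-fix ordering as described in the ticket:
// anyone lacking moderate_comments is rejected before the per-comment
// edit_comment check is ever evaluated.
function check_edit_permission_before( array $caps ): bool {
    if ( empty( $caps['logged_in'] ) ) {
        return false;                      // anonymous requests are rejected
    }
    if ( empty( $caps['moderate_comments'] ) ) {
        return false;                      // gate: the line below is unreachable here
    }
    return ! empty( $caps['edit_comment'] ); // only moderators get this far
}

// Ordering after the fix: moderate_comments is sufficient on its own, and
// everyone else is judged by the per-comment edit_comment capability.
function check_edit_permission_after( array $caps ): bool {
    if ( empty( $caps['logged_in'] ) ) {
        return false;
    }
    if ( ! empty( $caps['moderate_comments'] ) ) {
        return true;
    }
    return ! empty( $caps['edit_comment'] );
}

// Constructed sample users. The moderator lacks edit_comment on this comment
// (edit_comment falls back to edit_post on the parent post, see comment #2),
// which is exactly the case comment #12 found was wrongly rejected.
$users = [
    'anonymous'   => [ 'logged_in' => false ],
    'moderator'   => [ 'logged_in' => true, 'moderate_comments' => true,  'edit_comment' => false ],
    'contributor' => [ 'logged_in' => true, 'moderate_comments' => false, 'edit_comment' => true ],
];

foreach ( $users as $name => $caps ) {
    printf(
        "%-12s before=%-5s after=%s\n",
        $name,
        var_export( check_edit_permission_before( $caps ), true ),
        var_export( check_edit_permission_after( $caps ), true )
    );
}
```

Running it shows both the moderator and the contributor rejected by the pre-fix ordering and permitted by the post-fix one, while the anonymous request stays rejected in both.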

#13 @kadamwhite
4 years ago

  • Summary changed from (Comments REST API) Contributor can't update/delete own comment to (Comments REST API) User with "moderate_comments" can't update/delete comments

Editing title for better disambiguation from #41037

#14 @kadamwhite
4 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 46433:

REST API: Ensure users with "moderate_comments" capability may edit comments.

Props meloniq.
Fixes #47024.
