Make WordPress Core

Opened 3 months ago

Last modified 4 weeks ago

#47024 new defect (bug)

(Comments REST API) Contributor can't update/delete own comment

Reported by: meloniq Owned by:
Milestone: 5.3 Priority: normal
Severity: normal Version: 5.1.1
Component: REST API Keywords: has-patch needs-unit-tests
Focuses: rest-api Cc:


Affected API: https://developer.wordpress.org/rest-api/reference/comments/#update-a-comment

Endpoints: POST /wp/v2/comments/<id> and DELETE /wp/v2/comments/<id>

Case: As a user with Contributor or Author role I'm not able to update/delete a comment that I previously added.

Due to a logical bug in the method check_edit_permission(), a users without the moderate_comments capability aren't able to update or delete own comments as the part of code which checks permission on individual comment is never reached.

Patch correcting mentioned above part has been attached to the ticket.

Attachments (1)

47024.diff (665 bytes) - added by meloniq 3 months ago.

Download all attachments as: .zip

Change History (4)

3 months ago

#1 @SergeyBiryukov
3 months ago

  • Keywords needs-unit-tests added
  • Milestone changed from Awaiting Review to 5.3

#2 @meloniq
3 months ago

Looking a bit more farther, the edit_comment capability fallbacks to edit_post cap, so users with lower roles are not allowed to update/delete own comments at all... but that's an topic for another ticket with expanding permissions to comment authors in the edit_comment cap... Actually that's already reported in #41037

This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.

4 weeks ago

Note: See TracTickets for help on using tickets.