Make WordPress Core

Opened 3 years ago

Last modified 3 years ago

#53008 new defect (bug)

Creating an anonymous comment with custom fields via REST API

Reported by: dawgawel
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.7
Component: REST API
Keywords:
Focuses: rest-api
Cc:

When the rest_allow_anonymous_comments filter is enabled, I'm able to successfully create anonymous comments via the REST API POST /comments method, without any authorization. Unfortunately, when trying to create a comment with a registered, non-protected meta field, I get a 401 error (details below). Even when auth_callback is forced to return true for that field, things don't change. I think that by default, when rest_allow_anonymous_comments is enabled, one should be able to create a comment with meta fields.

Field definition:

add_filter( 'rest_allow_anonymous_comments', '__return_true' );

register_meta( 'comment', 'twitter_handle', [
  'single'       => true,
  'type'         => 'string',
  'show_in_rest' => true,
] );

Request:

curl --request POST \
  --url '' \
  --header 'Content-Type: application/json' \
  --data '{
	"post": 1,
	"content": "Lorem ipsum",
	"author_name": "Dawid",
	"author_email": "",
	"meta": {
		"twitter_handle": "dmgawel"
	}
}'

Response:

{
  "code": "rest_cannot_update",
  "message": "Sorry, you are not allowed to edit the twitter_handle custom field.",
  "data": {
    "key": "twitter_handle",
    "status": 401
  }
}

I got the same response for the following meta field definition:

add_filter( 'rest_allow_anonymous_comments', '__return_true' );

register_meta( 'comment', 'twitter_handle', [
  'single'        => true,
  'type'          => 'string',
  'show_in_rest'  => true,
  'auth_callback' => function () { return true; },
] );

Change History (2)

#1 @TimothyBlynJacobs
3 years ago

  • Version changed from 5.7 to 4.7

Thanks for the ticket @dawgawel and welcome to trac!

The issue is that the auth_callback for a meta key is applied on top of verifying that the user has access to edit the object itself,

I don't think we could really change this without opening up security issues. Instead, I'd recommend using register_rest_field, which will allow you to use any updating logic you'd like.
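
Taking up the register_rest_field suggestion, the following is an added example (not code from the ticket or from WordPress core) of a comment field with its own read and update logic. The field name twitter_handle comes from the ticket; the handle format rule and the write-once policy for anonymous callers are assumptions.

```php
<?php
// Added example, not code from the ticket or WordPress core: expose the
// twitter_handle comment meta via register_rest_field so anonymous comment
// creation can set it without the meta auth_callback path that returned 401.
// The handle format rule and the write-once policy below are assumptions.
add_action( 'rest_api_init', function () {
    // Optional leading "@", then 1-15 characters of [A-Za-z0-9_].
    $handle_re = '/^@?([A-Za-z0-9_]{1,15})$/';

    register_rest_field( 'comment', 'twitter_handle', [
        'get_callback'    => function ( array $comment ) {
            // $comment is the prepared response array; 'id' is the comment ID.
            return (string) get_comment_meta( $comment['id'], 'twitter_handle', true );
        },
        'update_callback' => function ( $value, WP_Comment $comment ) use ( $handle_re ) {
            // Reached on POST /wp/v2/comments (creation, possibly anonymous) and on
            // updates, where core has already required the edit_comment capability.
            // Assumed policy: anonymous callers may set the handle once at creation;
            // changing an existing value requires edit_comment.
            $existing = get_comment_meta( $comment->comment_ID, 'twitter_handle', true );
            if ( '' !== $existing && ! current_user_can( 'edit_comment', $comment->comment_ID ) ) {
                return new WP_Error(
                    'rest_cannot_update',
                    'Sorry, you are not allowed to change the twitter_handle field.',
                    [ 'status' => rest_authorization_required_code() ]
                );
            }
            // Re-check here too: never rely on validation having run upstream.
            if ( ! is_string( $value ) || ! preg_match( $handle_re, $value, $m ) ) {
                return new WP_Error( 'rest_invalid_param', 'Invalid twitter_handle.', [ 'status' => 400 ] );
            }
            update_comment_meta( $comment->comment_ID, 'twitter_handle', $m[1] ); // stored without "@"
            return true;
        },
        'schema' => [
            'description' => 'Twitter handle of the comment author.',
            'type'        => 'string',
            'context'     => [ 'view', 'edit', 'embed' ],
            // Validate at request-parsing time so a bad handle is rejected before
            // the comment row is inserted (update_callback runs after insertion).
            'arg_options' => [
                'validate_callback' => function ( $value ) use ( $handle_re ) {
                    return is_string( $value ) && 1 === preg_match( $handle_re, $value );
                },
            ],
        ],
    ] );
} );
```

Because the meta key is no longer registered with show_in_rest, the core meta permission check that produced the 401 is not involved; the create permission check (and the rest_allow_anonymous_comments filter) still applies as before.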

#2 @dawgawel
3 years ago

Hi @TimothyBlynJacobs, thanks for a quick response :)

While I still think that permission for creating comments with meta, when rest_allow_anonymous_comments is enabled, is a more intuitive behavior, I totally understand that the underlying architecture may not allow such an implementation or may make it complicated/insecure.

I'll implement creation logic with register_rest_field then. Thank you.

You can close the ticket (I'm not sure which resolution status you'd like to select).
