From 735fa34d429b3a2c19728c8977afd316ac19d37d Mon Sep 17 00:00:00 2001 From: Rachel Baker Date: Fri, 18 Nov 2016 16:56:30 +0000 Subject: [PATCH] REST API: On comment create, return an error if the `post` parameter does not relate to a valid WP_Post object. Return a `WP_Error` object for attempts to create a comment without an empty or invalid `post` ID. Props dd32, jnylen0, rachelbaker. Fixes #38816. Built from https://develop.svn.wordpress.org/trunk@39288 git-svn-id: http://core.svn.wordpress.org/trunk@39228 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- .../class-wp-rest-comments-controller.php | 33 ++++++++++--------- wp-includes/version.php | 2 +- 2 files changed, 19 insertions(+), 16 deletions(-) diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php index 61fb0442540..ccd172fbe52 100644 --- a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php +++ b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php @@ -385,26 +385,29 @@ public function create_item_permissions_check( $request ) { return new WP_Error( 'rest_comment_invalid_status', __( 'Sorry, you are not allowed to set status for comments.' ), array( 'status' => rest_authorization_required_code() ) ); } - if ( empty( $request['post'] ) && ! current_user_can( 'moderate_comments' ) ) { - return new WP_Error( 'rest_comment_invalid_post_id', __( 'Sorry, you are not allowed to create this comment without a post.' ), array( 'status' => rest_authorization_required_code() ) ); + if ( empty( $request['post'] ) ) { + return new WP_Error( 'rest_comment_invalid_post_id', __( 'Sorry, you are not allowed to create this comment without a post.' ), array( 'status' => 403 ) ); } - if ( ! empty( $request['post'] ) && $post = get_post( (int) $request['post'] ) ) { - if ( 'draft' === $post->post_status ) { - return new WP_Error( 'rest_comment_draft_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) ); - } + $post = get_post( (int) $request['post'] ); + if ( ! $post ) { + return new WP_Error( 'rest_comment_invalid_post_id', __( 'Sorry, you are not allowed to create this comment without a post.' ), array( 'status' => 403 ) ); + } - if ( 'trash' === $post->post_status ) { - return new WP_Error( 'rest_comment_trash_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) ); - } + if ( 'draft' === $post->post_status ) { + return new WP_Error( 'rest_comment_draft_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) ); + } - if ( ! $this->check_read_post_permission( $post ) ) { - return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) ); - } + if ( 'trash' === $post->post_status ) { + return new WP_Error( 'rest_comment_trash_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) ); + } - if ( ! comments_open( $post->ID ) ) { - return new WP_Error( 'rest_comment_closed', __( 'Sorry, comments are closed on this post.' ), array( 'status' => 403 ) ); - } + if ( ! $this->check_read_post_permission( $post ) ) { + return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) ); + } + + if ( ! comments_open( $post->ID ) ) { + return new WP_Error( 'rest_comment_closed', __( 'Sorry, comments are closed on this post.' ), array( 'status' => 403 ) ); } return true; diff --git a/wp-includes/version.php b/wp-includes/version.php index bcfc3dbee1d..18d4737f3d4 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.7-beta4-39287'; +$wp_version = '4.7-beta4-39288'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.