From 0087500d9ce210cba4c7ba20b3291703704e0821 Mon Sep 17 00:00:00 2001
From: Dion Hulse
Date: Mon, 12 Dec 2016 01:39:13 +0000
Subject: [PATCH] REST API: Treat any falsy value as `false` in 'rest_allow_anonymous_comments'. Extend the check in 'rest_allow_anonymous_comments' to accept any falsy value (previously this was an explicit check for `false`). One possible failure case is that a plugin developer forgets to include a return value for some code path in their callback for this filter, leading to a value of null which is currently treated like `true`. Props joehoyle, jnylen0. Merges [39487] to the 4.7 branch. Fixes #39010.
git-svn-id: https://develop.svn.wordpress.org/branches/4.7@39566 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../class-wp-rest-comments-controller.php | 2 +-
 .../rest-api/rest-comments-controller.php | 27 +++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
index 9d61294b58..94d75cf42a 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -392,7 +392,7 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 * response.
 */
 $allow_anonymous = apply_filters( 'rest_allow_anonymous_comments', false, $request );
- if ( false === $allow_anonymous ) {
+ if ( ! $allow_anonymous ) {
 return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) );
 }
 }
diff --git a/tests/phpunit/tests/rest-api/rest-comments-controller.php b/tests/phpunit/tests/rest-api/rest-comments-controller.php
index a103d21c5c..27e7e4e813 100644
--- a/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-comments-controller.php
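Review bot: The new `if ( ! $allow_anonymous )` check still fails open for any truthy non-boolean a callback might return by mistake, for example a `WP_Error` object or the string `'false'`, so anonymous commenting would be enabled without the site owner intending it. Since this filter gates an unauthenticated write, consider requiring an explicit opt-in with `if ( true !== $allow_anonymous ) {`, or, if loose truthiness must stay for compatibility, state it in the filter docblock: `Any truthy value allows anonymous comments; callbacks should return a strict boolean.` The enclosing method and the start of the docblock are outside this hunk, so the surrounding logged-in check could not be reviewed here.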
@@ -1749,6 +1749,33 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 $this->assertEquals( 400, $response->get_status() );
 }

+ public function anonymous_comments_callback_null() {
+ // I'm a plugin developer who forgot to include a return value for some
+ // code path in my 'rest_allow_anonymous_comments' filter.
+ }
+
+ public function test_allow_anonymous_comments_null() {
+ add_filter( 'rest_allow_anonymous_comments', array( $this, 'anonymous_comments_callback_null' ), 10, 2 );
+
+ $params = array(
+ 'post' => self::$post_id,
+ 'author_name' => 'Comic Book Guy',
+ 'author_email' => 'cbg@androidsdungeon.com',
+ 'author_url' => 'http://androidsdungeon.com',
+ 'content' => 'Worst Comment Ever!',
+ );
+
+ $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+ $request->add_header( 'content-type', 'application/json' );
+ $request->set_body( wp_json_encode( $params ) );
+
+ $response = $this->server->dispatch( $request );
+
+ remove_filter( 'rest_allow_anonymous_comments', array( $this, 'anonymous_comments_callback_null' ), 10, 2 );
+
+ $this->assertErrorResponse( 'rest_comment_login_required', $response, 401 );
+ }
+
 /**
 * @ticket 38477
 */
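Review bot: `test_allow_anonymous_comments_null` pins only the missing-return (`null`) case, so the other falsy values the relaxed check is meant to reject (`0`, `''`, `'0'`, an empty array) are not covered, and nothing asserts what a truthy non-boolean return does. A data provider feeding those return values through one callback would keep the contract of this authorization gate explicit. The test also appears to rely on no user being logged in when the request is dispatched; an explicit `wp_set_current_user( 0 );` at the top would make that precondition visible. Minor: `remove_filter()` has no accepted-args parameter, so the trailing `, 2` in the `remove_filter( ..., 10, 2 )` call is ignored and can be dropped.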