From 4b275bf861d0b4f322c0542e3384a70058b1b74a Mon Sep 17 00:00:00 2001
From: Ryan McCue
Date: Mon, 21 Nov 2016 05:31:07 +0000
Subject: [PATCH] REST API: Disable anonymous commenting by default.
Adding a brand new anonymous comment method is a potential conduit for spam. Since it's still useful functionality, we're now hiding it behind a filter to allow plugins and themes to turn it on if they do want it.
Props helen, rachelbaker, joehoyle. Fixes #38855.
git-svn-id: https://develop.svn.wordpress.org/trunk@39327 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../class-wp-rest-comments-controller.php | 22 ++++++++-
 .../rest-api/rest-comments-controller.php | 45 +++++++++++--------
 2 files changed, 46 insertions(+), 21 deletions(-)
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
index 9071697f9a..0ddd023605 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -366,9 +366,27 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 * @return WP_Error|bool True if the request has access to create items, error object otherwise.
 */
 public function create_item_permissions_check( $request ) {
+ if ( ! is_user_logged_in() ) {
+ if ( get_option( 'comment_registration' ) ) {
+ return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) );
+ }
- if ( ! is_user_logged_in() && get_option( 'comment_registration' ) ) {
- return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) );
+ /**
+ * Filter whether comments can be created without authentication.
+ *
+ * Enables creating comments for anonymous users.
+ *
+ * @since 4.7.0
+ *
+ * @param bool $allow_anonymous Whether to allow anonymous comments to
+ * be created. Default `false`.
+ * @param WP_REST_Request $request Request used to generate the
+ * response.
+ */
+ $allow_anonymous = apply_filters( 'rest_allow_anonymous_comments', false, $request );
+ if ( false === $allow_anonymous ) {
+ return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) );
+ }
 }
 // Limit who can set comment `author`, `author_ip` or `status` to anything other than the default.
diff --git a/tests/phpunit/tests/rest-api/rest-comments-controller.php b/tests/phpunit/tests/rest-api/rest-comments-controller.php
index fbc414155a..72be605a8e 100644
--- a/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-comments-controller.php
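Review bot: `if ( false === $allow_anonymous )` in create_item_permissions_check fails open for any filter return that is not exactly `false`: a callback that returns `null` (for example by forgetting to return the value it received), `0`, `''` or an empty array would enable unauthenticated comment creation. Since the commit's intent is closed-by-default, the guard should be truthiness-based, mirroring the `get_option( 'comment_registration' )` check directly above it: `if ( ! $allow_anonymous ) {`. The filter docblock could also state that the filter is only consulted when `comment_registration` is off, which is what the nesting enforces but the text does not say. create_item_permissions_check continues outside the hunk, so the author/author_ip/status restrictions that now apply to the reachable anonymous path are not visible here.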
@@ -800,7 +800,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 }
 public function test_get_comment_not_approved_same_user() {
- wp_set_current_user( self::$subscriber_id );
+ wp_set_current_user( self::$admin_id );
 $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/comments/%d', self::$hold_id ) );
@@ -842,7 +842,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 }
 public function test_get_comment_with_password_without_edit_post_permission() {
- wp_set_current_user( 0 );
+ wp_set_current_user( self::$subscriber_id );
 $args = array(
 'comment_approved' => 1,
 'comment_post_ID' => self::$password_id,
@@ -850,11 +850,11 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 $password_comment = $this->factory->comment->create( $args );
 $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/comments/%s', $password_comment ) );
 $response = $this->server->dispatch( $request );
- $this->assertErrorResponse( 'rest_cannot_read', $response, 401 );
+ $this->assertErrorResponse( 'rest_cannot_read', $response, 403 );
 }
 public function test_create_item() {
- wp_set_current_user( 0 );
+ wp_set_current_user( self::$admin_id );
 $params = array(
 'post' => self::$post_id,
@@ -873,14 +873,14 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 $this->assertEquals( 201, $response->get_status() );
 $data = $response->get_data();
- $this->check_comment_data( $data, 'view', $response->get_links() );
+ $this->check_comment_data( $data, 'edit', $response->get_links() );
 $this->assertEquals( 'hold', $data['status'] );
 $this->assertEquals( '2014-11-07T10:14:25', $data['date'] );
 $this->assertEquals( self::$post_id, $data['post'] );
 }
 public function test_create_item_using_accepted_content_raw_value() {
- wp_set_current_user( 0 );
+ wp_set_current_user( self::$admin_id );
 $params = array(
 'post' => self::$post_id,
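Review bot: test_get_comment_with_password_without_edit_post_permission switches from an unauthenticated request expecting 401 to a subscriber expecting 403 instead of keeping both cases, so the unauthenticated read of a comment on a password-protected post is no longer asserted in this hunk. The create tests on the same line (test_create_item, test_create_item_using_accepted_content_raw_value) moving to `self::$admin_id` is consistent with the new closed-by-default behaviour, but the read path is not touched by this commit, so dropping the 401 case there looks incidental rather than intended. Keeping the original body with `wp_set_current_user( 0 );` and `$this->assertErrorResponse( 'rest_cannot_read', $response, 401 );` as a separate test alongside the new subscriber variant would preserve that coverage.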
@@ -905,6 +905,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 }
 public function test_create_comment_missing_required_author_name_and_email_per_option_value() {
+ add_filter( 'rest_allow_anonymous_comments', '__return_true' );
 update_option( 'require_name_email', 1 );
 $params = array(
@@ -917,12 +918,14 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 $request->set_body( wp_json_encode( $params ) );
 $response = $this->server->dispatch( $request );
+ $this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );
 update_option( 'require_name_email', 0 );
 }
 public function test_create_comment_missing_required_author_name_per_option_value() {
+ wp_set_current_user( self::$admin_id );
 update_option( 'require_name_email', 1 );
 $params = array(
@@ -942,6 +945,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 }
 public function test_create_comment_missing_required_author_email_per_option_value() {
+ wp_set_current_user( self::$admin_id );
 update_option( 'require_name_email', 1 );
 $params = array(
@@ -961,7 +965,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 }
 public function test_create_comment_author_email_too_short() {
- wp_set_current_user( 0 );
+ wp_set_current_user( self::$admin_id );
 $params = array(
 'post' => self::$post_id,
@@ -982,7 +986,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 }
 public function test_create_item_invalid_no_content() {
- wp_set_current_user( 0 );
+ wp_set_current_user( self::$admin_id );
 $params = array(
 'post' => self::$post_id,
@@ -1005,7 +1009,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 }
 public function test_create_item_invalid_date() {
- wp_set_current_user( 0 );
+ wp_set_current_user( self::$admin_id );
 $params = array(
 'post' => self::$post_id,
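Review bot: In test_create_comment_missing_required_author_name_and_email_per_option_value the added `$this->assertErrorResponse( 'rest_comment_author_data_required', $response, 400 );` runs before `update_option( 'require_name_email', 0 );`, so a failing assertion skips the reset and, unless the test framework rolls back options between tests (not visible here), leaves `require_name_email` enabled for the tests that follow. The same test adds the anonymous-comments filter without an explicit `wp_set_current_user( 0 );`, so its unauthenticated precondition depends on whatever user an earlier test left set, whereas the two sibling tests in this hunk set `self::$admin_id` explicitly. Placing the option reset before the assertion (the response is already captured at that point) and adding `wp_set_current_user( 0 );` next to the `add_filter` call would make the test self-contained.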
@@ -1349,6 +1353,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 }
 public function test_create_comment_author_ip_no_permission() {
+ wp_set_current_user( self::$subscriber_id );
 $params = array(
 'author_name' => 'Comic Book Guy',
 'author_email' => 'cbg@androidsdungeon.com',
@@ -1361,10 +1366,11 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 $request->add_header( 'content-type', 'application/json' );
 $request->set_body( wp_json_encode( $params ) );
 $response = $this->server->dispatch( $request );
- $this->assertErrorResponse( 'rest_comment_invalid_author_ip', $response, 401 );
+ $this->assertErrorResponse( 'rest_comment_invalid_author_ip', $response, 403 );
 }
 public function test_create_comment_author_ip_defaults_to_remote_addr() {
+ wp_set_current_user( self::$admin_id );
 $_SERVER['REMOTE_ADDR'] = '127.0.0.2';
 $params = array(
 'post' => self::$post_id,
@@ -1500,6 +1506,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 }
 public function test_create_item_duplicate() {
+ wp_set_current_user( self::$subscriber_id );
 $this->factory->comment->create( array(
 'comment_post_ID' => self::$post_id,
@@ -1508,7 +1515,6 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 'comment_content' => 'Homer? Who is Homer? My name is Guy N. Cognito.',
 ) );
- wp_set_current_user( 0 );
 $params = array(
 'post' => self::$post_id,
@@ -1529,7 +1535,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 $post_id = $this->factory->post->create( array(
 'comment_status' => 'closed',
 ));
- wp_set_current_user( 0 );
+ wp_set_current_user( self::$subscriber_id );
 $params = array(
 'post' => $post_id,
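Review bot: test_create_comment_author_ip_no_permission now runs as `self::$subscriber_id` and expects 403, so the unauthenticated attempt to set `author_ip` that the old 401 assertion covered is no longer exercised, even though the `rest_allow_anonymous_comments` filter reintroduces an unauthenticated create path. Assuming the `author_ip` restriction also applies to anonymous requests (the check itself is outside this diff), a second variant that sets `wp_set_current_user( 0 );`, adds `add_filter( 'rest_allow_anonymous_comments', '__return_true' );` and still asserts `rest_comment_invalid_author_ip` would keep that path covered. test_create_item_duplicate and the closed-comments test in this hunk likewise move from anonymous to subscriber without retaining an anonymous variant.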
@@ -1546,6 +1552,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 public function test_create_comment_require_login() {
 wp_set_current_user( 0 );
 update_option( 'comment_registration', 1 );
+ add_filter( 'rest_allow_anonymous_comments', '__return_true' );
 $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
 $request->set_param( 'post', self::$post_id );
 $response = $this->server->dispatch( $request );
@@ -1595,7 +1602,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 }
 public function test_create_comment_two_times() {
- wp_set_current_user( 0 );
+ add_filter( 'rest_allow_anonymous_comments', '__return_true' );
 $params = array(
 'post' => self::$post_id,
@@ -1632,7 +1639,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 * @ticket 38477
 */
 public function test_create_comment_author_name_too_long() {
- wp_set_current_user( 0 );
+ wp_set_current_user( self::$subscriber_id );
 $params = array(
 'post' => self::$post_id,
@@ -1655,7 +1662,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 * @ticket 38477
 */
 public function test_create_comment_author_email_too_long() {
- wp_set_current_user( 0 );
+ wp_set_current_user( self::$subscriber_id );
 $params = array(
 'post' => self::$post_id,
@@ -1678,7 +1685,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 * @ticket 38477
 */
 public function test_create_comment_author_url_too_long() {
- wp_set_current_user( 0 );
+ wp_set_current_user( self::$subscriber_id );
 $params = array(
 'post' => self::$post_id,
@@ -1701,7 +1708,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 * @ticket 38477
 */
 public function test_create_comment_content_too_long() {
- wp_set_current_user( 0 );
+ wp_set_current_user( self::$subscriber_id );
 $params = array(
 'post' => self::$post_id,
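Review bot: No test in this diff asserts the new default the commit introduces — an unauthenticated POST to `/wp/v2/comments` with `comment_registration` off and no `rest_allow_anonymous_comments` filter must fail with `rest_comment_login_required`; test_create_comment_require_login only covers the case where the option is set, and because it also enables the filter it shows that the option wins, not that the default is closed. A dedicated test next to it would pin that behaviour so a later change to the filter guard in create_item_permissions_check cannot silently reopen anonymous commenting. The sketch below uses only helpers already present in this file; the comment text is a constructed sample value.
```php
public function test_create_comment_anonymous_disabled_by_default() {
	wp_set_current_user( 0 );
	$request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
	$request->set_param( 'post', self::$post_id );
	$request->set_param( 'content', 'Constructed sample comment body.' );
	$response = $this->server->dispatch( $request );
	$this->assertErrorResponse( 'rest_comment_login_required', $response, 401 );
}
```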
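Review bot: test_create_comment_two_times replaces `wp_set_current_user( 0 );` with `add_filter( 'rest_allow_anonymous_comments', '__return_true' );` rather than adding the filter alongside it, so the test now relies on no user being set when it starts instead of stating that precondition; test_update_comment_invalid_permission on the following line makes the same substitution. Keeping `wp_set_current_user( 0 );` next to the `add_filter` call keeps each test independent of execution order. For the update test the filter also looks misplaced, since the controller hunk consults it only inside create_item_permissions_check; unless the update permission check reads it as well (not visible here), that line has no effect on the request under test and the explicit anonymous user is what the test actually needs.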
@@ -1913,7 +1920,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 }
 public function test_update_comment_invalid_id() {
- wp_set_current_user( 0 );
+ wp_set_current_user( self::$subscriber_id );
 $params = array(
 'content' => 'Oh, they have the internet on computers now!',
@@ -1927,7 +1934,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 }
 public function test_update_comment_invalid_permission() {
- wp_set_current_user( 0 );
+ add_filter( 'rest_allow_anonymous_comments', '__return_true' );
 $params = array(
 'content' => 'Disco Stu likes disco music.',