Ensure the correct error message is returned when a user attempts to comment on a post to which they do not have access.

Adds more tests.


git-svn-id: https://develop.svn.wordpress.org/trunk@35745 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
John Blackbourn 2015-11-28 18:28:54 +00:00
parent 4476731011
commit a8ea7d98b5
2 changed files with 63 additions and 2 deletions

View File

@ -2670,6 +2670,10 @@ function wp_handle_comment_submission( $comment_data ) {
// get_post_status() will get the parent status for attachments.
$status = get_post_status( $post );
if ( ( 'private' == $status ) && ! current_user_can( 'read_post', $comment_post_ID ) ) {
return new WP_Error( 'comment_id_not_found' );
}
$status_obj = get_post_status_object( $status );
if ( ! comments_open( $comment_post_ID ) ) {
@ -2756,7 +2760,7 @@ function wp_handle_comment_submission( $comment_data ) {
}
}
} else {
if ( get_option( 'comment_registration' ) || 'private' == $status ) {
if ( get_option( 'comment_registration' ) ) {
return new WP_Error( 'not_logged_in', __( 'Sorry, you must be logged in to post a comment.' ), 403 );
}
}

View File

@ -230,7 +230,7 @@ class Tests_Comment_Submission extends WP_UnitTestCase {
public function test_submitting_comment_anonymously_to_private_post_returns_error() {
$error = 'not_logged_in';
$error = 'comment_id_not_found';
$post = self::factory()->post->create_and_get( array(
'post_status' => 'private',
@ -246,6 +246,63 @@ class Tests_Comment_Submission extends WP_UnitTestCase {
}
public function test_submitting_comment_as_logged_in_user_to_inaccessible_private_post_returns_error() {
$error = 'comment_id_not_found';
$author = self::factory()->user->create_and_get( array(
'role' => 'author',
) );
$user = self::factory()->user->create_and_get( array(
'role' => 'author',
) );
wp_set_current_user( $user->ID );
$post = self::factory()->post->create_and_get( array(
'post_status' => 'private',
'post_author' => $author->ID,
) );
$data = array(
'comment_post_ID' => $post->ID,
);
$comment = wp_handle_comment_submission( $data );
$this->assertFalse( current_user_can( 'read_post', $post->ID ) );
$this->assertWPError( $comment );
$this->assertSame( $error, $comment->get_error_code() );
}
public function test_submitting_comment_to_private_post_with_closed_comments_returns_correct_error() {
$error = 'comment_id_not_found';
$author = self::factory()->user->create_and_get( array(
'role' => 'author',
) );
$user = self::factory()->user->create_and_get( array(
'role' => 'author',
) );
wp_set_current_user( $user->ID );
$post = self::factory()->post->create_and_get( array(
'post_status' => 'private',
'post_author' => $author->ID,
'comment_status' => 'closed',
) );
$data = array(
'comment_post_ID' => $post->ID,
);
$comment = wp_handle_comment_submission( $data );
$this->assertFalse( current_user_can( 'read_post', $post->ID ) );
$this->assertWPError( $comment );
$this->assertSame( $error, $comment->get_error_code() );
}
public function test_submitting_comment_to_own_private_post_succeeds() {
$user = self::factory()->user->create_and_get();