diff --git a/src/wp-includes/class-wp-xmlrpc-server.php b/src/wp-includes/class-wp-xmlrpc-server.php
index 78581cbfab..e7b8d64fbe 100644
--- a/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/src/wp-includes/class-wp-xmlrpc-server.php
@@ -3453,19 +3453,29 @@ class wp_xmlrpc_server extends IXR_Server {
 		else
 			$post_id = url_to_postid($post);
 
-		if ( ! $post_id )
+		if ( ! $post_id ) {
 			return new IXR_Error( 404, __( 'Invalid post ID.' ) );
+		}
 
-		if ( ! get_post($post_id) )
+		if ( ! get_post( $post_id ) ) {
 			return new IXR_Error( 404, __( 'Invalid post ID.' ) );
+		}
+
+		if ( ! comments_open( $post_id ) ) {
+			return new IXR_Error( 403, __( 'Sorry, comments are closed for this item.' ) );
+		}
 
 		$comment = array();
 		$comment['comment_post_ID'] = $post_id;
 
 		if ( $logged_in ) {
-			$comment['comment_author'] = $this->escape( $user->display_name );
-			$comment['comment_author_email'] = $this->escape( $user->user_email );
-			$comment['comment_author_url'] = $this->escape( $user->user_url );
+			$display_name = $user->display_name;
+			$user_email = $user->user_email;
+			$user_url = $user->user_url;
+
+			$comment['comment_author'] = $this->escape( $display_name );
+			$comment['comment_author_email'] = $this->escape( $user_email );
+			$comment['comment_author_url'] = $this->escape( $user_url );
 			$comment['user_ID'] = $user->ID;
 		} else {
 			$comment['comment_author'] = '';
diff --git a/tests/phpunit/tests/xmlrpc/wp/newComment.php b/tests/phpunit/tests/xmlrpc/wp/newComment.php
new file mode 100644
index 0000000000..3cb9eddec8
--- /dev/null
+++ b/tests/phpunit/tests/xmlrpc/wp/newComment.php
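Review bot: The three new locals in the `$logged_in` branch (`$display_name`, `$user_email`, `$user_url`) look like pointless indirection without a comment; presumably they exist because `$this->escape()` takes its argument by reference and `WP_User` exposes these fields through a magic getter, which PHP refuses to hand out by reference ("Indirect modification of overloaded property"). A one-line why-comment above them would stop the next maintainer from inlining them again, e.g. `// Copy into locals first: escape() takes a reference, and WP_User fields are overloaded properties.`. The new `comments_open( $post_id )` guard is a sensible server-side check, but it turns away every caller, including accounts that could otherwise moderate comments; that matches the per-post setting, but the 403 case deserves a line in the method's docblock, which lies outside this hunk. The enclosing `wp_newComment` method starts and ends outside the hunk.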
@@ -0,0 +1,23 @@
+make_user_by_role( 'administrator' );
+		$post = $this->factory->post->create_and_get( array(
+			'comment_status' => 'closed'
+		) );
+
+		$this->assertEquals( 'closed', $post->comment_status );
+
+		$result = $this->myxmlrpcserver->wp_newComment( array( 1, 'administrator', 'administrator', $post->ID, array(
+			'comment_content' => rand_str( 100 ),
+			'status' => 'approved'
+		) ) );
+
+		$this->assertInstanceOf( 'IXR_Error', $result );
+		$this->assertEquals( 403, $result->code );
+	}
+}
\ No newline at end of file