REST API: On Comment create, limit the ability to set the author_ip value directly.

Users without the moderate_comments capability can no longer set the `author_ip` property directly, and instead receive a `WP_Error` if they attempt to do so. Otherwise, the `author_ip property` is populated from `$_SERVER['REMOTE_ADDR']` if present and a valid IP value. Finally, fallback to 127.0.0.1 as a last resort. Props dd32, rachelbaker, joehoyle. Fixes #38819. git-svn-id: https://develop.svn.wordpress.org/trunk@39302 602fd350-edb4-49c9-b593-d223f7449a82
2016-11-18 21:12:03 +00:00 · 2016-11-18 21:12:03 +00:00 · aa4af7839e
commit aa4af7839e
parent 9385bda4ce
2 changed files with 71 additions and 10 deletions
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@ -371,12 +371,18 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 			return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) );
 		}

-		// Limit who can set comment `author` or `status` to anything other than the default.
+		// Limit who can set comment `author`, `author_ip` or `status` to anything other than the default.
 		if ( isset( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( 'moderate_comments' ) ) {
 			/* translators: %s: request parameter */
 			return new WP_Error( 'rest_comment_invalid_author', sprintf( __( "Sorry, you are not allowed to edit '%s' for comments." ), 'author' ), array( 'status' => rest_authorization_required_code() ) );
 		}

+		if ( isset( $request['author_ip'] ) && ! current_user_can( 'moderate_comments' ) ) {
+			if ( empty( $_SERVER['REMOTE_ADDR'] ) || $request['author_ip'] !== $_SERVER['REMOTE_ADDR'] ) {
+				return new WP_Error( 'rest_comment_invalid_author_ip', __( 'Sorry, you are not allowed to set author_ip for comments.' ), array( 'status' => rest_authorization_required_code() ) );
+			}
+		}
+
 		if ( isset( $request['status'] ) && ! current_user_can( 'moderate_comments' ) ) {
 			/* translators: %s: request parameter */
 			return new WP_Error( 'rest_comment_invalid_status', sprintf( __( "Sorry, you are not allowed to edit '%s' for comments." ), 'status' ), array( 'status' => rest_authorization_required_code() ) );
@ -1041,8 +1047,12 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 			$prepared_comment['comment_author_url'] = $request['author_url'];
 		}

-		if ( isset( $request['author_ip'] ) ) {
+		if ( isset( $request['author_ip'] ) && current_user_can( 'moderate_comments' ) ) {
 			$prepared_comment['comment_author_IP'] = $request['author_ip'];
+		} elseif ( ! empty( $_SERVER['REMOTE_ADDR'] ) && rest_is_ip_address( $_SERVER['REMOTE_ADDR'] ) ) {
+			$prepared_comment['comment_author_IP'] = $_SERVER['REMOTE_ADDR'];
+		} else {
+			$prepared_comment['comment_author_IP'] = '127.0.0.1';
 		}

 		if ( ! empty( $request['author_user_agent'] ) ) {
@ -1119,7 +1129,6 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 					'type'         => 'string',
 					'format'       => 'ip',
 					'context'      => array( 'edit' ),
-					'default'      => '127.0.0.1',
 				),
 				'author_name'     => array(
 					'description'  => __( 'Display name for the object author.' ),
--- a/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-comments-controller.php
@ -6,9 +6,9 @@
 * @subpackage REST API
 */

- /**
-  * @group restapi
-  */
+/**
+ * @group restapi
+ */
 class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase {
 	protected static $superadmin_id;
 	protected static $admin_id;
@ -1307,10 +1307,32 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 		$this->assertEquals( 'Mozilla/4.0 (compatible; MSIE 5.5; AOL 4.0; Windows 95)', $new_comment->comment_agent );
 	}

+	public function test_create_comment_author_ip() {
+		wp_set_current_user( self::$admin_id );
+
+		$params = array(
+			'post'         => self::$post_id,
+			'author_name'  => 'Comic Book Guy',
+			'author_email' => 'cbg@androidsdungeon.com',
+			'author_url'   => 'http://androidsdungeon.com',
+			'author_ip'    => '127.0.0.3',
+			'content'      => 'Worst Comment Ever!',
+			'status'       => 'approved',
+		);
+		$request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+		$request->add_header( 'content-type', 'application/json' );
+		$request->set_body( wp_json_encode( $params ) );
+		$response = $this->server->dispatch( $request );
+		$data = $response->get_data();
+		$new_comment = get_comment( $data['id'] );
+		$this->assertEquals( '127.0.0.3', $new_comment->comment_author_IP );
+	}
+
 	public function test_create_comment_invalid_author_IP() {
 		wp_set_current_user( self::$admin_id );

 		$params = array(
+			'post'         => self::$post_id,
 			'author_name'  => 'Comic Book Guy',
 			'author_email' => 'cbg@androidsdungeon.com',
 			'author_url'   => 'http://androidsdungeon.com',
@ -1323,10 +1345,43 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 		$request->set_body( wp_json_encode( $params ) );

 		$response = $this->server->dispatch( $request );
-
 		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
 	}

+	public function test_create_comment_author_ip_no_permission() {
+		$params = array(
+			'author_name'  => 'Comic Book Guy',
+			'author_email' => 'cbg@androidsdungeon.com',
+			'author_url'   => 'http://androidsdungeon.com',
+			'author_ip'    => '10.0.10.1',
+			'content'      => 'Worst Comment Ever!',
+			'status'       => 'approved',
+		);
+		$request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+		$request->add_header( 'content-type', 'application/json' );
+		$request->set_body( wp_json_encode( $params ) );
+		$response = $this->server->dispatch( $request );
+		$this->assertErrorResponse( 'rest_comment_invalid_author_ip', $response, 401 );
+	}
+
+	public function test_create_comment_author_ip_defaults_to_remote_addr() {
+		$_SERVER['REMOTE_ADDR'] = '127.0.0.2';
+		$params = array(
+			'post'         => self::$post_id,
+			'author_name'  => 'Comic Book Guy',
+			'author_email' => 'cbg@androidsdungeon.com',
+			'author_url'   => 'http://androidsdungeon.com',
+			'content'      => 'Worst Comment Ever!',
+		);
+		$request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+		$request->add_header( 'content-type', 'application/json' );
+		$request->set_body( wp_json_encode( $params ) );
+		$response = $this->server->dispatch( $request );
+		$data = $response->get_data();
+		$new_comment = get_comment( $data['id'] );
+		$this->assertEquals( '127.0.0.2', $new_comment->comment_author_IP );
+	}
+
 	public function test_create_comment_no_post_id() {
 		wp_set_current_user( self::$admin_id );

@ -2268,9 +2323,6 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 		$this->assertArrayHasKey( 'post', $properties );
 		$this->assertArrayHasKey( 'status', $properties );
 		$this->assertArrayHasKey( 'type', $properties );
-
-		$this->assertEquals( '127.0.0.1', $properties['author_ip']['default'] );
-
 		$this->assertEquals( 'comment', $properties['type']['default'] );

 		$this->assertEquals( 0, $properties['parent']['default'] );