diff --git a/src/wp-admin/comment.php b/src/wp-admin/comment.php index 0d6af5f17b..4db8c5784f 100644 --- a/src/wp-admin/comment.php +++ b/src/wp-admin/comment.php @@ -339,7 +339,10 @@ switch ( $action ) { check_admin_referer( 'update-comment_' . $comment_id ); - edit_comment(); + $updated = edit_comment(); + if ( is_wp_error( $updated ) ) { + wp_die( $updated->get_error_message() ); + } $location = ( empty( $_POST['referredby'] ) ? "edit-comments.php?p=$comment_post_id" : $_POST['referredby'] ) . '#comment-' . $comment_id; diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php index 54a33e1bf3..5a6c767b5e 100644 --- a/src/wp-admin/includes/ajax-actions.php +++ b/src/wp-admin/includes/ajax-actions.php @@ -1410,7 +1410,11 @@ function wp_ajax_edit_comment() { if ( isset( $_POST['status'] ) ) { $_POST['comment_status'] = $_POST['status']; } - edit_comment(); + + $updated = edit_comment(); + if ( is_wp_error( $updated ) ) { + wp_die( $updated->get_error_message() ); + } $position = ( isset( $_POST['position'] ) && (int) $_POST['position'] ) ? (int) $_POST['position'] : '-1'; $checkbox = ( isset( $_POST['checkbox'] ) && true == $_POST['checkbox'] ) ? 1 : 0; diff --git a/src/wp-admin/includes/comment.php b/src/wp-admin/includes/comment.php index 3f0a2974dc..e006dadd87 100644 --- a/src/wp-admin/includes/comment.php +++ b/src/wp-admin/includes/comment.php @@ -92,7 +92,7 @@ function edit_comment() { $_POST['comment_date'] = "$aa-$mm-$jj $hh:$mn:$ss"; } - wp_update_comment( $_POST ); + return wp_update_comment( $_POST, true ); } /** diff --git a/src/wp-includes/class-wp-xmlrpc-server.php b/src/wp-includes/class-wp-xmlrpc-server.php index 2a29387fab..d015964f0a 100644 --- a/src/wp-includes/class-wp-xmlrpc-server.php +++ b/src/wp-includes/class-wp-xmlrpc-server.php @@ -3788,8 +3788,8 @@ class wp_xmlrpc_server extends IXR_Server { $comment['comment_author_email'] = $content_struct['author_email']; } - $result = wp_update_comment( $comment ); - if ( is_wp_error( $result ) ) { + $result = wp_update_comment( $comment, true ); + if ( is_wp_error( $result ) || false === $result ) { return new IXR_Error( 500, $result->get_error_message() ); } diff --git a/src/wp-includes/comment.php b/src/wp-includes/comment.php index 15899cba77..158f09840b 100644 --- a/src/wp-includes/comment.php +++ b/src/wp-includes/comment.php @@ -2405,24 +2405,35 @@ function wp_set_comment_status( $comment_id, $comment_status, $wp_error = false * * @since 2.0.0 * @since 4.9.0 Add updating comment meta during comment update. + * @since 5.5.0 Allow returning a WP_Error object on failure. * * @global wpdb $wpdb WordPress database abstraction object. * * @param array $commentarr Contains information on the comment. - * @return int The value 1 if the comment was updated, 0 if not updated. + * @param bool $wp_error Optional. Whether to return a WP_Error on failure. Default false. + * @return int|bool|WP_Error Comment was updated if value is 1, or was not updated if value is 0, + * false, or a WP_Error object. */ -function wp_update_comment( $commentarr ) { +function wp_update_comment( $commentarr, $wp_error = false ) { global $wpdb; // First, get all of the original fields. $comment = get_comment( $commentarr['comment_ID'], ARRAY_A ); if ( empty( $comment ) ) { - return 0; + if ( ! $wp_error ) { + return 0; + } + + return new WP_Error( 'invalid_comment_id', __( 'Invalid comment ID.' ) ); } // Make sure that the comment post ID is valid (if specified). if ( ! empty( $commentarr['comment_post_ID'] ) && ! get_post( $commentarr['comment_post_ID'] ) ) { - return 0; + if ( ! $wp_error ) { + return 0; + } + + return new WP_Error( 'invalid_post_id', __( 'Invalid post ID.' ) ); } // Escape data pulled from DB. @@ -2463,15 +2474,24 @@ function wp_update_comment( $commentarr ) { /** * Filters the comment data immediately before it is updated in the database. * - * Note: data being passed to the filter is already unslashed. + * Note: data being passed to the filter is already unslashed. Returning 0 or a + * WP_Error object is preventing the comment to be updated. * * @since 4.7.0 + * @since 5.5.0 Allow returning a WP_Error object on failure. * * @param array $data The new, processed comment data. * @param array $comment The old, unslashed comment data. * @param array $commentarr The new, raw comment data. + * @param bool $wp_error Optional. Whether to return a WP_Error on failure. + * Default false. */ - $data = apply_filters( 'wp_update_comment_data', $data, $comment, $commentarr ); + $data = apply_filters( 'wp_update_comment_data', $data, $comment, $commentarr, $wp_error ); + + // Do not carry on on failure. + if ( is_wp_error( $data ) || 0 === $data ) { + return $data; + } $keys = array( 'comment_post_ID', 'comment_content', 'comment_author', 'comment_author_email', 'comment_approved', 'comment_karma', 'comment_author_url', 'comment_date', 'comment_date_gmt', 'comment_type', 'comment_parent', 'user_id', 'comment_agent', 'comment_author_IP' ); $data = wp_array_slice_assoc( $data, $keys ); diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php index da2457c85a..c3f2f35b8d 100644 --- a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php +++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php @@ -868,9 +868,9 @@ class WP_REST_Comments_Controller extends WP_REST_Controller { ); } - $updated = wp_update_comment( wp_slash( (array) $prepared_args ) ); + $updated = wp_update_comment( wp_slash( (array) $prepared_args ), true ); - if ( false === $updated ) { + if ( is_wp_error( $updated ) || false === $updated ) { return new WP_Error( 'rest_comment_failed_edit', __( 'Updating comment failed.' ), diff --git a/tests/phpunit/tests/ajax/EditComment.php b/tests/phpunit/tests/ajax/EditComment.php index 38deb9f160..1024e10c5f 100644 --- a/tests/phpunit/tests/ajax/EditComment.php +++ b/tests/phpunit/tests/ajax/EditComment.php @@ -32,6 +32,11 @@ class Tests_Ajax_EditComment extends WP_Ajax_UnitTestCase { $this->_comment_post = get_post( $post_id ); } + public function tearDown() { + remove_filter( 'wp_update_comment_data', array( $this, '_wp_update_comment_data_filter' ), 10, 3 ); + parent::tearDown(); + } + /** * Get comments as a privilged user (administrator) * Expects test to pass @@ -126,6 +131,41 @@ class Tests_Ajax_EditComment extends WP_Ajax_UnitTestCase { $this->assertEmpty( (string) $xml->response[0]->edit_comment[0]->supplemental ); } + /** + * @ticket 39732 + */ + public function test_wp_update_comment_data_is_wp_error() { + // Become an administrator + $this->_setRole( 'administrator' ); + + // Get a comment + $comments = get_comments( + array( + 'post_id' => $this->_comment_post->ID, + ) + ); + $comment = array_pop( $comments ); + + // Set up a default request + $_POST['_ajax_nonce-replyto-comment'] = wp_create_nonce( 'replyto-comment' ); + $_POST['comment_ID'] = $comment->comment_ID; + $_POST['content'] = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit.'; + + // Simulate filter check error + add_filter( 'wp_update_comment_data', array( $this, '_wp_update_comment_data_filter' ), 10, 3 ); + + // Make the request + $this->setExpectedException( 'WPAjaxDieStopException', 'wp_update_comment_data filter fails for this comment.' ); + $this->_handleAjax( 'edit-comment' ); + } + + /** + * Block comments from being updated by returning WP_Error + */ + public function _wp_update_comment_data_filter( $data, $comment, $commentarr ) { + return new WP_Error( 'comment_wrong', __( 'wp_update_comment_data filter fails for this comment.' ), 500 ); + } + /** * Get comments as a non-privileged user (subscriber) * Expects test to fail diff --git a/tests/phpunit/tests/comment.php b/tests/phpunit/tests/comment.php index c55c32a153..a5bd0a995d 100644 --- a/tests/phpunit/tests/comment.php +++ b/tests/phpunit/tests/comment.php @@ -142,6 +142,31 @@ class Tests_Comment extends WP_UnitTestCase { $this->assertEquals( $updated_comment_text, $comment->comment_content ); } + /** + * @ticket 39732 + */ + public function test_wp_update_comment_is_wp_error() { + $comment_id = self::factory()->comment->create( array( 'comment_post_ID' => self::$post_id ) ); + + add_filter( 'wp_update_comment_data', array( $this, '_wp_update_comment_data_filter' ), 10, 3 ); + $result = wp_update_comment( + array( + 'comment_ID' => $comment_id, + 'comment_type' => 'pingback', + ), + true + ); + $this->assertWPError( $result ); + remove_filter( 'wp_update_comment_data', array( $this, '_wp_update_comment_data_filter' ), 10, 3 ); + } + + /** + * Block comments from being updated by returning WP_Error + */ + public function _wp_update_comment_data_filter( $data, $comment, $commentarr ) { + return new WP_Error( 'comment_wrong', __( 'wp_update_comment_data filter fails for this comment.' ), 500 ); + } + public function test_get_approved_comments() { $ca1 = self::factory()->comment->create( array( diff --git a/tests/phpunit/tests/rest-api/rest-comments-controller.php b/tests/phpunit/tests/rest-api/rest-comments-controller.php index e061c1925d..7dd552d3d3 100644 --- a/tests/phpunit/tests/rest-api/rest-comments-controller.php +++ b/tests/phpunit/tests/rest-api/rest-comments-controller.php @@ -2790,6 +2790,36 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase $this->assertErrorResponse( 'comment_content_column_length', $response, 400 ); } + /** + * @ticket 39732 + */ + public function test_update_comment_is_wp_error() { + wp_set_current_user( self::$admin_id ); + + $params = array( + 'content' => 'This isn\'t a saxophone. It\'s an umbrella.', + ); + + add_filter( 'wp_update_comment_data', array( $this, '_wp_update_comment_data_filter' ), 10, 3 ); + + $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) ); + + $request->add_header( 'content-type', 'application/json' ); + $request->set_body( wp_json_encode( $params ) ); + $response = rest_get_server()->dispatch( $request ); + + $this->assertErrorResponse( 'rest_comment_failed_edit', $response, 500 ); + + remove_filter( 'wp_update_comment_data', array( $this, '_wp_update_comment_data_filter' ), 10, 3 ); + } + + /** + * Block comments from being updated by returning WP_Error + */ + public function _wp_update_comment_data_filter( $data, $comment, $commentarr ) { + return new WP_Error( 'comment_wrong', __( 'wp_update_comment_data filter fails for this comment.' ), array( 'status' => 500 ) ); + } + public function verify_comment_roundtrip( $input = array(), $expected_output = array() ) { // Create the comment. $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );