From f553ad6277077ca901b05c392da4b4e35f203a60 Mon Sep 17 00:00:00 2001
From: Rachel Baker
Date: Fri, 18 Nov 2016 18:36:10 +0000
Subject: [PATCH] REST API: On comment create, return an error if the `type` property is set to anything other than `comment`.

Of the default comment_types, only comments are expected to be created via the REST API endpoint. Comments do not have registered types the way that Posts do, so we do not have a method to accurately check permissions for arbitrary comment types.

Props dd32, boonebgorges, rachelbaker.
Fixes #38820.

git-svn-id: https://develop.svn.wordpress.org/trunk@39290 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../class-wp-rest-comments-controller.php | 5 ++++
 .../rest-api/rest-comments-controller.php | 29 +++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
index ccd172fbe5..a0861ee209 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -433,6 +433,11 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 			return $prepared_comment;
 		}
 
+		// Do not allow comments to be created with a non-default type.
+		if ( ! empty( $request['type'] ) && 'comment' !== $request['type'] ) {
+			return new WP_Error( 'rest_invalid_comment_type', __( 'Cannot create a comment with that type.' ), array( 'status' => 400 ) );
+		}
+
 		/*
 		 * Do not allow a comment to be created with missing or empty
 		 * comment_content. See wp_handle_comment_submission().
diff --git a/tests/phpunit/tests/rest-api/rest-comments-controller.php b/tests/phpunit/tests/rest-api/rest-comments-controller.php
index 33ac37d73d..fe9147a6db 100644
--- a/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-comments-controller.php
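Review bot: The added guard uses `! empty( $request['type'] )`, so a request carrying `'type' => '0'` (or `''`) is not rejected even though it is not `comment`; whether such a value then lands in `comment_type` depends on the preparation code outside this hunk, so the guard is only as strict as that code. If only the default type is meant to be accepted, `if ( isset( $request['type'] ) && 'comment' !== $request['type'] ) {` closes the gap; if an empty value is deliberately tolerated, a one-line comment stating that (e.g. `// An empty type is left to the default; only explicit non-comment types are refused.`) would stop the next reader from tightening it by accident. The enclosing method starts and ends outside the hunk.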
@@ -1034,6 +1034,32 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 		$this->assertEquals( $comment_id, $collection_data[0]['id'] );
 	}
 
+	/**
+	 * @ticket 38820
+	 */
+	public function test_create_comment_with_invalid_type() {
+		$post_id = $this->factory->post->create();
+		wp_set_current_user( self::$admin_id );
+
+		$params = array(
+			'post' => $post_id,
+			'author' => self::$admin_id,
+			'author_name' => 'Comic Book Guy',
+			'author_email' => 'cbg@androidsdungeon.com',
+			'author_url' => 'http://androidsdungeon.com',
+			'content' => 'Worst Comment Ever!',
+			'date' => '2014-11-07T10:14:25',
+			'type' => 'foo',
+		);
+
+		$request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+		$request->add_header( 'content-type', 'application/json' );
+		$request->set_body( wp_json_encode( $params ) );
+
+		$response = $this->server->dispatch( $request );
+		$this->assertErrorResponse( 'rest_invalid_comment_type', $response, 400 );
+	}
+
 	public function test_create_comment_invalid_email() {
 		$post_id = $this->factory->post->create();
 		wp_set_current_user( self::$admin_id );
@@ -2218,6 +2244,9 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 		$this->assertArrayHasKey( 'type', $properties );
 
 		$this->assertEquals( '127.0.0.1', $properties['author_ip']['default'] );
+
+		$this->assertEquals( 'comment', $properties['type']['default'] );
+
 		$this->assertEquals( 0, $properties['parent']['default'] );
 		$this->assertEquals( 0, $properties['post']['default'] );
 	}
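Review bot: test_create_comment_with_invalid_type checks only the error response; it does not confirm that nothing was written for `$post_id`, so a regression that inserted the comment before returning the error would still pass. Adding `$this->assertCount( 0, get_comments( array( 'post_id' => $post_id ) ) );` after the assertErrorResponse call pins the no-side-effect expectation. A second request with `'type' => '0'` would also document how the controller's `empty()`-based guard treats a falsy but non-`comment` value, which `'foo'` alone does not exercise.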