sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

REST API: On comment create, return an error if the type property is set to anything other than comment.

Browse Source 
Of the default comment_types, only comments are expected to be created via the REST API endpoint. Comments do not have registered types the way that Posts do, so we do not have a method to accurately check permissions for arbitrary comment types.

Props dd32, boonebgorges, rachelbaker.
Fixes #38820.

git-svn-id: https://develop.svn.wordpress.org/trunk@39290 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Rachel Baker 2016-11-18 18:36:10 +00:00
parent 659822098a
commit f553ad6277
2 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
View File

@ -433,6 +433,11 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
return $prepared_comment; return $prepared_comment;
} }
// Do not allow comments to be created with a non-default type.
if ( ! empty( $request['type'] ) && 'comment' !== $request['type'] ) {
return new WP_Error( 'rest_invalid_comment_type', __( 'Cannot create a comment with that type.' ), array( 'status' => 400 ) );
}
/* /*
* Do not allow a comment to be created with missing or empty * Do not allow a comment to be created with missing or empty
* comment_content. See wp_handle_comment_submission(). * comment_content. See wp_handle_comment_submission().

29
tests/phpunit/tests/rest-api/rest-comments-controller.php
View File

@ -1034,6 +1034,32 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
$this->assertEquals( $comment_id, $collection_data[0]['id'] ); $this->assertEquals( $comment_id, $collection_data[0]['id'] );
} }
/**
* @ticket 38820
*/
public function test_create_comment_with_invalid_type() {
$post_id = $this->factory->post->create();
wp_set_current_user( self::$admin_id );
$params = array(
'post' => $post_id,
'author' => self::$admin_id,
'author_name' => 'Comic Book Guy',
'author_email' => 'cbg@androidsdungeon.com',
'author_url' => 'http://androidsdungeon.com',
'content' => 'Worst Comment Ever!',
'date' => '2014-11-07T10:14:25',
'type' => 'foo',
);
$request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
$request->add_header( 'content-type', 'application/json' );
$request->set_body( wp_json_encode( $params ) );
$response = $this->server->dispatch( $request );
$this->assertErrorResponse( 'rest_invalid_comment_type', $response, 400 );
}
public function test_create_comment_invalid_email() { public function test_create_comment_invalid_email() {
$post_id = $this->factory->post->create(); $post_id = $this->factory->post->create();
wp_set_current_user( self::$admin_id ); wp_set_current_user( self::$admin_id );
@ -2218,6 +2244,9 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
$this->assertArrayHasKey( 'type', $properties ); $this->assertArrayHasKey( 'type', $properties );
$this->assertEquals( '127.0.0.1', $properties['author_ip']['default'] ); $this->assertEquals( '127.0.0.1', $properties['author_ip']['default'] );
$this->assertEquals( 'comment', $properties['type']['default'] );
$this->assertEquals( 0, $properties['parent']['default'] ); $this->assertEquals( 0, $properties['parent']['default'] );
$this->assertEquals( 0, $properties['post']['default'] ); $this->assertEquals( 0, $properties['post']['default'] );
} }