WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

REST API: On Comment create, limit the ability to set the `author_ip` value directly. 

Users without the moderate_comments capability can no longer set the `author_ip` property directly, and instead receive a `WP_Error` if they attempt to do so. Otherwise, the `author_ip property` is populated from `$_SERVER['REMOTE_ADDR']` if present and a valid IP value. Finally, fallback to 127.0.0.1 as a last resort.

Props dd32, rachelbaker, joehoyle.
Fixes #38819.
Built from https://develop.svn.wordpress.org/trunk@39302


git-svn-id: http://core.svn.wordpress.org/trunk@39242 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Rachel Baker 2016-11-18 21:13:32 +00:00
parent 234ae480ee
commit 0fdb955ce8
2 changed files with 13 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
View File

@ -371,12 +371,18 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) );
}
// Limit who can set comment `author` or `status` to anything other than the default.
// Limit who can set comment `author`, `author_ip` or `status` to anything other than the default.
if ( isset( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( 'moderate_comments' ) ) {
/* translators: %s: request parameter */
return new WP_Error( 'rest_comment_invalid_author', sprintf( __( "Sorry, you are not allowed to edit '%s' for comments." ), 'author' ), array( 'status' => rest_authorization_required_code() ) );
}
if ( isset( $request['author_ip'] ) && ! current_user_can( 'moderate_comments' ) ) {
if ( empty( $_SERVER['REMOTE_ADDR'] ) || $request['author_ip'] !== $_SERVER['REMOTE_ADDR'] ) {
return new WP_Error( 'rest_comment_invalid_author_ip', __( 'Sorry, you are not allowed to set author_ip for comments.' ), array( 'status' => rest_authorization_required_code() ) );
}
}
if ( isset( $request['status'] ) && ! current_user_can( 'moderate_comments' ) ) {
/* translators: %s: request parameter */
return new WP_Error( 'rest_comment_invalid_status', sprintf( __( "Sorry, you are not allowed to edit '%s' for comments." ), 'status' ), array( 'status' => rest_authorization_required_code() ) );
@ -1041,8 +1047,12 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
$prepared_comment['comment_author_url'] = $request['author_url'];
}
if ( isset( $request['author_ip'] ) ) {
if ( isset( $request['author_ip'] ) && current_user_can( 'moderate_comments' ) ) {
$prepared_comment['comment_author_IP'] = $request['author_ip'];
} elseif ( ! empty( $_SERVER['REMOTE_ADDR'] ) && rest_is_ip_address( $_SERVER['REMOTE_ADDR'] ) ) {
$prepared_comment['comment_author_IP'] = $_SERVER['REMOTE_ADDR'];
} else {
$prepared_comment['comment_author_IP'] = '127.0.0.1';
}
if ( ! empty( $request['author_user_agent'] ) ) {
@ -1119,7 +1129,6 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
'type' => 'string',
'format' => 'ip',
'context' => array( 'edit' ),
'default' => '127.0.0.1',
),
'author_name' => array(
'description' => __( 'Display name for the object author.' ),

2
wp-includes/version.php
View File

@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '4.7-beta4-39301';
$wp_version = '4.7-beta4-39302';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.