REST API: Add support for comments of password-protected posts.

Core requires the post password to view and create comments on password protected posts, so we must support a “password” param on the comments endpoint when fetch comments for a specific post and creating a comment on a password protected post.

Props flixos90, jnylen0.
Fixes #38692.
Built from https://develop.svn.wordpress.org/trunk@39349


git-svn-id: http://core.svn.wordpress.org/trunk@39289 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Joe Hoyle 2016-11-23 16:15:31 +00:00
parent a985a4d126
commit 6f189ddbc8
3 changed files with 52 additions and 20 deletions

View File

@ -69,6 +69,10 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
'permission_callback' => array( $this, 'get_item_permissions_check' ), 'permission_callback' => array( $this, 'get_item_permissions_check' ),
'args' => array( 'args' => array(
'context' => $this->get_context_param( array( 'default' => 'view' ) ), 'context' => $this->get_context_param( array( 'default' => 'view' ) ),
'password' => array(
'description' => __( 'The password for the post if it is password protected.' ),
'type' => 'string',
),
), ),
), ),
array( array(
@ -87,6 +91,10 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
'default' => false, 'default' => false,
'description' => __( 'Whether to bypass trash and force deletion.' ), 'description' => __( 'Whether to bypass trash and force deletion.' ),
), ),
'password' => array(
'description' => __( 'The password for the post if it is password protected.' ),
'type' => 'string',
),
), ),
), ),
'schema' => array( $this, 'get_public_item_schema' ), 'schema' => array( $this, 'get_public_item_schema' ),
@ -108,7 +116,7 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
foreach ( (array) $request['post'] as $post_id ) { foreach ( (array) $request['post'] as $post_id ) {
$post = get_post( $post_id ); $post = get_post( $post_id );
if ( ! empty( $post_id ) && $post && ! $this->check_read_post_permission( $post ) ) { if ( ! empty( $post_id ) && $post && ! $this->check_read_post_permission( $post, $request ) ) {
return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) );
} elseif ( 0 === $post_id && ! current_user_can( 'moderate_comments' ) ) { } elseif ( 0 === $post_id && ! current_user_can( 'moderate_comments' ) ) {
return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to read comments without a post.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to read comments without a post.' ), array( 'status' => rest_authorization_required_code() ) );
@ -242,7 +250,7 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
$comments = array(); $comments = array();
foreach ( $query_result as $comment ) { foreach ( $query_result as $comment ) {
if ( ! $this->check_read_permission( $comment ) ) { if ( ! $this->check_read_permission( $comment, $request ) ) {
continue; continue;
} }
@ -309,18 +317,18 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
return true; return true;
} }
if ( ! $this->check_read_permission( $comment ) ) { if ( ! empty( $request['context'] ) && 'edit' === $request['context'] && ! current_user_can( 'moderate_comments' ) ) {
return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to read this comment.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit comments.' ), array( 'status' => rest_authorization_required_code() ) );
} }
$post = get_post( $comment->comment_post_ID ); $post = get_post( $comment->comment_post_ID );
if ( $post && ! $this->check_read_post_permission( $post ) ) { if ( ! $this->check_read_permission( $comment, $request ) ) {
return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_cannot_read', __( 'Sorry, you are not allowed to read this comment.' ), array( 'status' => rest_authorization_required_code() ) );
} }
if ( ! empty( $request['context'] ) && 'edit' === $request['context'] && ! current_user_can( 'moderate_comments' ) ) { if ( $post && ! $this->check_read_post_permission( $post, $request ) ) {
return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit comments.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) );
} }
return true; return true;
@ -433,7 +441,7 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
return new WP_Error( 'rest_comment_trash_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) ); return new WP_Error( 'rest_comment_trash_post', __( 'Sorry, you are not allowed to create a comment on this post.' ), array( 'status' => 403 ) );
} }
if ( ! $this->check_read_post_permission( $post ) ) { if ( ! $this->check_read_post_permission( $post, $request ) ) {
return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) ); return new WP_Error( 'rest_cannot_read_post', __( 'Sorry, you are not allowed to read the post for this comment.' ), array( 'status' => rest_authorization_required_code() ) );
} }
@ -1412,6 +1420,11 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
'validate_callback' => 'rest_validate_request_arg', 'validate_callback' => 'rest_validate_request_arg',
); );
$query_params['password'] = array(
'description' => __( 'The password for the post if it is password protected.' ),
'type' => 'string',
);
/** /**
* Filter collection parameters for the comments controller. * Filter collection parameters for the comments controller.
* *
@ -1481,18 +1494,36 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
* @since 4.7.0 * @since 4.7.0
* @access protected * @access protected
* *
* @param WP_Post $post Post Object. * @param WP_Post $post Post object.
* @param WP_REST_Request $request Request data to check.
* @return bool Whether post can be read. * @return bool Whether post can be read.
*/ */
protected function check_read_post_permission( $post ) { protected function check_read_post_permission( $post, $request ) {
$posts_controller = new WP_REST_Posts_Controller( $post->post_type ); $posts_controller = new WP_REST_Posts_Controller( $post->post_type );
$post_type = get_post_type_object( $post->post_type ); $post_type = get_post_type_object( $post->post_type );
if ( post_password_required( $post ) ) { $has_password_filter = false;
return current_user_can( $post_type->cap->edit_post, $post->ID );
// Only check password if a specific post was queried for or a single comment
$requested_post = ! empty( $request['post'] ) && 1 === count( $request['post'] );
$requested_comment = ! empty( $request['id'] );
if ( ( $requested_post || $requested_comment ) && $posts_controller->can_access_password_content( $post, $request ) ) {
add_filter( 'post_password_required', '__return_false' );
$has_password_filter = true;
} }
return $posts_controller->check_read_permission( $post ); if ( post_password_required( $post ) ) {
$result = current_user_can( $post_type->cap->edit_post, $post->ID );
} else {
$result = $posts_controller->check_read_permission( $post );
}
if ( $has_password_filter ) {
remove_filter( 'post_password_required', '__return_false' );
}
return $result;
} }
/** /**
@ -1501,14 +1532,15 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
* @since 4.7.0 * @since 4.7.0
* @access protected * @access protected
* *
* @param WP_Comment $comment Comment object. * @param WP_Comment $comment Comment object.
* @param WP_REST_Request $request Request data to check.
* @return bool Whether the comment can be read. * @return bool Whether the comment can be read.
*/ */
protected function check_read_permission( $comment ) { protected function check_read_permission( $comment, $request ) {
if ( ! empty( $comment->comment_post_ID ) ) { if ( ! empty( $comment->comment_post_ID ) ) {
$post = get_post( $comment->comment_post_ID ); $post = get_post( $comment->comment_post_ID );
if ( $post ) { if ( $post ) {
if ( $this->check_read_post_permission( $post ) && 1 === (int) $comment->comment_approved ) { if ( $this->check_read_post_permission( $post, $request ) && 1 === (int) $comment->comment_approved ) {
return true; return true;
} }
} }

View File

@ -383,13 +383,13 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
* check in core with a filter. * check in core with a filter.
* *
* @since 4.7.0 * @since 4.7.0
* @access protected * @access public
* *
* @param WP_Post $post Post to check against. * @param WP_Post $post Post to check against.
* @param WP_REST_Request $request Request data to check. * @param WP_REST_Request $request Request data to check.
* @return bool True if the user can access password-protected content, otherwise false. * @return bool True if the user can access password-protected content, otherwise false.
*/ */
protected function can_access_password_content( $post, $request ) { public function can_access_password_content( $post, $request ) {
if ( empty( $post->post_password ) ) { if ( empty( $post->post_password ) ) {
// No filter required. // No filter required.
return false; return false;

View File

@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.7-beta4-39348'; $wp_version = '4.7-beta4-39349';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.