REST API: Fix bug where comment author and author email could be an empty string when creating a comment.

If the `require_name_email` option is true, creating a comment with an empty string for the author name or email should not be accepted. Both values can be an empty string on update. Merges [39444] into the 4.7 branch. Props flixos90, hnle, dd32, rachelbaker, jnylen0, ChopinBach, joehoyle, pento. Fixes #38971 for 4.7. Built from https://develop.svn.wordpress.org/branches/4.7@39446 git-svn-id: http://core.svn.wordpress.org/branches/4.7@39386 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-12-02 22:46:31 +00:00 · 2016-12-02 22:46:31 +00:00 · afa325993e
parent 0dd3e5e34d
commit afa325993e
2 changed files with 35 additions and 10 deletions
--- a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@ -508,17 +508,9 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {

 		// Honor the discussion setting that requires a name and email address of the comment author.
 		if ( get_option( 'require_name_email' ) ) {
-			if ( ! isset( $prepared_comment['comment_author'] ) && ! isset( $prepared_comment['comment_author_email'] ) ) {
+			if ( empty( $prepared_comment['comment_author'] ) || empty( $prepared_comment['comment_author_email'] ) ) {
 				return new WP_Error( 'rest_comment_author_data_required', __( 'Creating a comment requires valid author name and email values.' ), array( 'status' => 400 ) );
 			}
-
-			if ( ! isset( $prepared_comment['comment_author'] ) ) {
-				return new WP_Error( 'rest_comment_author_required', __( 'Creating a comment requires a valid author name.' ), array( 'status' => 400 ) );
-			}
-
-			if ( ! isset( $prepared_comment['comment_author_email'] ) ) {
-				return new WP_Error( 'rest_comment_author_email_required', __( 'Creating a comment requires a valid author email.' ), array( 'status' => 400 ) );
-			}
 		}

 		if ( ! isset( $prepared_comment['comment_author_email'] ) ) {
@ -1155,6 +1147,10 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 					'type'         => 'string',
 					'format'       => 'email',
 					'context'      => array( 'edit' ),
+					'arg_options'  => array(
+						'sanitize_callback' => array( $this, 'check_comment_author_email' ),
+						'validate_callback' => null, // skip built-in validation of 'email'.
+					),
 				),
 				'author_ip'     => array(
 					'description'  => __( 'IP address for the object author.' ),
@ -1581,4 +1577,33 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {

 		return current_user_can( 'edit_comment', $comment->comment_ID );
 	}
+
+	/**
+	 * Checks a comment author email for validity.
+	 *
+	 * Accepts either a valid email address or empty string as a valid comment
+	 * author email address. Setting the comment author email to an empty
+	 * string is allowed when a comment is being updated.
+	 *
+	 * @since 4.7.0
+	 *
+	 * @param string          $value   Author email value submitted.
+	 * @param WP_REST_Request $request Full details about the request.
+	 * @param string          $param   The parameter name.
+	 * @return WP_Error|string The sanitized email address, if valid,
+	 *                         otherwise an error.
+	 */
+	public function check_comment_author_email( $value, $request, $param ) {
+		$email = (string) $value;
+		if ( empty( $email ) ) {
+			return $email;
+		}
+
+		$check_email = rest_validate_request_arg( $email, $request, $param );
+		if ( is_wp_error( $check_email ) ) {
+			return $check_email;
+		}
+
+		return $email;
+	}
 }
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.7-RC1-39445';
+$wp_version = '4.7-RC1-39446';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.