[wp-trac] [WordPress Trac] #38819: REST API: Limit what users can set `author_ip` in the Comments endpoint
WordPress Trac
noreply at wordpress.org
Wed Nov 16 13:06:30 UTC 2016
#38819: REST API: Limit what users can set `author_ip` in the Comments endpoint
--------------------------+-----------------
Reporter: dd32 | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.7
Component: Comments | Version:
Severity: normal | Keywords:
Focuses: rest-api |
--------------------------+-----------------
The Comments endpoint currently requires the caller to set the `author_ip`
field, including for unauthed anonymous comments.
The API should not allow an anonymous user to set the IP address of the
comment.
Furthermore, the documentation suggests that the default IP of `127.0.0.1`
will be used if not presented; this should default to
`$_SERVER['REMOTE_ADDR']` instead, and only authorized users should be
able to override that.
I personally do not believe any cap should be able to override the field,
and that it should be hard-coded to always use `REMOTE_ADDR` unless a
plugin allows otherwise (or `REMOTE_ADDR` is unavailable in the
environment), however, in following with the other API designs in the
endpoint, it would make sense to limit it to users with the
`moderate_comments` cap.
The attached patch is a movement towards this, but fails as I couldn't see
how to make the defaults play nicely together with the cap check. Further
checks probably are needed to prevent the field being edited as well.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38819>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
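As an added example, not the patch attached to this ticket and not core code, the following mu-plugin filter enforces the behaviour the description asks for: unprivileged and anonymous callers always get `REMOTE_ADDR`, and only `moderate_comments` holders may supply their own value. It assumes WordPress 4.7+ (the `rest_pre_insert_comment` filter and the `comment_author_IP` key of the prepared comment array); the function name is hypothetical.

```php
<?php
/**
 * Added example (not the ticket's patch): restrict who may set `author_ip`
 * on the REST Comments endpoint.
 *
 * Assumes WP 4.7+: `rest_pre_insert_comment` receives the prepared comment
 * array and the WP_REST_Request, and a returned WP_Error aborts the insert.
 */
add_filter( 'rest_pre_insert_comment', 'example_restrict_comment_author_ip', 10, 2 );

function example_restrict_comment_author_ip( $prepared_comment, $request ) {
    if ( is_wp_error( $prepared_comment ) ) {
        return $prepared_comment;
    }

    $remote_addr = isset( $_SERVER['REMOTE_ADDR'] )
        ? (string) $_SERVER['REMOTE_ADDR']
        : '';

    // Anonymous callers and users without the cap: whatever they sent for
    // `author_ip` is discarded and the connecting address is used instead.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        $prepared_comment['comment_author_IP'] = $remote_addr;
        return $prepared_comment;
    }

    // Moderators may override, but only with something that parses as an IP.
    if ( isset( $request['author_ip'] ) ) {
        $candidate = (string) $request['author_ip'];
        if ( false === filter_var( $candidate, FILTER_VALIDATE_IP ) ) {
            return new WP_Error(
                'rest_comment_invalid_author_ip',
                __( 'Invalid IP address in author_ip.' ),
                array( 'status' => 400 )
            );
        }
        $prepared_comment['comment_author_IP'] = $candidate;
    } elseif ( empty( $prepared_comment['comment_author_IP'] ) ) {
        // No override supplied: fall back to REMOTE_ADDR rather than 127.0.0.1.
        $prepared_comment['comment_author_IP'] = $remote_addr;
    }

    return $prepared_comment;
}
```

Because the endpoint runs the same preparation step for updates, the filter also covers the "prevent the field being edited" case the description mentions.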