[wp-trac] [WordPress Trac] #38820: REST API: Clients should not be allowed to set arbitrary comment_type's

WordPress Trac noreply at wordpress.org
Wed Nov 16 17:06:09 UTC 2016


#38820: REST API: Clients should not be allowed to set arbitrary comment_type's
--------------------------+-----------------------
 Reporter:  dd32          |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  4.7
Component:  Comments      |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:  rest-api
--------------------------+-----------------------

Comment (by boonebgorges):

 Replying to [comment:1 dd32]:
 > I'll also add that I'm not sure a user with `moderate_comments`
 > capability should be allowed to set this field either, but followed that
 > inline with what the other fields in the API endpoint require. I'd be all
 > for rejecting all requests which attempted to set it (unless a plugin had
 > allowed it somehow).

 This seems right to me with respect to updates. I don't think there's
 precedent elsewhere in core for allowing 'moderate_comments' users, or
 anyone, to change comment types. And in fact, `update_item()` already
 disallows the changing of comment types. If this isn't about permissions
 (and I don't think it is) then the check probably belongs in
 `create_item()`. See [attachment:38820.2.diff].

 Is the intent to support 'trackback' and 'pingback' creation via the core
 endpoint? @dd32 your patch hardcoded 'comment' only, but my patch includes
 all three core types.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38820#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

