[wp-trac] [WordPress Trac] #38820: REST API: Clients should not be allowed to set arbitrary comment_type's

WordPress Trac noreply at wordpress.org
Wed Nov 16 23:32:00 UTC 2016


#38820: REST API: Clients should not be allowed to set arbitrary comment_type's
--------------------------+-----------------------
 Reporter:  dd32          |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  4.7
Component:  Comments      |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:  rest-api
--------------------------+-----------------------

Comment (by dd32):

 Replying to [comment:2 boonebgorges]:
 > Replying to [comment:1 dd32]:
 > > I'll also add that I'm not sure a user with `moderate_comments`
 > > capability should be allowed to set this field either, but followed that
 > > inline with what the other fields in the API endpoint require. I'd be all
 > > for rejecting all requests which attempted to set it (unless a plugin had
 > > allowed it somehow).
 >
 > This seems right to me with respect to updates. I don't think there's
 > precedent elsewhere in core for allowing 'moderate_comments' users, or
 > anyone, to change comment types. And in fact, `update_item()` already
 > disallows the changing of comment types. If this isn't about permissions
 > (and I don't think it is) then the check probably belongs in
 > `create_item()`. See [attachment:38820.2.diff].

 Yep, it prevents you changing the comment type after-the-fact (which
 sounds correct to me). I put the checks into the comment creation
 permission check function as that's where permission checks in the rest
 api belong AFAIK.
 My comment about `moderate_comments` was that currently the rest of the
 API allows a user with that cap to override most of the checks in
 place, so I went with that for this one too - although I think that should
 probably be reviewed too. I'm all for removing that check from my patch.

 > Is the intent to support 'trackback' and 'pingback' creation via the
 > core endpoint? @dd32 your patch hardcoded 'comment' only, but my patch
 > includes all three core types.
 It currently allows that, but I don't think that's correct - a
 trackback/pingback shouldn't be able to be created via a comment creation
 api, that should only be created via the trackback/pingback entry points
 (and their validation/sanitization of the pingback/trackback).

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38820#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
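The two positions discussed above (a `moderate_comments` bypass versus rejecting every non-'comment' type on creation), as an added PHP example that is not one of the ticket's patches or core code. It assumes the core classes `WP_Error` and `WP_REST_Request` are loaded and that a `WP_Error` returned from the `rest_pre_insert_comment` filter aborts `create_item()`; the function names and the error string are made up for the example.

```php
<?php
// Added example for ticket #38820 (not core code): allowlist the `type`
// field of a REST comment-creation request. Assumes WP_Error and
// WP_REST_Request are available (i.e. the code runs inside WordPress).

// Weak variant from the thread: any non-'comment' type is rejected unless the
// caller holds `moderate_comments`, which still lets a moderator create a
// 'pingback' or 'trackback' through the comments endpoint, bypassing the
// validation that the real pingback/trackback entry points perform.
function wp38820_check_comment_type_weak( WP_REST_Request $request ) {
    $type = isset( $request['type'] ) ? $request['type'] : 'comment';
    if ( 'comment' === $type || current_user_can( 'moderate_comments' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_invalid_comment_type',
        'Cannot create a comment with that type.',
        array( 'status' => 400 )
    );
}

// Hardened variant: 'comment' is the only type this endpoint accepts, for
// every caller. A missing `type` defaults to 'comment'; an explicit value is
// compared with strict equality so '' or an array cannot slip through.
function wp38820_check_comment_type( WP_REST_Request $request ) {
    $type = isset( $request['type'] ) ? $request['type'] : 'comment';
    if ( 'comment' !== $type ) {
        return new WP_Error(
            'rest_invalid_comment_type',
            'Cannot create a comment with that type.',
            array( 'status' => 400 )
        );
    }
    return true;
}

// Wire the hardened check into the creation path from a plugin. The filter
// runs inside create_item() before the comment is inserted; returning the
// WP_Error here aborts the request (assumed filter behaviour, see lead-in).
add_filter( 'rest_pre_insert_comment', function ( $prepared_comment, $request ) {
    $check = wp38820_check_comment_type( $request );
    return is_wp_error( $check ) ? $check : $prepared_comment;
}, 10, 2 );
```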

