[wp-trac] [WordPress Trac] #38819: REST API: Limit what users can set `author_ip` in the Comments endpoint
WordPress Trac
noreply at wordpress.org
Fri Nov 18 20:54:22 UTC 2016
#38819: REST API: Limit what users can set `author_ip` in the Comments endpoint
------------------------------+--------------------------
Reporter: dd32 | Owner: rachelbaker
Type: defect (bug) | Status: reviewing
Priority: normal | Milestone: 4.7
Component: Comments | Version:
Severity: normal | Resolution:
Keywords: has-patch commit | Focuses: rest-api
------------------------------+--------------------------
Comment (by rachelbaker):
@joehoyle I think this is close, but the more I look at this... ticket
here is what I think should happen:

users with the `moderate_comments` capability:
 1. can set the `author_ip` property directly to a valid IP value
 2. otherwise, fallback to the `$_SERVER['REMOTE_ADDR']` if present and a
    valid IP value
 3. finally, fallback to `127.0.0.1`

users withOUT the `moderate_comments` capability:
 1. canNOT set the `author_ip` property directly, and instead receive a
    `WP_Error` if they attempt to do so
 2. the `author_ip` property is populated from `$_SERVER['REMOTE_ADDR']` if
    present and a valid IP value
 3. otherwise, fallback to `127.0.0.1`

what do you think? does this sound sane to you?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38819#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
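
The decision rules proposed in the comment above, as an added standalone example; this is not WordPress core code and not the patch attached to the ticket. The function name `resolve_comment_author_ip()`, its parameters, the returned array shape and the sample addresses are assumptions made for illustration, and PHP's `filter_var()` stands in for whatever IP validation the endpoint uses.

```php
<?php
/**
 * Hypothetical helper implementing the rules from the ticket comment.
 *
 * @param bool        $can_moderate Whether the user has `moderate_comments`.
 * @param string|null $requested_ip `author_ip` from the request, null if not sent.
 * @param array       $server       Copy of $_SERVER.
 * @return array ['ip' => string] on success, ['error' => string] on rejection.
 */
function resolve_comment_author_ip( bool $can_moderate, ?string $requested_ip, array $server ): array {
    if ( null !== $requested_ip ) {
        if ( ! $can_moderate ) {
            // Non-moderators may not supply author_ip; core would return a WP_Error here.
            return array( 'error' => 'author_ip cannot be set by this user' );
        }
        if ( false !== filter_var( $requested_ip, FILTER_VALIDATE_IP ) ) {
            return array( 'ip' => $requested_ip );
        }
        // Assumption: an invalid value from a moderator falls through to the
        // fallbacks; the comment does not say whether it should be rejected.
    }

    // Both groups: use REMOTE_ADDR only if it is present and a valid IP.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ( is_string( $remote ) && false !== filter_var( $remote, FILTER_VALIDATE_IP ) ) {
        return array( 'ip' => $remote );
    }

    // Final fallback named in the comment (e.g. no REMOTE_ADDR under CLI).
    return array( 'ip' => '127.0.0.1' );
}

// Constructed sample inputs using documentation-range addresses.
$cases = array(
    'moderator sets valid IP'     => array( true, '198.51.100.20', array( 'REMOTE_ADDR' => '203.0.113.7' ) ),
    'moderator sets invalid IP'   => array( true, 'not-an-ip', array( 'REMOTE_ADDR' => '203.0.113.7' ) ),
    'moderator, no author_ip'     => array( true, null, array( 'REMOTE_ADDR' => '203.0.113.7' ) ),
    'non-moderator sets IP'       => array( false, '198.51.100.20', array( 'REMOTE_ADDR' => '203.0.113.7' ) ),
    'non-moderator, bad REMOTE'   => array( false, null, array( 'REMOTE_ADDR' => 'garbage' ) ),
    'non-moderator, no REMOTE'    => array( false, null, array() ),
);

foreach ( $cases as $label => $args ) {
    printf( "%-28s %s\n", $label, json_encode( resolve_comment_author_ip( ...$args ) ) );
}
```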