[wp-trac] [WordPress Trac] #50219: Change in Create Comment JSON API Endpoint Behavior (?)
WordPress Trac
noreply at wordpress.org
Thu May 21 17:07:35 UTC 2020
#50219: Change in Create Comment JSON API Endpoint Behavior (?)
--------------------------+-----------------------------
Reporter: adamfortuna | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: 5.4.1
Severity: normal | Keywords:
Focuses: rest-api |
--------------------------+-----------------------------
Hey hey! I've been looking through the
[https://make.wordpress.org/core/2020/02/29/rest-api-changes-in-5-4/ 5.4]
and [https://wordpress.org/support/wordpress-version/version-5-4-1/ 5.4.1]
changes and didn't see this one, so wanted to report it here.
I updated from 5.3.x to 5.4.1 and saw this change in this endpoint:
{{{
POST /wp/v2/comments
}}}
**5.3.x behavior:**
I was hitting the /wp/v2/comments using basic authentication with the JSON
Basic Authentication plugin. I'd hit this URL when authenticated as an
administrator to create comments on behalf of other users. These requests
had the email, website, ip, and other details of the other user – not of
the authenticated administrator.
This includes passing in all of the parameters listed in the
[https://developer.wordpress.org/rest-
api/reference/comments/#create-a-comment create a comment API] docs.
**5.4.1 behavior:**
POSTing to this URL with basic authentication in the same way as before
returned this message.
{{{
{:response=>{"code"=>"rest_comment_login_required", "message"=>"Sorry, you
must be logged in to comment.", "data"=>{"status"=>401}}
}}}
Anonymous comments are enabled via the WordPress Admin, but I needed to
add this line to accept these REST comments.
{{{
add_filter( 'rest_allow_anonymous_comments', '__return_true' );
}}}
This seemed a weird though because I'm already authenticating via basic
auth so this shouldn't be an anonymous comment. Has something changed to
prioritize a different form of authentication that might be overriding
JSON Basic Authentication plugin's auth?
With the 'rest_allow_anonymous_comments' options enabled, I was able to
create a comment as before, so the API endpoint is for sure working. I did
have to disable passing over two fields for this to work: 'author_ip' and
'status' – which would make sense to not be settable if this is an
anonymous comment.
**Takeaway / guess at what's up**: Something changed with authorization
that's not defaulting to the logged in user via basic auth. Instead, it's
creating the comment as wherever the POST is coming from. This behavior
would be how that endpoint would work when coming from a front-end form
that's POSTing to the endpoint, but not for a back-end API requestion.
Hopefully it's something on my part I'm missing!
**Steps to reproduce:**
This is using Ruby and the [https://github.com/jnunemaker/httparty
HTTparty gem]. This file is also attached.
{{{
require 'httparty'
site_url = ENV['wordpress_url']
encoded_auth =
Base64.encode64("#{ENV['wordpress_username']}:#{ENV['wordpress_password']}")
auth = { headers: { 'Authorization': "Basic #{encoded_auth}" } }
post_id = 14200
comment = comment_params = {
'author_ip': '172.16.254.1',
'status': 'pending',
'author_user_agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138
Safari/537.36",
'author_email': "user at example.com",
'author_name': "Adam",
'author_url': "http://example.com",
'content': "<p>this is a test comment</p>",
'date': "2020-05-21T16:10:11Z",
'date_gmt': "2020-05-21T16:10:11Z",
'parent': 0,
'post': post_id
}
params = auth.merge(body: comment)
res = HTTParty.post("#{site_url}/wp-json/wp/v2/comments", params)
# = {"code":"rest_comment_login_required","message":"Sorry, you must be
logged in to comment.","data":{"status":401}}
# If we add add_filter( 'rest_allow_anonymous_comments', '__return_true'
); to the Wordpress side and re-run this, the error changes to:
#=> {"code":"rest_comment_invalid_author_ip","message":"Sorry, you are not
allowed to edit ''author_ip'' for comments.","data":{"status":401}}
# If we remove `author_ip` from the params and re-run this, we get this
message:
#=> {"code":"rest_comment_invalid_status","message":"Sorry, you are not
allowed to edit ''status'' for comments.","data":{"status":401}}
# If we remove `status` and re-run this, then it works, but every comment
has the IP address of the server
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50219>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list