[wp-trac] [WordPress Trac] #50219: Change in Create Comment JSON API Endpoint Behavior (?)

WordPress Trac noreply at wordpress.org
Thu May 21 17:07:35 UTC 2020


#50219: Change in Create Comment JSON API Endpoint Behavior (?)
--------------------------+-----------------------------
 Reporter:  adamfortuna   |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  REST API      |    Version:  5.4.1
 Severity:  normal        |   Keywords:
  Focuses:  rest-api      |
--------------------------+-----------------------------
 Hey hey! I've been looking through the
 [https://make.wordpress.org/core/2020/02/29/rest-api-changes-in-5-4/ 5.4]
 and [https://wordpress.org/support/wordpress-version/version-5-4-1/ 5.4.1]
 changes and didn't see this one, so wanted to report it here.

 I updated from 5.3.x to 5.4.1 and saw this change in this endpoint:

 {{{
 POST /wp/v2/comments
 }}}

 **5.3.x behavior:**
 I was hitting the /wp/v2/comments using basic authentication with the JSON
 Basic Authentication plugin. I'd hit this URL when authenticated as an
 administrator to create comments on behalf of other users. These requests
 had the email, website, ip, and other details of the other user – not of
 the authenticated administrator.

 This includes passing in all of the parameters listed in the
 [https://developer.wordpress.org/rest-
 api/reference/comments/#create-a-comment create a comment API] docs.

 **5.4.1 behavior:**
 POSTing to this URL with basic authentication in the same way as before
 returned this message.

 {{{
 {:response=>{"code"=>"rest_comment_login_required", "message"=>"Sorry, you
 must be logged in to comment.", "data"=>{"status"=>401}}
 }}}

 Anonymous comments are enabled via the WordPress Admin, but I needed to
 add this line to accept these REST comments.

 {{{
 add_filter( 'rest_allow_anonymous_comments', '__return_true' );
 }}}

 This seemed a weird though because I'm already authenticating via basic
 auth so this shouldn't be an anonymous comment. Has something changed to
 prioritize a different form of authentication that might be overriding
 JSON Basic Authentication plugin's auth?

 With the 'rest_allow_anonymous_comments' options enabled, I was able to
 create a comment as before, so the API endpoint is for sure working. I did
 have to disable passing over two fields for this to work: 'author_ip' and
 'status' – which would make sense to not be settable if this is an
 anonymous comment.

 **Takeaway / guess at what's up**: Something changed with authorization
 that's not defaulting to the logged in user via basic auth. Instead, it's
 creating the comment as wherever the POST is coming from. This behavior
 would be how that endpoint would work when coming from a front-end form
 that's POSTing to the endpoint, but not for a back-end API requestion.

 Hopefully it's something on my part I'm missing!

 **Steps to reproduce:**

 This is using Ruby and the [https://github.com/jnunemaker/httparty
 HTTparty gem]. This file is also attached.

 {{{
 require 'httparty'

 site_url =  ENV['wordpress_url']
 encoded_auth =
 Base64.encode64("#{ENV['wordpress_username']}:#{ENV['wordpress_password']}")
 auth =  { headers: { 'Authorization': "Basic #{encoded_auth}" } }
 post_id = 14200

 comment = comment_params = {
   'author_ip': '172.16.254.1',
   'status': 'pending',
   'author_user_agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3)
 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138
 Safari/537.36",
   'author_email': "user at example.com",
   'author_name': "Adam",
   'author_url': "http://example.com",
   'content': "<p>this is a test comment</p>",
   'date': "2020-05-21T16:10:11Z",
   'date_gmt': "2020-05-21T16:10:11Z",
   'parent': 0,
   'post': post_id
 }

 params = auth.merge(body: comment)
 res = HTTParty.post("#{site_url}/wp-json/wp/v2/comments", params)

 # = {"code":"rest_comment_login_required","message":"Sorry, you must be
 logged in to comment.","data":{"status":401}}


 # If we add add_filter( 'rest_allow_anonymous_comments', '__return_true'
 ); to the Wordpress side and re-run this, the error changes to:
 #=> {"code":"rest_comment_invalid_author_ip","message":"Sorry, you are not
 allowed to edit ''author_ip'' for comments.","data":{"status":401}}

 # If we remove `author_ip` from the params and re-run this, we get this
 message:
 #=> {"code":"rest_comment_invalid_status","message":"Sorry, you are not
 allowed to edit ''status'' for comments.","data":{"status":401}}

 # If we remove `status` and re-run this, then it works, but every comment
 has the IP address of the server
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50219>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list