[wp-trac] [WordPress Trac] #53008: Creating an anonymous comment with custom fields via REST API

WordPress Trac noreply at wordpress.org
Fri Apr 9 14:16:40 UTC 2021 

#53008: Creating an anonymous comment with custom fields via REST API
--------------------------+-----------------------------
 Reporter:  dawgawel      |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  REST API      |    Version:  5.7
 Severity:  normal        |   Keywords:
  Focuses:  rest-api      |
--------------------------+-----------------------------
 Hi!

 When `rest_allow_anonymous_comments` filter is enabled, I'm able to
 successfully create anonymous comments via REST API POST /comments method,
 without any authorization. Unfortunately, when trying to create a comment
 with a registered, non-protected meta field, I got a 401 error (details
 below). Even when `auth_callback` is forced to return true for that field,
 things don't change. I think that by default, when
 `rest_allow_anonymous_comments` is enabled, one should be able to create a
 comment with meta fields.

 Field definition:

 {{{#!php
 <?php

 add_filter( 'rest_allow_anonymous_comments', '__return_true' );

 register_meta('comment', 'twitter_handle', [
   'single' => true,
   'type' => 'string',
   'show_in_rest' => true,
 ]);
 }}}


 Request:


 {{{
 curl --request POST \
   --url 'http://example.com/wp-json/wp/v2/comments' \
   --header 'Content-Type: application/json' \
   --data '{
         "post": 1,
         "content": "Lorem ipsum",
         "author_name": "Dawid",
         "author_email": "example at example.com",
         "meta": {
                 "twitter_handle": "dmgawel"
         }
 }'
 }}}

 Response:


 {{{
 {
   "code": "rest_cannot_update",
   "message": "Sorry, you are not allowed to edit the twitter_handle custom
 field.",
   "data": {
     "key": "twitter_handle",
     "status": 401
   }
 }
 }}}

 I got the same response for the following meta field definition:

 {{{#!php
 <?php

 add_filter( 'rest_allow_anonymous_comments', '__return_true' );

 register_meta('comment', 'twitter_handle', [
   'single' => true,
   'type' => 'string',
   'show_in_rest' => true,
   'auth_callback' => function(){ return true; }
 ]);
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/53008>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list