From 0438d27410272424a5943b5032efffd4a760aede Mon Sep 17 00:00:00 2001
From: Rachel Baker
Date: Thu, 6 Oct 2016 15:51:31 +0000
Subject: [PATCH] Comments: Improve check for previous comments for authenticated users in `check_comment()`.

When the 'comment_whitelist' option is enabled and the commenter is an authenticated user, query for the existence of an approved comment with a matching `user_id`. This allows authenticated users that have changed their email address to bypass having their comment held for moderation.

Props voldemortensen, rachelbaker.
Fixes #28603.
Built from https://develop.svn.wordpress.org/trunk@38738

git-svn-id: http://core.svn.wordpress.org/trunk@38681 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/comment.php | 9 +++++++--
 wp-includes/version.php | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/wp-includes/comment.php b/wp-includes/comment.php
index 861ad6b802..4a3966824e 100644
--- a/wp-includes/comment.php
+++ b/wp-includes/comment.php
@@ -110,8 +110,13 @@ function check_comment($author, $email, $url, $comment, $user_ip, $user_agent, $
 	 */
 	if ( 1 == get_option('comment_whitelist')) {
 		if ( 'trackback' != $comment_type && 'pingback' != $comment_type && $author != '' && $email != '' ) {
-			// expected_slashed ($author, $email)
-			$ok_to_comment = $wpdb->get_var("SELECT comment_approved FROM $wpdb->comments WHERE comment_author = '$author' AND comment_author_email = '$email' and comment_approved = '1' LIMIT 1");
+			$comment_user = get_user_by( 'email', wp_unslash( $email ) );
+			if ( ! empty( $comment_user->ID ) ) {
+				$ok_to_comment = $wpdb->get_var( $wpdb->prepare( "SELECT comment_approved FROM $wpdb->comments WHERE user_id = %d AND comment_approved = '1' LIMIT 1", $comment_user->ID ) );
+			} else {
+				// expected_slashed ($author, $email)
+				$ok_to_comment = $wpdb->get_var( $wpdb->prepare( "SELECT comment_approved FROM $wpdb->comments WHERE comment_author = %s AND comment_author_email = %s and comment_approved = '1' LIMIT 1", $author, $email ) );
+			}
 			if ( ( 1 == $ok_to_comment ) &&
 				( empty($mod_keys) || false === strpos( $email, $mod_keys) ) )
 					return true;
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 70f676fdd5..338a0066a1 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.7-alpha-38737';
+$wp_version = '4.7-alpha-38738';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
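Review bot: The new `user_id` branch resolves the account purely from the commenter-supplied `$email` via `get_user_by( 'email', ... )`, so nothing in this hunk confirms the commenter is actually authenticated as that account, even though the commit message scopes the change to authenticated users; unless a caller already rejects anonymous submissions that reuse a registered address, any commenter who knows a registered user's email now gets whitelisted on that user's approved-comment history, which is a wider match than the old author+email pair. If the intent is logged-in users only, tie the branch to the session rather than the address, e.g. `if ( ! empty( $comment_user->ID ) && get_current_user_id() === (int) $comment_user->ID ) {`. Separately, the retained `// expected_slashed ($author, $email)` comment in the `else` branch contradicts passing those values straight to `$wpdb->prepare()`, which escapes its arguments itself: if they really arrive slashed, names or addresses containing quotes or backslashes are double-escaped and never match, so either pass `wp_unslash( $author )` and `wp_unslash( $email )` (as the new `get_user_by()` call already does) or drop the stale comment. `check_comment()` begins and ends outside this hunk.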