REST API: Fix bug where comment author and author email could be an empty string when creating a comment.

If the `require_name_email` option is true, creating a comment with an empty string for the author name or email should not be accepted. Both values can be an empty string on update. Props flixos90, hnle, dd32, rachelbaker, jnylen0, ChopinBach, joehoyle, pento. Fixes #38971. Built from https://develop.svn.wordpress.org/trunk@39444 git-svn-id: http://core.svn.wordpress.org/trunk@39384 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-09-26 06:13:07 +02:00 · 2016-12-02 22:44:42 +00:00 · 2016-12-02 22:44:42 +00:00 · 179e9f20b6
commit 179e9f20b6
parent a4042140f0
2 changed files with 35 additions and 10 deletions
--- a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@ -508,17 +508,9 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {

 		// Honor the discussion setting that requires a name and email address of the comment author.
 		if ( get_option( 'require_name_email' ) ) {
-			if ( ! isset( $prepared_comment['comment_author'] ) && ! isset( $prepared_comment['comment_author_email'] ) ) {
+			if ( empty( $prepared_comment['comment_author'] ) || empty( $prepared_comment['comment_author_email'] ) ) {
 				return new WP_Error( 'rest_comment_author_data_required', __( 'Creating a comment requires valid author name and email values.' ), array( 'status' => 400 ) );
 			}
-
-			if ( ! isset( $prepared_comment['comment_author'] ) ) {
-				return new WP_Error( 'rest_comment_author_required', __( 'Creating a comment requires a valid author name.' ), array( 'status' => 400 ) );
-			}
-
-			if ( ! isset( $prepared_comment['comment_author_email'] ) ) {
-				return new WP_Error( 'rest_comment_author_email_required', __( 'Creating a comment requires a valid author email.' ), array( 'status' => 400 ) );
-			}
 		}

 		if ( ! isset( $prepared_comment['comment_author_email'] ) ) {
@ -1155,6 +1147,10 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 					'type'         => 'string',
 					'format'       => 'email',
 					'context'      => array( 'edit' ),
+					'arg_options'  => array(
+						'sanitize_callback' => array( $this, 'check_comment_author_email' ),
+						'validate_callback' => null, // skip built-in validation of 'email'.
+					),
 				),
 				'author_ip'     => array(
 					'description'  => __( 'IP address for the object author.' ),
@ -1581,4 +1577,33 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {

 		return current_user_can( 'edit_comment', $comment->comment_ID );
 	}
+
+	/**
+	 * Checks a comment author email for validity.
+	 *
+	 * Accepts either a valid email address or empty string as a valid comment
+	 * author email address. Setting the comment author email to an empty
+	 * string is allowed when a comment is being updated.
+	 *
+	 * @since 4.7.0
+	 *
+	 * @param string          $value   Author email value submitted.
+	 * @param WP_REST_Request $request Full details about the request.
+	 * @param string          $param   The parameter name.
+	 * @return WP_Error|string The sanitized email address, if valid,
+	 *                         otherwise an error.
+	 */
+	public function check_comment_author_email( $value, $request, $param ) {
+		$email = (string) $value;
+		if ( empty( $email ) ) {
+			return $email;
+		}
+
+		$check_email = rest_validate_request_arg( $email, $request, $param );
+		if ( is_wp_error( $check_email ) ) {
+			return $check_email;
+		}
+
+		return $email;
+	}
 }
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.8-alpha-39443';
+$wp_version = '4.8-alpha-39444';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.