From 191e085fa375b46adea3e282e29019c779199317 Mon Sep 17 00:00:00 2001 From: Rachel Baker Date: Fri, 18 Nov 2016 18:37:30 +0000 Subject: [PATCH] REST API: On comment create, return an error if the `type` property is set to anything other than `comment`. Of the default comment_types, only comments are expected to be created via the REST API endpoint. Comments do not have registered types the way that Posts do, so we do not have a method to accurately check permissions for arbitrary comment types. Props dd32, boonebgorges, rachelbaker. Fixes #38820. Built from https://develop.svn.wordpress.org/trunk@39290 git-svn-id: http://core.svn.wordpress.org/trunk@39230 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- .../rest-api/endpoints/class-wp-rest-comments-controller.php | 5 +++++ wp-includes/version.php | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php index ccd172fbe5..a0861ee209 100644 --- a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php +++ b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php @@ -433,6 +433,11 @@ class WP_REST_Comments_Controller extends WP_REST_Controller { return $prepared_comment; } + // Do not allow comments to be created with a non-default type. + if ( ! empty( $request['type'] ) && 'comment' !== $request['type'] ) { + return new WP_Error( 'rest_invalid_comment_type', __( 'Cannot create a comment with that type.' ), array( 'status' => 400 ) ); + } + /* * Do not allow a comment to be created with missing or empty * comment_content. See wp_handle_comment_submission(). diff --git a/wp-includes/version.php b/wp-includes/version.php index d192da5b12..c78f79d6ff 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php 
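Review bot: The guard added in the class-wp-rest-comments-controller.php hunk tests `! empty( $request['type'] )`, and `empty()` is also true for the string `'0'`, so a request carrying `type=0` skips the rejection even though the value is not `comment`. Whether that value can then reach the stored comment type depends on code outside this hunk (the enclosing method starts and ends beyond the visible lines), so that needs confirming. Because the commit message says permissions cannot be checked for arbitrary comment types, an explicit comparison would close the gap, for example `if ( isset( $request['type'] ) && '' !== $request['type'] && 'comment' !== $request['type'] ) {`. The message scopes the change to comment creation; the update path is not visible here and should be checked for the same restriction.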
@@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.7-beta4-39289'; +$wp_version = '4.7-beta4-39290'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.