X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/0f74cdeda4c069bfbb9c4131ef1352f55b6f8499..4ea0dca21bda49aab5ccb91ec12bb4ef5924ed3e:/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
index a3438c5f..79c3d571 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -63,6 +63,12 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 ) );
 
 register_rest_route( $this->namespace, '/' . $this->rest_base . '/(?P[\d]+)', array(
+ 'args' => array(
+ 'id' => array(
+ 'description' => __( 'Unique identifier for the object.' ),
+ 'type' => 'integer',
+ ),
+ ),
 array(
 'methods' => WP_REST_Server::READABLE,
 'callback' => array( $this, 'get_item' ),
@@ -299,6 +305,36 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 return $response;
 }
 
+ /**
+ * Get the comment, if the ID is valid.
+ *
+ * @since 4.7.2
+ *
+ * @param int $id Supplied ID.
+ * @return WP_Comment|WP_Error Comment object if ID is valid, WP_Error otherwise.
+ */
+ protected function get_comment( $id ) {
+ $error = new WP_Error( 'rest_comment_invalid_id', __( 'Invalid comment ID.' ), array( 'status' => 404 ) );
+ if ( (int) $id <= 0 ) {
+ return $error;
+ }
+
+ $id = (int) $id;
+ $comment = get_comment( $id );
+ if ( empty( $comment ) ) {
+ return $error;
+ }
+
+ if ( ! empty( $comment->comment_post_ID ) ) {
+ $post = get_post( (int) $comment->comment_post_ID );
+ if ( empty( $post ) ) {
+ return new WP_Error( 'rest_post_invalid_id', __( 'Invalid post ID.' ), array( 'status' => 404 ) );
+ }
+ }
+
+ return $comment;
+ }
+
 /**
 * Checks if a given request has access to read the comment.
 *
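Review bot: The new get_comment() helper establishes only that the comment (and, when `comment_post_ID` is non-empty, its post) exists; nothing in it calls current_user_can() or any capability check, so a non-error return must not be read as "visible to the current user" and every caller still has to run check_edit_permission() or the read-side equivalent. I would say so in the docblock, e.g. ` * Does not check capabilities; callers must still apply the read/edit permission checks.` Note also that a comment whose `comment_post_ID` is empty (0) skips the post lookup entirely and is returned as valid — behaviour inherited from the removed get_item() code, not introduced here — so the downstream permission checks, which are outside this hunk, need to cope with a post-less comment.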
@@ -309,12 +345,9 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 * @return WP_Error|bool True if the request has read access for the item, error object otherwise.
 */
 public function get_item_permissions_check( $request ) {
- $id = (int) $request['id'];
-
- $comment = get_comment( $id );
-
- if ( ! $comment ) {
- return true;
+ $comment = $this->get_comment( $request['id'] );
+ if ( is_wp_error( $comment ) ) {
+ return $comment;
 }
 
 if ( ! empty( $request['context'] ) && 'edit' === $request['context'] && ! current_user_can( 'moderate_comments' ) ) {
@@ -344,18 +377,9 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 * @return WP_Error|WP_REST_Response Response object on success, or error object on failure.
 */
 public function get_item( $request ) {
- $id = (int) $request['id'];
-
- $comment = get_comment( $id );
- if ( empty( $comment ) ) {
- return new WP_Error( 'rest_comment_invalid_id', __( 'Invalid comment ID.' ), array( 'status' => 404 ) );
- }
-
- if ( ! empty( $comment->comment_post_ID ) ) {
- $post = get_post( $comment->comment_post_ID );
- if ( empty( $post ) ) {
- return new WP_Error( 'rest_post_invalid_id', __( 'Invalid post ID.' ), array( 'status' => 404 ) );
- }
+ $comment = $this->get_comment( $request['id'] );
+ if ( is_wp_error( $comment ) ) {
+ return $comment;
 }
 
 $data = $this->prepare_item_for_response( $comment, $request );
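Review bot: In get_item_permissions_check() the 404 from `$this->get_comment()` is now returned from the permission callback before the `current_user_can( 'moderate_comments' )` check on the following context line runs, so an unauthenticated client can still tell "no such comment ID" (404) from "exists but not readable" (whatever the checks further down return, outside this hunk) by status code alone. This is the same distinction the removed get_item() code already exposed, so it is not a regression, but it is the kind of oracle worth recording next to the early return: `// Existence is settled before any capability check: unknown IDs 404 here, unreadable ones fall through to the checks below.` The callback get_item() in the next hunk repeats the same lookup, which is fine as defence in depth but means two fetches per request where get_comment() is not cached.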
@@ -624,12 +648,12 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 * @return WP_Error|bool True if the request has access to update the item, error object otherwise.
 */
 public function update_item_permissions_check( $request ) {
+ $comment = $this->get_comment( $request['id'] );
+ if ( is_wp_error( $comment ) ) {
+ return $comment;
+ }
 
- $id = (int) $request['id'];
-
- $comment = get_comment( $id );
-
- if ( $comment && ! $this->check_edit_permission( $comment ) ) {
+ if ( ! $this->check_edit_permission( $comment ) ) {
 return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this comment.' ), array( 'status' => rest_authorization_required_code() ) );
 }
 
@@ -646,14 +670,13 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 * @return WP_Error|WP_REST_Response Response object on success, or error object on failure.
 */
 public function update_item( $request ) {
- $id = (int) $request['id'];
-
- $comment = get_comment( $id );
-
- if ( empty( $comment ) ) {
- return new WP_Error( 'rest_comment_invalid_id', __( 'Invalid comment ID.' ), array( 'status' => 404 ) );
+ $comment = $this->get_comment( $request['id'] );
+ if ( is_wp_error( $comment ) ) {
+ return $comment;
 }
 
+ $id = $comment->comment_ID;
+
 if ( isset( $request['type'] ) && get_comment_type( $id ) !== $request['type'] ) {
 return new WP_Error( 'rest_comment_invalid_type', __( 'Sorry, you are not allowed to change the comment type.' ), array( 'status' => 404 ) );
 }
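Review bot: In update_item() the added `$id = $comment->comment_ID;` replaces the removed `$id = (int) $request['id'];`, and WP_Comment properties are populated straight from the database row, so `comment_ID` is presumably a numeric string rather than the int the old line produced — `$id` silently changes type for the rest of update_item(), which continues outside this hunk, and any strict comparison or typed consumer down there will now see a string. Keeping the cast costs nothing: `$id = (int) $comment->comment_ID;`. The `get_comment_type( $id )` call on the next context line is unaffected either way.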
@@ -744,11 +767,9 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 * @return WP_Error|bool True if the request has access to delete the item, error object otherwise.
 */
 public function delete_item_permissions_check( $request ) {
- $id = (int) $request['id'];
- $comment = get_comment( $id );
-
- if ( ! $comment ) {
- return new WP_Error( 'rest_comment_invalid_id', __( 'Invalid comment ID.' ), array( 'status' => 404 ) );
+ $comment = $this->get_comment( $request['id'] );
+ if ( is_wp_error( $comment ) ) {
+ return $comment;
 }
 
 if ( ! $this->check_edit_permission( $comment ) ) {
@@ -767,15 +788,13 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 * @return WP_Error|WP_REST_Response Response object on success, or error object on failure.
 */
 public function delete_item( $request ) {
- $id = (int) $request['id'];
- $force = isset( $request['force'] ) ? (bool) $request['force'] : false;
-
- $comment = get_comment( $id );
-
- if ( empty( $comment ) ) {
- return new WP_Error( 'rest_comment_invalid_id', __( 'Invalid comment ID.' ), array( 'status' => 404 ) );
+ $comment = $this->get_comment( $request['id'] );
+ if ( is_wp_error( $comment ) ) {
+ return $comment;
 }
 
+ $force = isset( $request['force'] ) ? (bool) $request['force'] : false;
+
 /**
 * Filters whether a comment can be trashed.
 *
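Review bot: The re-added `$force = isset( $request['force'] ) ? (bool) $request['force'] : false;` in delete_item() relies on a PHP cast, and `(bool) 'false'` is true, so a client sending `force=false` as a query string would permanently delete rather than trash unless the route declares `force` with a boolean schema that is sanitized before the callback runs. That declaration would live in register_routes(), outside this hunk, so confirm it is there; if it is (with a default), the `isset` ternary is redundant and the line can simply be `$force = (bool) $request['force'];`. If it is not, the cast should be replaced with a proper boolean parse before this line is trusted for a destructive action. delete_item() continues past the end of the hunk.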