From 4e05ff6a1166cad75d0002a34bbfd8d74e4f77ec Mon Sep 17 00:00:00 2001
From: Ryan McCue
Date: Mon, 21 Nov 2016 05:32:33 +0000
Subject: [PATCH] REST API: Disable anonymous commenting by default.
Adding a brand new anonymous comment method is a potential conduit for spam. Since it's still useful functionality, we're now hiding it behind a filter to allow plugins and themes to turn it on if they do want it. Props helen, rachelbaker, joehoyle. Fixes #38855.
Built from https://develop.svn.wordpress.org/trunk@39327
git-svn-id: http://core.svn.wordpress.org/trunk@39267 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 .../class-wp-rest-comments-controller.php | 22 +++++++++++++++++--
 wp-includes/version.php | 2 +-
 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
index 9071697f9a..0ddd023605 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -366,9 +366,27 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
  * @return WP_Error|bool True if the request has access to create items, error object otherwise.
  */
  public function create_item_permissions_check( $request ) {
+ if ( ! is_user_logged_in() ) {
+ if ( get_option( 'comment_registration' ) ) {
+ return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) );
+ }
 
- if ( ! is_user_logged_in() && get_option( 'comment_registration' ) ) {
- return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) );
+ /**
+ * Filter whether comments can be created without authentication.
+ *
+ * Enables creating comments for anonymous users.
+ *
+ * @since 4.7.0
+ *
+ * @param bool $allow_anonymous Whether to allow anonymous comments to
+ * be created. Default `false`.
+ * @param WP_REST_Request $request Request used to generate the
+ * response.
+ */
+ $allow_anonymous = apply_filters( 'rest_allow_anonymous_comments', false, $request );
+ if ( false === $allow_anonymous ) {
+ return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) );
+ }
 }
 
 // Limit who can set comment `author`, `author_ip` or `status` to anything other than the default.
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 55d417dbab..7c9b16bf00 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.7-beta4-39326';
+$wp_version = '4.7-beta4-39327';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
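Review bot: The new gate `if ( false === $allow_anonymous )` fails open: any filter callback that returns something other than the literal boolean `false` — `null` from a hook that forgets to `return`, `0`, `''`, `'0'` — slips past the strict comparison and enables unauthenticated comment creation, which is the default the commit message says it wants closed. Test for an explicit opt-in instead so a buggy or lazy callback keeps the endpoint locked: `if ( ! $allow_anonymous ) {` (or the stricter `if ( true !== $allow_anonymous ) {`). The filter docblock should spell that contract out too, e.g. `Return boolean true to allow anonymous comments; any other value keeps them disabled.` so plugin authors do not rely on the current accidental truthiness. Note that create_item_permissions_check continues past the end of the hunk, so the author/author_ip/status restrictions that follow the anonymous check are not visible here.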