Comments: Prevent replying to unapproved comments.

Introduces client and server side validation to ensure the `replytocom` query string parameter cannot be exploited to reply to an unapproved comment or display the name of an unapproved commenter.

This only affects commenting via the front end of the site. Comment replies via the dashboard continue their current behaviour of logging the reply and approving the parent comment.

Introduces the `$post` parameter, defaulting to the current global post, to `get_cancel_comment_reply_link()` and `comment_form_title()`.

Introduces `_get_comment_reply_id()` for determining the comment reply ID based on the `replytocom` query string parameter.

Renames the parameter `$post_id` to `$post` in `get_comment_id_fields()` and `comment_id_fields()` to accept either a post ID or `WP_Post` object.

Adds a new `WP_Error` return state to `wp_handle_comment_submission()` to prevent replies to unapproved comments. The error code is `comment_reply_to_unapproved_comment` with the message `Sorry, replies to unapproved comments are not allowed.`.

Props costdev, jrf, hellofromtonya, fasuto, boniu91, milana_cap.
Fixes #53962.


git-svn-id: https://develop.svn.wordpress.org/trunk@55369 602fd350-edb4-49c9-b593-d223f7449a82
Author: Peter Wilson
Date: 2023-02-21 01:43:33 +00:00
Parent: cdcbfd19f4
Commit: 2a753c1057
4 changed files with 658 additions and 43 deletions


@@ -3475,7 +3475,28 @@ function wp_handle_comment_submission( $comment_data ) {
$comment_content = trim( $comment_data['comment'] );
}
if ( isset( $comment_data['comment_parent'] ) ) {
$comment_parent = absint( $comment_data['comment_parent'] );
$comment_parent = absint( $comment_data['comment_parent'] );
$comment_parent_object = get_comment( $comment_parent );
if (
0 !== $comment_parent &&
(
! $comment_parent_object instanceof WP_Comment ||
0 === (int) $comment_parent_object->comment_approved
)
) {
/**
* Fires when a comment reply is attempted to an unapproved comment.
*
* @since 6.2.0
*
* @param int $comment_post_id Post ID.
* @param int $comment_parent Parent comment ID.
*/
do_action( 'comment_reply_to_unapproved_comment', $comment_post_id, $comment_parent );
return new WP_Error( 'comment_reply_to_unapproved_comment', __( 'Sorry, replies to unapproved comments are not allowed.' ), 403 );
}
}
$post = get_post( $comment_post_id );
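Review bot: the new guard verifies that the parent comment exists and is approved but never verifies that it belongs to the post being commented on; before accepting the reply, `(int) $comment_parent_object->comment_post_ID` should be compared with `(int) $comment_post_id`, otherwise a `comment_parent` taken from a different post passes validation and the reply is stored under this post. Also, `0 === (int) $comment_parent_object->comment_approved` only rejects `'spam'` and `'trash'` because those strings cast to 0; a strict `'1' !== $comment_parent_object->comment_approved` states the intent directly and will not silently accept a future non-numeric status. The docblock for the new action should note that the submission is rejected with a `WP_Error` immediately after it fires, so callbacks cannot alter the outcome.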
@@ -3560,7 +3581,6 @@ function wp_handle_comment_submission( $comment_data ) {
return new WP_Error( 'comment_on_password_protected' );
} else {
/**
* Fires before a comment is posted.
*
@@ -3569,7 +3589,6 @@ function wp_handle_comment_submission( $comment_data ) {
* @param int $comment_post_id Post ID.
*/
do_action( 'pre_comment_on_post', $comment_post_id );
}
// If the user is logged in.
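Review bot: with the early return added above in the `comment_parent` block, `pre_comment_on_post` now fires only for submissions that have already passed the unapproved-parent check, so plugins hooked to it for logging or throttling will no longer see rejected replies; that behaviour change deserves a line in this action's docblock (and in the commit message), since the new `comment_reply_to_unapproved_comment` action is the only signal those callbacks get for rejected submissions.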