REST API: On comment create, return an error if the type property is set to anything other than comment.

Of the default comment_types, only comments are expected to be created via the REST API endpoint. Comments do not have registered types the way that Posts do, so we do not have a method to accurately check permissions for arbitrary comment types. Props dd32, boonebgorges, rachelbaker. Fixes #38820. git-svn-id: https://develop.svn.wordpress.org/trunk@39290 602fd350-edb4-49c9-b593-d223f7449a82
2026-06-28 22:30:04 +00:00 · 2016-11-18 18:36:10 +00:00
parent 659822098a
commit f553ad6277
2 changed files with 34 additions and 0 deletions
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -433,6 +433,11 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 			return $prepared_comment;
 		}

+		// Do not allow comments to be created with a non-default type.
+		if ( ! empty( $request['type'] ) && 'comment' !== $request['type'] ) {
+			return new WP_Error( 'rest_invalid_comment_type', __( 'Cannot create a comment with that type.' ), array( 'status' => 400 ) );
+		}
+
 		/*
 		 * Do not allow a comment to be created with missing or empty
 		 * comment_content. See wp_handle_comment_submission().