[wp-trac] [WordPress Trac] #50219: Change in Create Comment JSON API Endpoint Behavior (?)
WordPress Trac
noreply at wordpress.org
Thu May 21 17:15:16 UTC 2020
#50219: Change in Create Comment JSON API Endpoint Behavior (?)
-------------------------------+------------------------------
Reporter: adamfortuna | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: 5.4.1
Severity: normal | Resolution:
Keywords: reporter-feedback | Focuses: rest-api
-------------------------------+------------------------------
Changes (by TimothyBlynJacobs):
* keywords: => reporter-feedback
Old description:
> Hey hey! I've been looking through the
> [https://make.wordpress.org/core/2020/02/29/rest-api-changes-in-5-4/ 5.4]
> and [https://wordpress.org/support/wordpress-version/version-5-4-1/
> 5.4.1] changes and didn't see this one, so wanted to report it here.
>
> I updated from 5.3.x to 5.4.1 and saw this change in this endpoint:
>
> {{{
> POST /wp/v2/comments
> }}}
>
> **5.3.x behavior:**
> I was hitting the /wp/v2/comments using basic authentication with the
> JSON Basic Authentication plugin. I'd hit this URL when authenticated as
> an administrator to create comments on behalf of other users. These
> requests had the email, website, ip, and other details of the other user
> – not of the authenticated administrator.
>
> This includes passing in all of the parameters listed in the
> [https://developer.wordpress.org/rest-
> api/reference/comments/#create-a-comment create a comment API] docs.
>
> **5.4.1 behavior:**
> POSTing to this URL with basic authentication in the same way as before
> returned this message.
>
> {{{
> {:response=>{"code"=>"rest_comment_login_required", "message"=>"Sorry,
> you must be logged in to comment.", "data"=>{"status"=>401}}
> }}}
>
> Anonymous comments are enabled via the WordPress Admin, but I needed to
> add this line to accept these REST comments.
>
> {{{
> add_filter( 'rest_allow_anonymous_comments', '__return_true' );
> }}}
>
> This seemed a weird though because I'm already authenticating via basic
> auth so this shouldn't be an anonymous comment. Has something changed to
> prioritize a different form of authentication that might be overriding
> JSON Basic Authentication plugin's auth?
>
> With the 'rest_allow_anonymous_comments' options enabled, I was able to
> create a comment as before, so the API endpoint is for sure working. I
> did have to disable passing over two fields for this to work: 'author_ip'
> and 'status' – which would make sense to not be settable if this is an
> anonymous comment.
>
> **Takeaway / guess at what's up**: Something changed with authorization
> that's not defaulting to the logged in user via basic auth. Instead, it's
> creating the comment as wherever the POST is coming from. This behavior
> would be how that endpoint would work when coming from a front-end form
> that's POSTing to the endpoint, but not for a back-end API requestion.
>
> Hopefully it's something on my part I'm missing!
>
> **Steps to reproduce:**
>
> This is using Ruby and the [https://github.com/jnunemaker/httparty
> HTTparty gem]. This file is also attached.
>
> {{{
> require 'httparty'
>
> site_url = ENV['wordpress_url']
> encoded_auth =
> Base64.encode64("#{ENV['wordpress_username']}:#{ENV['wordpress_password']}")
> auth = { headers: { 'Authorization': "Basic #{encoded_auth}" } }
> post_id = 14200
>
> comment = comment_params = {
> 'author_ip': '172.16.254.1',
> 'status': 'pending',
> 'author_user_agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3)
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138
> Safari/537.36",
> 'author_email': "user at example.com",
> 'author_name': "Adam",
> 'author_url': "http://example.com",
> 'content': "<p>this is a test comment</p>",
> 'date': "2020-05-21T16:10:11Z",
> 'date_gmt': "2020-05-21T16:10:11Z",
> 'parent': 0,
> 'post': post_id
> }
>
> params = auth.merge(body: comment)
> res = HTTParty.post("#{site_url}/wp-json/wp/v2/comments", params)
>
> # = {"code":"rest_comment_login_required","message":"Sorry, you must be
> logged in to comment.","data":{"status":401}}
>
> # If we add add_filter( 'rest_allow_anonymous_comments', '__return_true'
> ); to the Wordpress side and re-run this, the error changes to:
> #=> {"code":"rest_comment_invalid_author_ip","message":"Sorry, you are
> not allowed to edit ''author_ip'' for comments.","data":{"status":401}}
>
> # If we remove `author_ip` from the params and re-run this, we get this
> message:
> #=> {"code":"rest_comment_invalid_status","message":"Sorry, you are not
> allowed to edit ''status'' for comments.","data":{"status":401}}
>
> # If we remove `status` and re-run this, then it works, but every comment
> has the IP address of the server
> }}}
New description:
Hey hey! I've been looking through the
[https://make.wordpress.org/core/2020/02/29/rest-api-changes-in-5-4/ 5.4]
and [https://wordpress.org/support/wordpress-version/version-5-4-1/ 5.4.1]
changes and didn't see this one, so wanted to report it here.
I updated from 5.3.x to 5.4.1 and saw this change in this endpoint:
{{{
POST /wp/v2/comments
}}}
**5.3.x behavior:**
I was hitting the /wp/v2/comments using basic authentication with the JSON
Basic Authentication plugin. I'd hit this URL when authenticated as an
administrator to create comments on behalf of other users. These requests
had the email, website, ip, and other details of the other user – not of
the authenticated administrator.
This includes passing in all of the parameters listed in the
[https://developer.wordpress.org/rest-
api/reference/comments/#create-a-comment create a comment API] docs.
**5.4.1 behavior:**
POSTing to this URL with basic authentication in the same way as before
returned this message.
{{{
{:response=>{"code"=>"rest_comment_login_required", "message"=>"Sorry, you
must be logged in to comment.", "data"=>{"status"=>401}}
}}}
Anonymous comments are enabled via the WordPress Admin, but I needed to
add this line to accept these REST comments.
{{{
add_filter( 'rest_allow_anonymous_comments', '__return_true' );
}}}
This seemed a weird though because I'm already authenticating via basic
auth so this shouldn't be an anonymous comment. Has something changed to
prioritize a different form of authentication that might be overriding
JSON Basic Authentication plugin's auth?
With the 'rest_allow_anonymous_comments' options enabled, I was able to
create a comment as before, so the API endpoint is for sure working. I did
have to disable passing over two fields for this to work: 'author_ip' and
'status' – which would make sense to not be settable if this is an
anonymous comment.
**Takeaway / guess at what's up**: Something changed with authorization
that's not defaulting to the logged in user via basic auth. Instead, it's
creating the comment as wherever the POST is coming from. This behavior
would be how that endpoint would work when coming from a front-end form
that's POSTing to the endpoint, but not for a back-end API requestion.
Hopefully it's something on my part I'm missing!
**Steps to reproduce:**
This is using Ruby and the [https://github.com/jnunemaker/httparty
HTTparty gem]. This file is also attached.
{{{
require 'httparty'
site_url = ENV['wordpress_url']
encoded_auth =
Base64.encode64("#{ENV['wordpress_username']}:#{ENV['wordpress_password']}")
auth = { headers: { 'Authorization': "Basic #{encoded_auth}" } }
post_id = 14200
comment = comment_params = {
'author_ip': '172.16.254.1',
'status': 'pending',
'author_user_agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138
Safari/537.36",
'author_email': "user at example.com",
'author_name': "Adam",
'author_url': "http://example.com",
'content': "<p>this is a test comment</p>",
'date': "2020-05-21T16:10:11Z",
'date_gmt': "2020-05-21T16:10:11Z",
'parent': 0,
'post': post_id
}
params = auth.merge(body: comment)
res = HTTParty.post("#{site_url}/wp-json/wp/v2/comments", params)
# = {"code":"rest_comment_login_required","message":"Sorry, you must be
logged in to comment.","data":{"status":401}}
# If we add add_filter( 'rest_allow_anonymous_comments', '__return_true'
); to the WordPress side and re-run this, the error changes to:
#=> {"code":"rest_comment_invalid_author_ip","message":"Sorry, you are not
allowed to edit ''author_ip'' for comments.","data":{"status":401}}
# If we remove `author_ip` from the params and re-run this, we get this
message:
#=> {"code":"rest_comment_invalid_status","message":"Sorry, you are not
allowed to edit ''status'' for comments.","data":{"status":401}}
# If we remove `status` and re-run this, then it works, but every comment
has the IP address of the server
}}}
--
Comment:
Hi @adamfortuna,
Welcome to trac and thanks for the ticket!
What are your Discussion Settings? Could you try deactivating other
plugins? I've been unable to replicate using the Basic Auth plugin.
{{{
curl --request POST \
--url 'http://trunk.test/wp-
json/wp/v2/comments?_locale=user&context=edit' \
--header 'accept: application/json' \
--header 'authorization: Basic YWRtaW46cGFzc3dvcmQ=' \
--header 'content-type: application/json' \
--data '{
"author_ip": "172.16.254.1",
"status": "pending",
"author_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X
10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138
Safari/537.36",
"author_email": "user at example.com",
"author_name": "Adam",
"author_url": "http://example.com",
"content": "<p>this is a test comment</p>",
"date": "2020-05-21T16:10:11Z",
"date_gmt": "2020-05-21T16:10:11Z",
"parent": 0,
"post": 2015
}'
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50219#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list