Editor: Add auth_callback to _wp_note_status comment meta.

t-hamano · t-hamano · commit 80156af50505 · 2025-10-30T11:54:22.000Z
Adds an `auth_callback` to the `_wp_note_status` comment meta so that only users with the `edit_comment` capability can update this meta field via the REST API. This is necessary to ensure that users can properly resolve or reopen Notes. Props wildworks, adamsilverstein, westonruter, mamaduka, desrosj. Fixes #64153. git-svn-id: https://develop.svn.wordpress.org/trunk@61089 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/comment.php b/src/wp-includes/comment.php
@@ -4129,7 +4129,9 @@ function wp_create_initial_comment_meta() {
 					'enum' => array( 'resolved', 'reopen' ),
 				),
 			),
+			'auth_callback' => function ( $allowed, $meta_key, $object_id ) {
+				return current_user_can( 'edit_comment', $object_id );
+			},
 		)
 	);
 }
-add_action( 'init', 'wp_create_initial_comment_meta' );
diff --git a/src/wp-includes/default-filters.php b/src/wp-includes/default-filters.php
@@ -151,6 +151,7 @@
 add_action( 'added_comment_meta', 'wp_cache_set_comments_last_changed' );
 add_action( 'updated_comment_meta', 'wp_cache_set_comments_last_changed' );
 add_action( 'deleted_comment_meta', 'wp_cache_set_comments_last_changed' );
+add_action( 'init', 'wp_create_initial_comment_meta' );
 
 // Places to balance tags on input.
 foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content' ) as $filter ) {
diff --git a/tests/phpunit/tests/rest-api/rest-comments-controller.php b/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -170,6 +170,8 @@ public static function wpTearDownAfterClass() {
 	public function set_up() {
 		parent::set_up();
 		$this->endpoint = new WP_REST_Comments_Controller();
+		wp_create_initial_comment_meta();
+
 		if ( is_multisite() ) {
 			update_site_option( 'site_admins', array( 'superadmin' ) );
 		}
@@ -3888,6 +3890,11 @@ public function test_create_empty_note_with_resolution_meta( $status ) {
 
 		$response = rest_get_server()->dispatch( $request );
 		$this->assertSame( 201, $response->get_status() );
+
+		$data = $response->get_data();
+		$this->assertArrayHasKey( 'meta', $data );
+		$this->assertArrayHasKey( '_wp_note_status', $data['meta'] );
+		$this->assertSame( $status, $data['meta']['_wp_note_status'] );
 	}
 
 	/**

Original file line number	Diff line number	Diff line change
`@@ -4129,7 +4129,9 @@ function wp_create_initial_comment_meta() {`
`4129`	`4129`	`'enum' => array( 'resolved', 'reopen' ),`
`4130`	`4130`	`),`
`4131`	`4131`	`),`
	`4132`	`+ 'auth_callback' => function ( $allowed, $meta_key, $object_id ) {`
	`4133`	`+ return current_user_can( 'edit_comment', $object_id );`
	`4134`	`+ },`
`4132`	`4135`	`)`
`4133`	`4136`	`);`
`4134`	`4137`	`}`
`4135`		`-add_action( 'init', 'wp_create_initial_comment_meta' );`