Do not expose whether post type supports notes to unauthenticated users.

peterwilsoncc · peterwilsoncc · commit f26746a4206c · 2025-11-19T13:04:55.000+11:00
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -123,21 +123,15 @@ public function register_routes() {
 	 * @return true|WP_Error True if the request has read access, error object otherwise.
 	 */
 	public function get_items_permissions_check( $request ) {
-		$is_note         = 'note' === $request['type'];
-		$is_edit_context = 'edit' === $request['context'];
+		$is_note          = 'note' === $request['type'];
+		$is_edit_context  = 'edit' === $request['context'];
+		$protected_params = array( 'author', 'author_exclude', 'author_email', 'type', 'status' );
+		$forbidden_params = array();
 
 		if ( ! empty( $request['post'] ) ) {
 			foreach ( (array) $request['post'] as $post_id ) {
 				$post = get_post( $post_id );
 
-				if ( $post && $is_note && ! $this->check_post_type_supports_notes( $post->post_type ) ) {
-					return new WP_Error(
-						'rest_comment_not_supported_post_type',
-						__( 'Sorry, this post type does not support notes.' ),
-						array( 'status' => 403 )
-					);
-				}
-
 				if ( ! empty( $post_id ) && $post && ! $this->check_read_post_permission( $post, $request ) ) {
 					return new WP_Error(
 						'rest_cannot_read_post',
@@ -151,6 +145,36 @@ public function get_items_permissions_check( $request ) {
 						array( 'status' => rest_authorization_required_code() )
 					);
 				}
+
+				if ( $post && $is_note && ! $this->check_post_type_supports_notes( $post->post_type ) ) {
+					if ( current_user_can( get_post_type_object( $post->post_type )->cap->edit_posts ) ) {
+						return new WP_Error(
+							'rest_comment_not_supported_post_type',
+							__( 'Sorry, this post type does not support notes.' ),
+							array( 'status' => 403 )
+						);
+					}
+
+					foreach ( $protected_params as $param ) {
+						if ( 'status' === $param ) {
+							if ( 'approve' !== $request[ $param ] ) {
+								$forbidden_params[] = $param;
+							}
+						} elseif ( 'type' === $param ) {
+							if ( 'comment' !== $request[ $param ] ) {
+								$forbidden_params[] = $param;
+							}
+						} elseif ( ! empty( $request[ $param ] ) ) {
+							$forbidden_params[] = $param;
+						}
+					}
+					return new WP_Error(
+						'rest_forbidden_param',
+						/* translators: %s: List of forbidden parameters. */
+						sprintf( __( 'Query parameter not permitted: %s' ), implode( ', ', $forbidden_params ) ),
+						array( 'status' => rest_authorization_required_code() )
+					);
+				}
 			}
 		}
 
@@ -174,23 +198,6 @@ public function get_items_permissions_check( $request ) {
 		}
 
 		if ( ! current_user_can( 'edit_posts' ) ) {
-			$protected_params = array( 'author', 'author_exclude', 'author_email', 'type', 'status' );
-			$forbidden_params = array();
-
-			foreach ( $protected_params as $param ) {
-				if ( 'status' === $param ) {
-					if ( 'approve' !== $request[ $param ] ) {
-						$forbidden_params[] = $param;
-					}
-				} elseif ( 'type' === $param ) {
-					if ( 'comment' !== $request[ $param ] ) {
-						$forbidden_params[] = $param;
-					}
-				} elseif ( ! empty( $request[ $param ] ) ) {
-					$forbidden_params[] = $param;
-				}
-			}
-
 			if ( ! empty( $forbidden_params ) ) {
 				return new WP_Error(
 					'rest_forbidden_param',
