Comments: ensure unauthenticated users cannot access the single comment endpoint for notes.

peterwilsoncc · peterwilsoncc · commit b98748797f54 · 2025-11-25T01:22:32.000Z
Fix an issue where notes could be accessed by unauthenticated users by using the single comment REST API endpoint and passing the comment ID (`/wp/v2/comments/<ID>`). This fix only affects the `note` type. Reviewed by peterwilsoncc. Merges [61276] to the 6.9 branch. Props adamsilverstein, peterwilsoncc, westonruter, tharsheblows. See #44157. Built from https://develop.svn.wordpress.org/branches/6.9@61297 git-svn-id: http://core.svn.wordpress.org/branches/6.9@60609 1a063a9b-81f0-0310-95a4-ce76da25c4cd
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -123,21 +123,15 @@ public function register_routes() {
 	 * @return true|WP_Error True if the request has read access, error object otherwise.
 	 */
 	public function get_items_permissions_check( $request ) {
-		$is_note         = 'note' === $request['type'];
-		$is_edit_context = 'edit' === $request['context'];
+		$is_note          = 'note' === $request['type'];
+		$is_edit_context  = 'edit' === $request['context'];
+		$protected_params = array( 'author', 'author_exclude', 'author_email', 'type', 'status' );
+		$forbidden_params = array();
 
 		if ( ! empty( $request['post'] ) ) {
 			foreach ( (array) $request['post'] as $post_id ) {
 				$post = get_post( $post_id );
 
-				if ( $post && $is_note && ! $this->check_post_type_supports_notes( $post->post_type ) ) {
-					return new WP_Error(
-						'rest_comment_not_supported_post_type',
-						__( 'Sorry, this post type does not support notes.' ),
-						array( 'status' => 403 )
-					);
-				}
-
 				if ( ! empty( $post_id ) && $post && ! $this->check_read_post_permission( $post, $request ) ) {
 					return new WP_Error(
 						'rest_cannot_read_post',
@@ -151,6 +145,36 @@ public function get_items_permissions_check( $request ) {
 						array( 'status' => rest_authorization_required_code() )
 					);
 				}
+
+				if ( $post && $is_note && ! $this->check_post_type_supports_notes( $post->post_type ) ) {
+					if ( current_user_can( 'edit_post', $post->ID ) ) {
+						return new WP_Error(
+							'rest_comment_not_supported_post_type',
+							__( 'Sorry, this post type does not support notes.' ),
+							array( 'status' => 403 )
+						);
+					}
+
+					foreach ( $protected_params as $param ) {
+						if ( 'status' === $param ) {
+							if ( 'approve' !== $request[ $param ] ) {
+								$forbidden_params[] = $param;
+							}
+						} elseif ( 'type' === $param ) {
+							if ( 'comment' !== $request[ $param ] ) {
+								$forbidden_params[] = $param;
+							}
+						} elseif ( ! empty( $request[ $param ] ) ) {
+							$forbidden_params[] = $param;
+						}
+					}
+					return new WP_Error(
+						'rest_forbidden_param',
+						/* translators: %s: List of forbidden parameters. */
+						sprintf( __( 'Query parameter not permitted: %s' ), implode( ', ', $forbidden_params ) ),
+						array( 'status' => rest_authorization_required_code() )
+					);
+				}
 			}
 		}
 
@@ -174,9 +198,6 @@ public function get_items_permissions_check( $request ) {
 		}
 
 		if ( ! current_user_can( 'edit_posts' ) ) {
-			$protected_params = array( 'author', 'author_exclude', 'author_email', 'type', 'status' );
-			$forbidden_params = array();
-
 			foreach ( $protected_params as $param ) {
 				if ( 'status' === $param ) {
 					if ( 'approve' !== $request[ $param ] ) {
@@ -1890,7 +1911,7 @@ protected function check_read_post_permission( $post, $request ) {
 	 * @return bool Whether the comment can be read.
 	 */
 	protected function check_read_permission( $comment, $request ) {
-		if ( ! empty( $comment->comment_post_ID ) ) {
+		if ( 'note' !== $comment->comment_type && ! empty( $comment->comment_post_ID ) ) {
 			$post = get_post( $comment->comment_post_ID );
 			if ( $post ) {
 				if ( $this->check_read_post_permission( $post, $request ) && 1 === (int) $comment->comment_approved ) {
diff --git a/wp-includes/version.php b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.9-RC2-61296';
+$wp_version = '6.9-RC2-61297';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@`
`16`	`16`	`*`
`17`	`17`	`* @global string $wp_version`
`18`	`18`	`*/`
`19`		`-$wp_version = '6.9-RC2-61296';`
	`19`	`+$wp_version = '6.9-RC2-61297';`
`20`	`20`
`21`	`21`	`/**`
`22`	`22`	`* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.`