Comments: Don't attempt to create a note if the user cannot edit the target post.

Props johnbillion, peterwilsoncc, adamsilverstein. Built from https://develop.svn.wordpress.org/trunk@61888 git-svn-id: http://core.svn.wordpress.org/trunk@61170 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2026-03-10 12:49:45 +00:00
parent 8f6921d5cd
commit f46ecd2f8c
2 changed files with 9 additions and 1 deletions
--- a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -560,6 +560,14 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 			}
 		}

+		if ( $is_note && ! empty( $request['post'] ) && ! current_user_can( 'edit_post', (int) $request['post'] ) ) {
+			return new WP_Error(
+				'rest_cannot_create_note',
+				__( 'Sorry, you are not allowed to create notes for this post.' ),
+				array( 'status' => rest_authorization_required_code() )
+			);
+		}
+
 		$edit_cap = $is_note ? array( 'edit_post', (int) $request['post'] ) : array( 'moderate_comments' );
 		if ( isset( $request['status'] ) && ! current_user_can( ...$edit_cap ) ) {
 			return new WP_Error(
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '7.0-beta3-61887';
+$wp_version = '7.0-beta3-61888';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.