From f46ecd2f8c396aff2ff622746dc4089d00ab2011 Mon Sep 17 00:00:00 2001
From: John Blackbourn 
Date: Tue, 10 Mar 2026 12:49:45 +0000
Subject: [PATCH] Comments: Don't attempt to create a note if the user cannot edit the target post.

Props johnbillion, peterwilsoncc, adamsilverstein.

Built from https://develop.svn.wordpress.org/trunk@61888

git-svn-id: http://core.svn.wordpress.org/trunk@61170 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 .../endpoints/class-wp-rest-comments-controller.php | 8 ++++++++
 wp-includes/version.php                             | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
index 3f83504f8a..f462928847 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -560,6 +560,14 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 			}
 		}
 
+		if ( $is_note && ! empty( $request['post'] ) && ! current_user_can( 'edit_post', (int) $request['post'] ) ) {
+			return new WP_Error(
+				'rest_cannot_create_note',
+				__( 'Sorry, you are not allowed to create notes for this post.' ),
+				array( 'status' => rest_authorization_required_code() )
+			);
+		}
+
 		$edit_cap = $is_note ? array( 'edit_post', (int) $request['post'] ) : array( 'moderate_comments' );
 		if ( isset( $request['status'] ) && ! current_user_can( ...$edit_cap ) ) {
 			return new WP_Error(
diff --git a/wp-includes/version.php b/wp-includes/version.php
index e63c30527a..e569b7081d 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '7.0-beta3-61887';
+$wp_version = '7.0-beta3-61888';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
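Review bot: The new `edit_post` guard is skipped whenever `$request['post']` is empty (including `'0'`), so a note request with no usable post id falls through to the `$edit_cap` check below, which itself only runs when `status` is set; unless an earlier part of this method already rejects notes without a post, a note could pass this permission check with no capability test at all. The enclosing method starts and ends outside the hunk, so I cannot confirm that earlier rejection; if it exists, a one-line comment above the guard saying `// Notes always target a post; an empty post id is rejected earlier, so only the capability is checked here.` would make the dependency explicit, and if it does not, the `! empty( $request['post'] )` clause should be dropped so the capability check runs for every note. Two lines later `$edit_cap` rebuilds the same `array( 'edit_post', (int) $request['post'] )`; computing that once before the guard (e.g. `$note_cap = array( 'edit_post', (int) $request['post'] );`) and using it in both places would keep the two checks from drifting apart.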