Comments: Require login to comment with a registered user's email#12452
Comments: Require login to comment with a registered user's email#12452adamsilverstein wants to merge 1 commit into
Conversation
When a logged-out visitor submits a comment using the email address of a registered user, return a `WP_Error` from `wp_handle_comment_submission()` prompting them to log in, rather than accepting the comment. This prevents anonymous visitors from impersonating registered users. Handling this alongside the existing name/email validation returns the message to the comment form (with a login link that redirects back to the post) instead of halting the request, and keeps the behavior unit testable. See WordPress#10931.
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
Summary
When a logged-out visitor submits a comment using the email address of a registered user, this blocks the comment and prompts them to log in, preventing anonymous visitors from impersonating registered users.
The check is added to
wp_handle_comment_submission(), alongside the existing name/email validation, and returns aWP_Error(comment_author_must_login, HTTP 403) whose message contains a login link that redirects back to the post after authenticating.Relationship to PR #8443
This is an alternative implementation of PR #8443 by @Infinite-Null, opened separately so as not to step on that contributor's work. The design goal (force login, per comment:72 / comment:73) is the same; the differences are:
WP_Errorinstead of callingwp_die(). The message is surfaced on the comment form (keeping the visitor on the page with a login link) rather than replacing the request with a 403 page.wp_handle_comment_submission()next to the sibling name/email checks, rather than inwp_check_comment_data()(which is documented to return an approval status, not halt the request).wp_die()approach could not be cleanly tested).Tests
tests/phpunit/tests/comment/wpHandleCommentSubmission.php:test_submitting_comment_anonymously_with_registered_email_returns_error— logged-out + registered email →WP_Error(comment_author_must_login, 403).test_submitting_comment_anonymously_with_unregistered_email_succeeds— logged-out + unregistered email → comment succeeds (guards against false positives).test_submitting_comment_as_logged_in_user_with_registered_email_succeeds— logged-in user commenting under their own registered email still succeeds (the check only targets logged-out visitors).All 47 tests in the class pass; PHPCS is clean on the changed lines.
Open question (design)
The error message states the address belongs to a registered user, which — as @johnbillion noted in comment:56 — is an email-enumeration signal (though the same information is already discoverable via
wp-login.php). This can be softened if preferred. Whether force-login is the agreed direction (vs. routing to the moderation queue) is still open on the ticket.Trac ticket: https://core.trac.wordpress.org/ticket/10931