Add support for filter param to comments query

[patrickgalbraith]

Only added support for some of the comments_query parameters but this will allow listing comments by post slug etc...

See #2066

[patrickgalbraith]

Ran into an issue with WP_Comment_Query not accepting more than one post related modifier. I worked around it by only specifying the post_name parameter. Which should be fine but it does mean that it won't work perfectly (i.e. you can only specify one post_* parameter until that issue below is fixed in release).

See https://core.trac.wordpress.org/changeset/36326/trunk

[danielbachhuber]

I think we need these filters behind edit_posts, or even generally think about capabilities more, because a public request shouldn't be able to query for the comments of a private post.

[patrickgalbraith]

@danielbachhuber

filter needs to be registered in get_collection_params() too.

Done I just used the one found in the posts controller as an example.

I think we need these filters behind edit_posts, or even generally think about capabilities more, because a public request shouldn't be able to query for the comments of a private post.

Shouldn't the following code that was already there ensure that isn't a problem:

https://github.com/patrickgalbraith/WP-API/blob/comment_filters_2/lib/endpoints/class-wp-rest-comments-controller.php#L161-L169

[danielbachhuber]

Shouldn't the following code that was already there ensure that isn't a problem:

Not necessarily. I think this pull request will need a lot of thought as to the security implications, and many more tests, before we can consider merging it.

[patrickgalbraith]

@danielbachhuber

Not necessarily. I think this pull request will need a lot of thought as to the security implications, and many more tests, before we can consider merging it.

I was assuming that the check_read_post_permission was secure. If it isn't then that will need to be investigated anyway. Since comments delegate to their post to check for read permissions.

For example can you explain what the difference would be between the following from a security point of view:

$comments_query_1 = new WP_Comment_Query(array(
  'post_id' => 1
));

$comments_query_2 = new WP_Comment_Query(array(
  'post_name' => 'sample-post'
));

Ultimately you can easily retrieve any comment by querying with it's ID so any way to exploit this should also apply when getting comments by ID /wp/v2/comments/<id>.

I will add a test for accessing private post comments similar to test_get_items_private_filter_query_var. Can you give me more of an idea of the other tests you want to see.

[patrickgalbraith]

@danielbachhuber I've added test cases to ensure comments are inaccessible when using filters to select comments on private posts.

[rachelbaker]

Assigned to myself for review

[rachelbaker]

I would like to see what happens with #2770 so we can apply it here as well.

[rachelbaker]

On hold pending the outcome of #2799

[kadamwhite]

In #core-restapi today this PR came up in the context of #2066, in which a decision was made not to support filter more broadly; #2799 tracks removing it entirely. In this context we now believe it does not make sense to add filter support to comments; any capabilities that could only be accessed via filter should be proposed as first-party query parameters.

Edit: missed the "on hold" above, will re-open depending on outcome of #2799.