Wordpress REST API rest_comment_invalid_author Sorry, you are not allowed to edit 'author' for comments

I'm fairly new to Wordpress REST API, but I have an Angular application which needs to take user's input and then create a comment anonymously. To start off, we can get rid of the rest_comment_login_required error message by modifying the Wordpress REST API function located in wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php file. The following line allows anonymous commenting:

$allow_anonymous = apply_filters( 'rest_allow_anonymous_comments', true, $request );

In my Wordpress REST API, sending a GET request to http://localhost/wordpress/wp-json/wp/v2/users/1 returns:

{
    "id": 1,
    "name": "root",
    "url": "http://localhost/wordpress",
    "description": "",
    "link": "http://localhost/wordpress/author/root/",
    "slug": "root",
    "avatar_urls": {
        "24": "http://1.gravatar.com/avatar/d11662ae04f559ce691c5b1b4ff906f7?s=24&d=mm&r=g",
        "48": "http://1.gravatar.com/avatar/d11662ae04f559ce691c5b1b4ff906f7?s=48&d=mm&r=g",
        "96": "http://1.gravatar.com/avatar/d11662ae04f559ce691c5b1b4ff906f7?s=96&d=mm&r=g"
    },
    "meta": [],
    "_links": {
        "self": [
            {
                "href": "http://localhost/wordpress/wp-json/wp/v2/users/1"
            }
        ],
        "collection": [
            {
                "href": "http://localhost/wordpress/wp-json/wp/v2/users"
            }
        ]
    }
}

So I only have one user currently in my database, who is called root.

If I simulate a request to the API with Postman and send a POST request to http://localhost/wordpress/wp-json/wp/v2/comments while supplying a raw JSON body that looks like

{
    "content": "Lorem Ipsum is simply dummy text of the printing and typesetting industry",
    "date": "2021-08-04T22:24:09",
    "post": 1,
    "author": 1,
    "author_name": "root",
    "author_url": "http://localhost/wordpress"
}

then I get an error

{
    "code": "rest_comment_invalid_author",
    "message": "Sorry, you are not allowed to edit 'author' for comments.",
    "data": {
        "status": 401
    }
}

What is the meaning of this error and how do I fix this?


This is because you are sending unauthenticated anonymous requests, but still specifying an author. If what you were trying to do worked then it would be possible to impersonate any person on your site in a comment by specifying their author ID when creating the request.

With this in mind, the error message is quite clear.

Here you're trying to edit the author property by setting it to 1:

    "author": 1,

And here the REST API is seeing this and saying "No, you can't do that, you don't have permission":

    "code": "rest_comment_invalid_author",
    "message": "Sorry, you are not allowed to edit 'author' for comments.",

Anonymous logged-out requests cannot edit other users' comments or impersonate them.

So to fix this, either remove the author ID, or send an authenticated request, authenticated with that same user, or an administrator.


Additionally, the line you commented out was a filter:

$allow_anonymous = apply_filters( 'rest_allow_anonymous_comments', true, $request );

Instead of modifying WordPress files, hook into the filter to return true in a theme or plugin:

add_filter( 'rest_allow_anonymous_comments', '__return_true' );

or

add_filter( 'rest_allow_anonymous_comments', '__return_false' );
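As an added example (not part of the question or the answer above), the following client-side code builds the two request shapes the answer distinguishes for POST /wp-json/wp/v2/comments: an anonymous request that carries no `author` field and identifies the commenter only through `author_name`/`author_email`, and an authenticated request that may set `author`. The authenticated variant assumes a WordPress Application Password sent over HTTP Basic auth; the `buildCommentRequest`, `explainCommentError` and `postComment` names, and all username, password and user-id values, are constructed for this example and are not from the page.

```javascript
// Added example, not from the original question or answer.
// Builds the body and headers for POST /wp-json/wp/v2/comments without
// ever sending "author" on an anonymous request (which the REST API rejects
// with rest_comment_invalid_author / 401, as the answer explains).
function buildCommentRequest({ postId, content, identity }) {
  const body = { post: postId, content };
  const headers = { 'Content-Type': 'application/json' };

  if (identity.kind === 'anonymous') {
    // Identity of an anonymous commenter is carried by author_name/author_email;
    // WordPress requires both by default ("require_name_email" option; assumption).
    body.author_name = identity.name;
    body.author_email = identity.email;
    if (identity.url) body.author_url = identity.url;
  } else if (identity.kind === 'application-password') {
    // Authenticated as the owner of the Application Password (assumption: the
    // site has Application Passwords enabled). The API accepts "author" only
    // when it matches that user or the caller can moderate comments.
    const token = btoa(`${identity.username}:${identity.appPassword}`);
    headers.Authorization = `Basic ${token}`;
    body.author = identity.userId;
  } else {
    throw new Error(`unknown identity kind: ${identity.kind}`);
  }
  return { method: 'POST', headers, body: JSON.stringify(body) };
}

// Maps the REST error codes seen in the question to the fix the answer gives.
function explainCommentError(errorJson) {
  if (!errorJson || !errorJson.code) return 'no error';
  switch (errorJson.code) {
    case 'rest_comment_invalid_author':
      return 'author field rejected: drop "author" for anonymous requests or authenticate as that user';
    case 'rest_comment_login_required':
      return 'anonymous commenting is disabled: return true from the rest_allow_anonymous_comments filter';
    default:
      return `unhandled REST error: ${errorJson.code}`;
  }
}

// Sends the request and turns an error response into a readable exception.
async function postComment(baseUrl, request) {
  const res = await fetch(`${baseUrl}/wp-json/wp/v2/comments`, request);
  const json = await res.json();
  if (!res.ok) throw new Error(explainCommentError(json));
  return json;
}

// Constructed usage (values are placeholders, not from the page):
// const req = buildCommentRequest({
//   postId: 1,
//   content: 'Lorem Ipsum',
//   identity: { kind: 'anonymous', name: 'Visitor', email: 'visitor@example.com' },
// });
// postComment('http://localhost/wordpress', req).then(console.log, console.error);
```

The anonymous branch is the one the question's Angular app needs once the `rest_allow_anonymous_comments` filter returns true; the authenticated branch is only for cases where the client genuinely acts on behalf of a logged-in WordPress user, which is exactly the condition under which the API permits `author`.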
