REST API: Ensure users with "moderate_comments" capability may edit comments.

Props meloniq.
Fixes #47024.



git-svn-id: https://develop.svn.wordpress.org/trunk@46433 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php

@@ -1672,8 +1672,8 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 			return false;
 		}
 
-		if ( ! current_user_can( 'moderate_comments' ) ) {
-			return false;
+		if ( current_user_can( 'moderate_comments' ) ) {
+			return true;
 		}
 
 		return current_user_can( 'edit_comment', $comment->comment_ID );

tests/phpunit/tests/rest-api/rest-comments-controller.php

@@ -13,6 +13,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 	protected static $superadmin_id;
 	protected static $admin_id;
 	protected static $editor_id;
+	protected static $moderator_id;
 	protected static $subscriber_id;
 	protected static $author_id;
 
@@ -27,6 +28,15 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 	protected $endpoint;
 
 	public static function wpSetUpBeforeClass( $factory ) {
+		add_role(
+			'comment_moderator',
+			'Comment Moderator',
+			array(
+				'read'              => true,
+				'moderate_comments' => true,
+			)
+		);
+
 		self::$superadmin_id = $factory->user->create(
 			array(
 				'role'       => 'administrator',
@@ -43,6 +53,11 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 				'role' => 'editor',
 			)
 		);
+		self::$moderator_id  = $factory->user->create(
+			array(
+				'role' => 'comment_moderator',
+			)
+		);
 		self::$subscriber_id = $factory->user->create(
 			array(
 				'role' => 'subscriber',
@@ -98,9 +113,12 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 	}
 
 	public static function wpTearDownAfterClass() {
+		remove_role( 'comment_moderator' );
+
 		self::delete_user( self::$superadmin_id );
 		self::delete_user( self::$admin_id );
 		self::delete_user( self::$editor_id );
+		self::delete_user( self::$moderator_id );
 		self::delete_user( self::$subscriber_id );
 		self::delete_user( self::$author_id );
 
@@ -2480,6 +2498,31 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 		$this->assertErrorResponse( 'rest_cannot_edit', $response, 401 );
 	}
 
+	/**
+	 * @ticket 47024
+	 */
+	public function test_update_comment_when_can_moderate_comments() {
+		wp_set_current_user( self::$moderator_id );
+
+		$request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+		$params  = array(
+			'content' => 'Updated comment.',
+			'date'    => '2019-10-07T23:14:25',
+		);
+		$request->add_header( 'content-type', 'application/json' );
+		$request->set_body( wp_json_encode( $params ) );
+
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+
+		$comment = $response->get_data();
+		$updated = get_comment( self::$approved_id );
+
+		$this->assertEquals( $params['content'], $updated->comment_content );
+		$this->assertEquals( self::$post_id, $comment['post'] );
+		$this->assertEquals( '2019-10-07T23:14:25', $comment['date'] );
+	}
+
 	public function test_update_comment_private_post_invalid_permission() {
 		$private_comment_id = $this->factory->comment->create(
 			array(

tests/qunit/fixtures/wp-api-generated.js

@@ -2304,7 +2304,7 @@ mockedApiResponse.Schema = {
                 }
             ]
         },
-        "/wp/v2/media/(?P<id>[\\d+])/post-process": {
+        "/wp/v2/media/(?P<id>[\\d]+)/post-process": {
             "namespace": "wp/v2",
             "methods": [
                 "POST"