553 lines
17 KiB
PHP
553 lines
17 KiB
PHP
|
<?php
|
||
|
|
||
|
class Akismet_REST_API {
|
||
|
/**
|
||
|
* Register the REST API routes.
|
||
|
*/
|
||
|
public static function init() {
|
||
|
if ( ! function_exists( 'register_rest_route' ) ) {
|
||
|
// The REST API wasn't integrated into core until 4.4, and we support 4.0+ (for now).
|
||
|
return false;
|
||
|
}
|
||
|
|
||
|
register_rest_route( 'akismet/v1', '/key', array(
|
||
|
array(
|
||
|
'methods' => WP_REST_Server::READABLE,
|
||
|
'permission_callback' => array( 'Akismet_REST_API', 'privileged_permission_callback' ),
|
||
|
'callback' => array( 'Akismet_REST_API', 'get_key' ),
|
||
|
), array(
|
||
|
'methods' => WP_REST_Server::EDITABLE,
|
||
|
'permission_callback' => array( 'Akismet_REST_API', 'privileged_permission_callback' ),
|
||
|
'callback' => array( 'Akismet_REST_API', 'set_key' ),
|
||
|
'args' => array(
|
||
|
'key' => array(
|
||
|
'required' => true,
|
||
|
'type' => 'string',
|
||
|
'sanitize_callback' => array( 'Akismet_REST_API', 'sanitize_key' ),
|
||
|
'description' => __( 'A 12-character Akismet API key. Available at akismet.com/get/', 'akismet' ),
|
||
|
),
|
||
|
),
|
||
|
), array(
|
||
|
'methods' => WP_REST_Server::DELETABLE,
|
||
|
'permission_callback' => array( 'Akismet_REST_API', 'privileged_permission_callback' ),
|
||
|
'callback' => array( 'Akismet_REST_API', 'delete_key' ),
|
||
|
)
|
||
|
) );
|
||
|
|
||
|
register_rest_route( 'akismet/v1', '/settings/', array(
|
||
|
array(
|
||
|
'methods' => WP_REST_Server::READABLE,
|
||
|
'permission_callback' => array( 'Akismet_REST_API', 'privileged_permission_callback' ),
|
||
|
'callback' => array( 'Akismet_REST_API', 'get_settings' ),
|
||
|
),
|
||
|
array(
|
||
|
'methods' => WP_REST_Server::EDITABLE,
|
||
|
'permission_callback' => array( 'Akismet_REST_API', 'privileged_permission_callback' ),
|
||
|
'callback' => array( 'Akismet_REST_API', 'set_boolean_settings' ),
|
||
|
'args' => array(
|
||
|
'akismet_strictness' => array(
|
||
|
'required' => false,
|
||
|
'type' => 'boolean',
|
||
|
'description' => __( 'If true, Akismet will automatically discard the worst spam automatically rather than putting it in the spam folder.', 'akismet' ),
|
||
|
),
|
||
|
'akismet_show_user_comments_approved' => array(
|
||
|
'required' => false,
|
||
|
'type' => 'boolean',
|
||
|
'description' => __( 'If true, show the number of approved comments beside each comment author in the comments list page.', 'akismet' ),
|
||
|
),
|
||
|
),
|
||
|
)
|
||
|
) );
|
||
|
|
||
|
register_rest_route( 'akismet/v1', '/stats', array(
|
||
|
'methods' => WP_REST_Server::READABLE,
|
||
|
'permission_callback' => array( 'Akismet_REST_API', 'privileged_permission_callback' ),
|
||
|
'callback' => array( 'Akismet_REST_API', 'get_stats' ),
|
||
|
'args' => array(
|
||
|
'interval' => array(
|
||
|
'required' => false,
|
||
|
'type' => 'string',
|
||
|
'sanitize_callback' => array( 'Akismet_REST_API', 'sanitize_interval' ),
|
||
|
'description' => __( 'The time period for which to retrieve stats. Options: 60-days, 6-months, all', 'akismet' ),
|
||
|
'default' => 'all',
|
||
|
),
|
||
|
),
|
||
|
) );
|
||
|
|
||
|
register_rest_route( 'akismet/v1', '/stats/(?P<interval>[\w+])', array(
|
||
|
'args' => array(
|
||
|
'interval' => array(
|
||
|
'description' => __( 'The time period for which to retrieve stats. Options: 60-days, 6-months, all', 'akismet' ),
|
||
|
'type' => 'string',
|
||
|
),
|
||
|
),
|
||
|
array(
|
||
|
'methods' => WP_REST_Server::READABLE,
|
||
|
'permission_callback' => array( 'Akismet_REST_API', 'privileged_permission_callback' ),
|
||
|
'callback' => array( 'Akismet_REST_API', 'get_stats' ),
|
||
|
)
|
||
|
) );
|
||
|
|
||
|
register_rest_route( 'akismet/v1', '/alert', array(
|
||
|
array(
|
||
|
'methods' => WP_REST_Server::READABLE,
|
||
|
'permission_callback' => array( 'Akismet_REST_API', 'remote_call_permission_callback' ),
|
||
|
'callback' => array( 'Akismet_REST_API', 'get_alert' ),
|
||
|
'args' => array(
|
||
|
'key' => array(
|
||
|
'required' => false,
|
||
|
'type' => 'string',
|
||
|
'sanitize_callback' => array( 'Akismet_REST_API', 'sanitize_key' ),
|
||
|
'description' => __( 'A 12-character Akismet API key. Available at akismet.com/get/', 'akismet' ),
|
||
|
),
|
||
|
),
|
||
|
),
|
||
|
array(
|
||
|
'methods' => WP_REST_Server::EDITABLE,
|
||
|
'permission_callback' => array( 'Akismet_REST_API', 'remote_call_permission_callback' ),
|
||
|
'callback' => array( 'Akismet_REST_API', 'set_alert' ),
|
||
|
'args' => array(
|
||
|
'key' => array(
|
||
|
'required' => false,
|
||
|
'type' => 'string',
|
||
|
'sanitize_callback' => array( 'Akismet_REST_API', 'sanitize_key' ),
|
||
|
'description' => __( 'A 12-character Akismet API key. Available at akismet.com/get/', 'akismet' ),
|
||
|
),
|
||
|
),
|
||
|
),
|
||
|
array(
|
||
|
'methods' => WP_REST_Server::DELETABLE,
|
||
|
'permission_callback' => array( 'Akismet_REST_API', 'remote_call_permission_callback' ),
|
||
|
'callback' => array( 'Akismet_REST_API', 'delete_alert' ),
|
||
|
'args' => array(
|
||
|
'key' => array(
|
||
|
'required' => false,
|
||
|
'type' => 'string',
|
||
|
'sanitize_callback' => array( 'Akismet_REST_API', 'sanitize_key' ),
|
||
|
'description' => __( 'A 12-character Akismet API key. Available at akismet.com/get/', 'akismet' ),
|
||
|
),
|
||
|
),
|
||
|
)
|
||
|
) );
|
||
|
|
||
|
register_rest_route(
|
||
|
'akismet/v1',
|
||
|
'/webhook',
|
||
|
array(
|
||
|
'methods' => WP_REST_Server::CREATABLE,
|
||
|
'callback' => array( 'Akismet_REST_API', 'receive_webhook' ),
|
||
|
'permission_callback' => array( 'Akismet_REST_API', 'remote_call_permission_callback' ),
|
||
|
)
|
||
|
);
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Get the current Akismet API key.
|
||
|
*
|
||
|
* @param WP_REST_Request $request
|
||
|
* @return WP_Error|WP_REST_Response
|
||
|
*/
|
||
|
public static function get_key( $request = null ) {
|
||
|
return rest_ensure_response( Akismet::get_api_key() );
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Set the API key, if possible.
|
||
|
*
|
||
|
* @param WP_REST_Request $request
|
||
|
* @return WP_Error|WP_REST_Response
|
||
|
*/
|
||
|
public static function set_key( $request ) {
|
||
|
if ( defined( 'WPCOM_API_KEY' ) ) {
|
||
|
return rest_ensure_response( new WP_Error( 'hardcoded_key', __( 'This site\'s API key is hardcoded and cannot be changed via the API.', 'akismet' ), array( 'status'=> 409 ) ) );
|
||
|
}
|
||
|
|
||
|
$new_api_key = $request->get_param( 'key' );
|
||
|
|
||
|
if ( ! self::key_is_valid( $new_api_key ) ) {
|
||
|
return rest_ensure_response( new WP_Error( 'invalid_key', __( 'The value provided is not a valid and registered API key.', 'akismet' ), array( 'status' => 400 ) ) );
|
||
|
}
|
||
|
|
||
|
update_option( 'wordpress_api_key', $new_api_key );
|
||
|
|
||
|
return self::get_key();
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Unset the API key, if possible.
|
||
|
*
|
||
|
* @param WP_REST_Request $request
|
||
|
* @return WP_Error|WP_REST_Response
|
||
|
*/
|
||
|
public static function delete_key( $request ) {
|
||
|
if ( defined( 'WPCOM_API_KEY' ) ) {
|
||
|
return rest_ensure_response( new WP_Error( 'hardcoded_key', __( 'This site\'s API key is hardcoded and cannot be deleted.', 'akismet' ), array( 'status'=> 409 ) ) );
|
||
|
}
|
||
|
|
||
|
delete_option( 'wordpress_api_key' );
|
||
|
|
||
|
return rest_ensure_response( true );
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Get the Akismet settings.
|
||
|
*
|
||
|
* @param WP_REST_Request $request
|
||
|
* @return WP_Error|WP_REST_Response
|
||
|
*/
|
||
|
public static function get_settings( $request = null ) {
|
||
|
return rest_ensure_response( array(
|
||
|
'akismet_strictness' => ( get_option( 'akismet_strictness', '1' ) === '1' ),
|
||
|
'akismet_show_user_comments_approved' => ( get_option( 'akismet_show_user_comments_approved', '1' ) === '1' ),
|
||
|
) );
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Update the Akismet settings.
|
||
|
*
|
||
|
* @param WP_REST_Request $request
|
||
|
* @return WP_Error|WP_REST_Response
|
||
|
*/
|
||
|
public static function set_boolean_settings( $request ) {
|
||
|
foreach ( array(
|
||
|
'akismet_strictness',
|
||
|
'akismet_show_user_comments_approved',
|
||
|
) as $setting_key ) {
|
||
|
|
||
|
$setting_value = $request->get_param( $setting_key );
|
||
|
if ( is_null( $setting_value ) ) {
|
||
|
// This setting was not specified.
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
// From 4.7+, WP core will ensure that these are always boolean
|
||
|
// values because they are registered with 'type' => 'boolean',
|
||
|
// but we need to do this ourselves for prior versions.
|
||
|
$setting_value = Akismet_REST_API::parse_boolean( $setting_value );
|
||
|
|
||
|
update_option( $setting_key, $setting_value ? '1' : '0' );
|
||
|
}
|
||
|
|
||
|
return self::get_settings();
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Parse a numeric or string boolean value into a boolean.
|
||
|
*
|
||
|
* @param mixed $value The value to convert into a boolean.
|
||
|
* @return bool The converted value.
|
||
|
*/
|
||
|
public static function parse_boolean( $value ) {
|
||
|
switch ( $value ) {
|
||
|
case true:
|
||
|
case 'true':
|
||
|
case '1':
|
||
|
case 1:
|
||
|
return true;
|
||
|
|
||
|
case false:
|
||
|
case 'false':
|
||
|
case '0':
|
||
|
case 0:
|
||
|
return false;
|
||
|
|
||
|
default:
|
||
|
return (bool) $value;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Get the Akismet stats for a given time period.
|
||
|
*
|
||
|
* Possible `interval` values:
|
||
|
* - all
|
||
|
* - 60-days
|
||
|
* - 6-months
|
||
|
*
|
||
|
* @param WP_REST_Request $request
|
||
|
* @return WP_Error|WP_REST_Response
|
||
|
*/
|
||
|
public static function get_stats( $request ) {
|
||
|
$api_key = Akismet::get_api_key();
|
||
|
|
||
|
$interval = $request->get_param( 'interval' );
|
||
|
|
||
|
$stat_totals = array();
|
||
|
|
||
|
$request_args = array(
|
||
|
'blog' => get_option( 'home' ),
|
||
|
'key' => $api_key,
|
||
|
'from' => $interval,
|
||
|
);
|
||
|
|
||
|
$request_args = apply_filters( 'akismet_request_args', $request_args, 'get-stats' );
|
||
|
|
||
|
$response = Akismet::http_post( Akismet::build_query( $request_args ), 'get-stats' );
|
||
|
|
||
|
if ( ! empty( $response[1] ) ) {
|
||
|
$stat_totals[$interval] = json_decode( $response[1] );
|
||
|
}
|
||
|
|
||
|
return rest_ensure_response( $stat_totals );
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Get the current alert code and message. Alert codes are used to notify the site owner
|
||
|
* if there's a problem, like a connection issue between their site and the Akismet API,
|
||
|
* invalid requests being sent, etc.
|
||
|
*
|
||
|
* @param WP_REST_Request $request
|
||
|
* @return WP_Error|WP_REST_Response
|
||
|
*/
|
||
|
public static function get_alert( $request ) {
|
||
|
return rest_ensure_response( array(
|
||
|
'code' => get_option( 'akismet_alert_code' ),
|
||
|
'message' => get_option( 'akismet_alert_msg' ),
|
||
|
) );
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Update the current alert code and message by triggering a call to the Akismet server.
|
||
|
*
|
||
|
* @param WP_REST_Request $request
|
||
|
* @return WP_Error|WP_REST_Response
|
||
|
*/
|
||
|
public static function set_alert( $request ) {
|
||
|
delete_option( 'akismet_alert_code' );
|
||
|
delete_option( 'akismet_alert_msg' );
|
||
|
|
||
|
// Make a request so the most recent alert code and message are retrieved.
|
||
|
Akismet::verify_key( Akismet::get_api_key() );
|
||
|
|
||
|
return self::get_alert( $request );
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Clear the current alert code and message.
|
||
|
*
|
||
|
* @param WP_REST_Request $request
|
||
|
* @return WP_Error|WP_REST_Response
|
||
|
*/
|
||
|
public static function delete_alert( $request ) {
|
||
|
delete_option( 'akismet_alert_code' );
|
||
|
delete_option( 'akismet_alert_msg' );
|
||
|
|
||
|
return self::get_alert( $request );
|
||
|
}
|
||
|
|
||
|
private static function key_is_valid( $key ) {
|
||
|
$request_args = array(
|
||
|
'key' => $key,
|
||
|
'blog' => get_option( 'home' ),
|
||
|
);
|
||
|
|
||
|
$request_args = apply_filters( 'akismet_request_args', $request_args, 'verify-key' );
|
||
|
|
||
|
$response = Akismet::http_post( Akismet::build_query( $request_args ), 'verify-key' );
|
||
|
|
||
|
if ( $response[1] == 'valid' ) {
|
||
|
return true;
|
||
|
}
|
||
|
|
||
|
return false;
|
||
|
}
|
||
|
|
||
|
public static function privileged_permission_callback() {
|
||
|
return current_user_can( 'manage_options' );
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* For calls that Akismet.com makes to the site to clear outdated alert codes, use the API key for authorization.
|
||
|
*/
|
||
|
public static function remote_call_permission_callback( $request ) {
|
||
|
$local_key = Akismet::get_api_key();
|
||
|
|
||
|
return $local_key && ( strtolower( $request->get_param( 'key' ) ) === strtolower( $local_key ) );
|
||
|
}
|
||
|
|
||
|
public static function sanitize_interval( $interval, $request, $param ) {
|
||
|
$interval = trim( $interval );
|
||
|
|
||
|
$valid_intervals = array( '60-days', '6-months', 'all', );
|
||
|
|
||
|
if ( ! in_array( $interval, $valid_intervals ) ) {
|
||
|
$interval = 'all';
|
||
|
}
|
||
|
|
||
|
return $interval;
|
||
|
}
|
||
|
|
||
|
public static function sanitize_key( $key, $request, $param ) {
|
||
|
return trim( $key );
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Process a webhook request from the Akismet servers.
|
||
|
*
|
||
|
* @param WP_REST_Request $request
|
||
|
* @return WP_Error|WP_REST_Response
|
||
|
*/
|
||
|
public static function receive_webhook( $request ) {
|
||
|
Akismet::log( array( 'Webhook request received', $request->get_body() ) );
|
||
|
|
||
|
/**
|
||
|
* The request body should look like this:
|
||
|
* array(
|
||
|
* 'key' => '1234567890abcd',
|
||
|
* 'endpoint' => '[comment-check|submit-ham|submit-spam]',
|
||
|
* 'comments' => array(
|
||
|
* array(
|
||
|
* 'guid' => '[...]',
|
||
|
* 'result' => '[true|false]',
|
||
|
* 'comment_author' => '[...]',
|
||
|
* [...]
|
||
|
* ),
|
||
|
* array(
|
||
|
* 'guid' => '[...]',
|
||
|
* [...],
|
||
|
* ),
|
||
|
* [...]
|
||
|
* )
|
||
|
* )
|
||
|
*
|
||
|
* Multiple comments can be included in each request, and the only truly required
|
||
|
* field for each is the guid, although it would be friendly to include also
|
||
|
* comment_post_ID, comment_parent, and comment_author_email, if possible to make
|
||
|
* searching easier.
|
||
|
*/
|
||
|
|
||
|
// The response will include statuses for the result of each comment that was supplied.
|
||
|
$response = array(
|
||
|
'comments' => array(),
|
||
|
);
|
||
|
|
||
|
$endpoint = $request->get_param( 'endpoint' );
|
||
|
|
||
|
switch ( $endpoint ) {
|
||
|
case 'comment-check':
|
||
|
$webhook_comments = $request->get_param( 'comments' );
|
||
|
|
||
|
if ( ! is_array( $webhook_comments ) ) {
|
||
|
return rest_ensure_response( new WP_Error( 'malformed_request', __( 'The \'comments\' parameter must be an array.', 'akismet' ), array( 'status' => 400 ) ) );
|
||
|
}
|
||
|
|
||
|
foreach ( $webhook_comments as $webhook_comment ) {
|
||
|
$guid = $webhook_comment['guid'];
|
||
|
|
||
|
if ( ! $guid ) {
|
||
|
// Without the GUID, we can't be sure that we're matching the right comment.
|
||
|
// We'll make it a rule that any comment without a GUID is ignored intentionally.
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
// Search on the fields that are indexed in the comments table, plus the GUID.
|
||
|
// The GUID is the only thing we really need to search on, but comment_meta
|
||
|
// is not indexed in a useful way if there are many many comments. This
|
||
|
// should help narrow it down first.
|
||
|
$queryable_fields = array(
|
||
|
'comment_post_ID' => 'post_id',
|
||
|
'comment_parent' => 'parent',
|
||
|
'comment_author_email' => 'author_email',
|
||
|
);
|
||
|
|
||
|
$query_args = array();
|
||
|
$query_args['status'] = 'any';
|
||
|
$query_args['meta_key'] = 'akismet_guid';
|
||
|
$query_args['meta_value'] = $guid;
|
||
|
|
||
|
foreach ( $queryable_fields as $queryable_field => $wp_comment_query_field ) {
|
||
|
if ( isset( $webhook_comment[ $queryable_field ] ) ) {
|
||
|
$query_args[ $wp_comment_query_field ] = $webhook_comment[ $queryable_field ];
|
||
|
}
|
||
|
}
|
||
|
|
||
|
$comments_query = new WP_Comment_Query( $query_args );
|
||
|
$comments = $comments_query->comments;
|
||
|
|
||
|
if ( ! $comments ) {
|
||
|
// Unexpected, although the comment could have been deleted since being submitted.
|
||
|
Akismet::log( 'Webhook failed: no matching comment found.' );
|
||
|
|
||
|
$response['comments'][ $guid ] = array( 'status' => 'error', 'message' => __( 'Could not find matching comment.', 'akismet' ) );
|
||
|
|
||
|
continue;
|
||
|
} if ( count( $comments ) > 1 ) {
|
||
|
// Two comments shouldn't be able to match the same GUID.
|
||
|
Akismet::log( 'Webhook failed: multiple matching comments found.', $comments );
|
||
|
|
||
|
$response['comments'][ $guid ] = array( 'status' => 'error', 'message' => __( 'Multiple comments matched request.', 'akismet' ) );
|
||
|
|
||
|
continue;
|
||
|
} else {
|
||
|
// We have one single match, as hoped for.
|
||
|
Akismet::log( 'Found matching comment.', $comments );
|
||
|
|
||
|
$current_status = wp_get_comment_status( $comments[0] );
|
||
|
|
||
|
$result = $webhook_comment['result'];
|
||
|
|
||
|
if ( 'true' == $result ) {
|
||
|
Akismet::log( 'Comment should be spam' );
|
||
|
|
||
|
// The comment should be classified as spam.
|
||
|
if ( 'spam' != $current_status ) {
|
||
|
// The comment is not classified as spam. If Akismet was the one to act on it, move it to spam.
|
||
|
if ( Akismet::last_comment_status_change_came_from_akismet( $comments[0]->comment_ID ) ) {
|
||
|
Akismet::log( 'Comment is not spam; marking as spam.' );
|
||
|
|
||
|
wp_spam_comment( $comments[0] );
|
||
|
Akismet::update_comment_history( $comments[0]->comment_ID, '', 'webhook-spam' );
|
||
|
} else {
|
||
|
Akismet::log( 'Comment is not spam, but it has already been manually handled by some other process.' );
|
||
|
Akismet::update_comment_history( $comments[0]->comment_ID, '', 'webhook-spam-noaction' );
|
||
|
}
|
||
|
}
|
||
|
} else if ( 'false' == $result ) {
|
||
|
Akismet::log( 'Comment should be ham' );
|
||
|
|
||
|
// The comment should be classified as ham.
|
||
|
if ( 'spam' == $current_status ) {
|
||
|
Akismet::log( 'Comment is spam.' );
|
||
|
|
||
|
// The comment is classified as spam. If Akismet was the one to label it as spam, unspam it.
|
||
|
if ( Akismet::last_comment_status_change_came_from_akismet( $comments[0]->comment_ID ) ) {
|
||
|
Akismet::log( 'Akismet marked it as spam; unspamming.' );
|
||
|
|
||
|
wp_unspam_comment( $comments[0] );
|
||
|
akismet::update_comment_history( $comments[0]->comment_ID, '', 'webhook-ham' );
|
||
|
} else {
|
||
|
Akismet::log( 'Comment is not spam, but it has already been manually handled by some other process.' );
|
||
|
Akismet::update_comment_history( $comments[0]->comment_ID, '', 'webhook-ham-noaction' );
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
$response['comments'][ $guid ] = array( 'status' => 'success' );
|
||
|
}
|
||
|
}
|
||
|
|
||
|
break;
|
||
|
case 'submit-ham':
|
||
|
case 'submit-spam':
|
||
|
// Nothing to do for submit-ham or submit-spam.
|
||
|
break;
|
||
|
default:
|
||
|
// Unsupported endpoint.
|
||
|
break;
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Allow plugins to do things with a successfully processed webhook request, like logging.
|
||
|
*
|
||
|
* @since 5.3.2
|
||
|
*
|
||
|
* @param WP_REST_Request $request The REST request object.
|
||
|
*/
|
||
|
do_action( 'akismet_webhook_received', $request );
|
||
|
|
||
|
Akismet::log( 'Done processing webhook.' );
|
||
|
|
||
|
return rest_ensure_response( $response );
|
||
|
}
|
||
|
}
|