Comments: wp-admin ignores moderate_comments #17687

Closed
gwwar opened this issue Sep 1, 2017 · 4 comments
Labels
[Feature] Comments Comments on posts and the admin screen for managing them. [Type] Bug


gwwar commented Sep 1, 2017

It turns out that wp-admin does not respect moderate_comments at all. https://core.trac.wordpress.org/ticket/6907#comment:4

At a high level this means that a default Author role can moderate comments on their post in wp-admin, but cannot do so using our REST APIs.

Unless there are security concerns, I would recommend modifying the comment endpoints to match wp-admin behavior.

To summarize:

  • Visibility of edit-comments.php checks edit_posts instead of moderate_comments
  • Authors in wp-admin can see all comments (pending too), but they can only moderate comments on their own blog posts. The action bar is missing from other comments
  • The API endpoints are much stricter. An author can only see approved comments, unapproved comments on their post, and cannot moderate any comments.


@gwwar gwwar added [Type] Bug [Feature] Comments Comments on posts and the admin screen for managing them. labels Sep 1, 2017

gwwar commented Sep 1, 2017

Also probably related:
Automattic/notifications-panel#180
#10529


gwwar commented Sep 1, 2017

Verified that edit-comments.php uses edit_posts instead of moderate_comments

The action links are also filtered by:

```php
foreach ( $comment_ids as $comment_id ) { // Check the permissions on each
	if ( ! current_user_can( 'edit_comment', $comment_id ) )
		continue;
	// ... rest of the loop body is not shown in this excerpt
}
```
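The discrepancy described in the comments above, modelled as an added example that is not part of the original thread or the project's code. It assumes WordPress's default Editor and Author capabilities and a reduced form of core's `edit_comment` to `edit_post` mapping; the function names and sample data are hypothetical.

```python
# Simplified model of the two authorization paths compared in this issue.
# Assumptions: default WordPress role caps; reduced edit_comment -> edit_post mapping.
from dataclasses import dataclass

ROLE_CAPS = {
    "editor": {"edit_posts", "edit_published_posts", "edit_others_posts", "moderate_comments"},
    "author": {"edit_posts", "edit_published_posts"},
}

@dataclass(frozen=True)
class Comment:
    id: int
    post_author: str       # user who wrote the post being commented on
    post_published: bool
    approved: bool

def can_edit_comment(user, role, c):
    """wp-admin path: per-comment 'edit_comment' check, resolved via the parent post."""
    if c.post_author == user:
        needed = {"edit_published_posts"} if c.post_published else {"edit_posts"}
    else:
        needed = {"edit_others_posts"}
        if c.post_published:
            needed.add("edit_published_posts")
    return needed <= ROLE_CAPS[role]

def admin_view(user, role, comments):
    """wp-admin: screen gated on edit_posts; all comments listed, actions only if editable."""
    if "edit_posts" not in ROLE_CAPS[role]:
        return {}
    return {c.id: can_edit_comment(user, role, c) for c in comments}

def strict_api_view(user, role, comments):
    """Stricter API path as described in the issue: moderating needs moderate_comments."""
    mod = "moderate_comments" in ROLE_CAPS[role]
    return {c.id: mod for c in comments
            if mod or c.approved or c.post_author == user}

def mismatches(user, role, comments):
    """Comment ids where the two paths disagree on visibility or on the right to moderate."""
    a, b = admin_view(user, role, comments), strict_api_view(user, role, comments)
    return sorted(i for i in a.keys() | b.keys() if a.get(i) != b.get(i))

# Constructed sample data: alice is an Author; bob wrote the other post.
SAMPLE = [
    Comment(1, "alice", True, True), Comment(2, "alice", True, False),
    Comment(3, "bob", True, True), Comment(4, "bob", True, False),
]
```

Each view maps a visible comment id to whether the user may moderate it, so `mismatches` can serve as a regression check that two authorization paths for the same resource stay aligned.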

@kwight kwight self-assigned this Oct 5, 2017

kwight commented Oct 6, 2017

Working on this in:


kwight commented Oct 16, 2017

POSTs (moderate) fixed in r163946-wpcom and Automattic/jetpack#7981 (v5.5).
GETs (view) fixed in r163950-wpcom and Automattic/jetpack#7980 (v5.5).
