
Ticket #16134: 16134.patch

File 16134.patch, 1.4 KB (added by solarissmoke, 4 years ago)

Check that a post author still has permissions to edit comments before inserting spam/trash links into notification email

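--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -1063,11 +1063,15 @@
         }
         $notify_message .= get_permalink($comment->comment_post_ID) . "#comments\r\n\r\n";
         $notify_message .= sprintf( __('Permalink: %s'), get_permalink( $comment->comment_post_ID ) . '#comment-' . $comment_id ) . "\r\n";
-        if ( EMPTY_TRASH_DAYS )
-                $notify_message .= sprintf( __('Trash it: %s'), admin_url("comment.php?action=trash&c=$comment_id") ) . "\r\n";
-        else
-                $notify_message .= sprintf( __('Delete it: %s'), admin_url("comment.php?action=delete&c=$comment_id") ) . "\r\n";
-        $notify_message .= sprintf( __('Spam it: %s'), admin_url("comment.php?action=spam&c=$comment_id") ) . "\r\n";
+        
+        // check that author can edit comments, in case their role has changed
+        if ( user_can( $author->ID, 'edit_comment', $comment_id ) ) {
+                if ( EMPTY_TRASH_DAYS )
+                        $notify_message .= sprintf( __('Trash it: %s'), admin_url("comment.php?action=trash&c=$comment_id") ) . "\r\n";
+                else
+                        $notify_message .= sprintf( __('Delete it: %s'), admin_url("comment.php?action=delete&c=$comment_id") ) . "\r\n";
+                $notify_message .= sprintf( __('Spam it: %s'), admin_url("comment.php?action=spam&c=$comment_id") ) . "\r\n";
+        }
 
         $wp_email = 'wordpress@' . preg_replace('#^www\.#', '', strtolower($_SERVER['SERVER_NAME']));
 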
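Review bot: The `user_can( $author->ID, 'edit_comment', $comment_id )` guard at new line 1068 is evaluated once, when the mail is built, so it only decides whether the moderation links are shown; it is not an authorization control, and the comment above it should say so. Suggested wording: `// Only show moderation links if the author can currently edit this comment; comment.php must still check the capability when a link is followed.` A role change after the mail is sent is therefore covered only by the check on the receiving side, which is outside this hunk. The enclosing function also starts and ends outside the hunk, so where `$author` is assigned is not visible here; presumably it is always a user object at this point, which is worth confirming because `$author->ID` is dereferenced without a guard.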