Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#10280 closed enhancement (wontfix)

Comment approval bypassing administrator must always approve comments feature.

Reported by: JimJordan
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.8
Component: Comments
Keywords:
Focuses:
Cc:

Description

I was testing security: when a contributor submits a post and the post is then approved by the administrator, that contributor can then enter any number of comments on that specific post without any approval by the administrator. The checkbox for “administrator must always approve comments” is checked.
I have deactivated 2 plugins Capability Manager v1.2, and Draft Notifier v1.2.1.
I was using Pixel v1.9.5 theme and went back to WordPress Default v1.6 theme.
Retested and the problem still exists.

Change History (16)

comment:1 follow-up: @Denis-de-Bernardy 6 years ago

  • Keywords reporter-feedback added
  • Milestone changed from Unassigned to 2.9

Changes made to your user roles and caps would stick even if you disable the cap manager. Can you also try it on a clean install?

comment:2 @Denis-de-Bernardy 6 years ago

  • Component changed from General to Comments
  • Severity changed from major to normal

comment:3 in reply to: ↑ 1 @JimJordan 6 years ago

Replying to Denis-de-Bernardy:

Changes made to your user roles and caps would stick even if you disable the cap manager. Can you also try it on a clean install?

Yes, I am in the process of creating a completely new database and blog with WordPress 2.8 and will get back to you after testing.

comment:4 @JimJordan 6 years ago

Completed setting up new blog:
http://hpclife.com/Blog_wordpress_test/
I did not make any modifications other than the settings to turn on administrator must be notified on comments and a few other minor settings.
I set up an Editor, Test1 Contributor, and Test2 Contributor.
Ran the same test and again it allowed the original contributor (test1) to submit any comments without moderation. What do you need next? I can give you the full blog admin signon. I just don't like to post pw here.

comment:5 follow-up: @mrmist 6 years ago

It worksforme in current trunk. The contributor is always held for moderation.

"An administrator must always approve the comment" must be checked.

comment:6 in reply to: ↑ 5 @JimJordan 6 years ago

Replying to mrmist:

It worksforme in current trunk. The contributor is always held for moderation.

"An administrator must always approve the comment" must be checked.

Well, it doesn't work for me, and "An administrator must always approve the comment" IS checked. What now? You want the signons?

comment:7 follow-up: @mrmist 6 years ago

Working through the code flow, the only thing that I can see overriding comment moderation would be if the contributor was the post author. Is the contributor the post author?

comment:8 in reply to: ↑ 7 @JimJordan 6 years ago

Replying to mrmist:

Working through the code flow, the only thing that I can see overriding comment moderation would be if the contributor was the post author. Is the contributor the post author?

Yes, he is.

comment:9 follow-up: @mrmist 6 years ago

The current logic (in wp_allow_comment) bypasses comment moderation requirements for the author of the post. So in that event the comment would be posted without approval.

This behaviour has not changed since 2.7.

comment:10 in reply to: ↑ 9 @JimJordan 6 years ago

Replying to mrmist:

The current logic (in wp_allow_comment) bypasses comment moderation requirements for the author of the post. So in that event the comment would be posted without approval.

This behaviour has not changed since 2.7.

In the past, before you had the ability to moderate posts, we had not allowed the contributor function. Now that it is there, we would like to use the contributor post function that is moderated, but also moderate any comments that they issue. We are very cautious about something inappropriate being entered. They can be a good poster and then exploit the hole and become a bad commenter.
If there is anything you can do, please help. If you don't want to modify the base product, then tell me what I could change in a php or js script to accomplish this. Thanks.

comment:11 follow-up: @mrmist 6 years ago

  • Keywords reporter-feedback removed
  • Type changed from defect (bug) to enhancement
  • Version set to 2.8

A quick and dirty hack would be to modify wp-includes\comment.php so line 428 changes from

if ( isset($userdata) && ( $user_id == $post_author || $user->has_cap('moderate_comments') ) ) {

to

if ( isset($userdata) && ( $user->has_cap('moderate_comments') ) ) {

Realistically, any change to this is more an enhancement, since the behaviour as is is "correct" in most cases. I expect it wouldn't be impossible to make it configurable as to whether post authors are or are not automatically approved.

comment:12 in reply to: ↑ 11 @JimJordan 6 years ago

Replying to mrmist:

A quick and dirty hack would be to modify wp-includes\comment.php so line 428 changes from

if ( isset($userdata) && ( $user_id == $post_author || $user->has_cap('moderate_comments') ) ) {

to

if ( isset($userdata) && ( $user->has_cap('moderate_comments') ) ) {

Realistically, any change to this is more an enhancement, since the behaviour as is is "correct" in most cases. I expect it wouldn't be impossible to make it configurable as to whether post authors are or are not automatically approved.

Thank you. I modified the code and tested, and it does what I needed. I do understand that I will have to maintain this piece of code until an enhancement is made. Is there any way that I could be notified when the enhancement is completed?
Again, Thank You Very Much

comment:13 follow-up: @Denis-de-Bernardy 6 years ago

Imo, you're going to wait for a very, very long time... It'll probably never be fixed, unless a core dev decides the current behavior is incorrect.

There almost certainly is a way for you to change this behavior with a plugin, which doesn't help either.

comment:14 in reply to: ↑ 13 @JimJordan 6 years ago

Replying to Denis-de-Bernardy:

Imo, you're going to wait for a very, very long time... It'll probably never be fixed, unless a core dev decides the current behavior is incorrect.

There almost certainly is a way for you to change this behavior with a plugin, which doesn't help either.

OK, Just thought I would ask. I will review any future upgrades. And won't reply anymore to this ticket. Thanks again.

comment:15 @Denis-de-Bernardy 6 years ago

Just to add to my previous comment, the filter to use is: pre_comment_approved.
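
The following is an added example, not code from this ticket or from WordPress core, showing how the plugin route that comment 13 mentions and the filter that comment 15 names can replace the core hack from comment 11: a small plugin that forces the post author's own comments into the moderation queue whenever the "An administrator must always approve the comment" setting (stored in the `comment_moderation` option) is on, while leaving users who can `moderate_comments` auto-approved. It assumes the filter signature used by current cores (`$approved, $commentdata`), with a fallback to the logged-in user and the submitted `comment_post_ID` for cores that pass only `$approved`; the `hpac_` prefix and plugin name are hypothetical.

```php
<?php
/*
Plugin Name: Hold Post-Author Comments (example)
Description: Example plugin, not part of WordPress core or this ticket. Keeps
"An administrator must always approve the comment" in force for a post's own
author unless that user has the moderate_comments capability.
*/

// Hypothetical prefix "hpac_". accepted_args is 2 for current cores; cores that
// pass only $approved leave $commentdata at its null default.
add_filter( 'pre_comment_approved', 'hpac_hold_post_author_comments', 10, 2 );

function hpac_hold_post_author_comments( $approved, $commentdata = null ) {
	// Only intervene when core decided to auto-approve (1). Leave 0 and 'spam' alone.
	if ( 1 !== (int) $approved ) {
		return $approved;
	}

	// Respect the site setting: do nothing unless manual approval is required.
	if ( ! get_option( 'comment_moderation' ) ) {
		return $approved;
	}

	if ( is_array( $commentdata ) ) {
		$user_id = isset( $commentdata['user_id'] ) ? (int) $commentdata['user_id'] : 0;
		$post_id = isset( $commentdata['comment_post_ID'] ) ? (int) $commentdata['comment_post_ID'] : 0;
	} else {
		// Assumption: on cores that pass only $approved, fall back to the
		// logged-in user and the comment_post_ID field from the comment form.
		$current = wp_get_current_user();
		$user_id = $current ? (int) $current->ID : 0;
		$post_id = isset( $_POST['comment_post_ID'] ) ? (int) $_POST['comment_post_ID'] : 0;
	}

	// Anonymous comments never reach the post-author bypass in wp_allow_comment.
	if ( ! $user_id || ! $post_id ) {
		return $approved;
	}

	// Moderators keep their auto-approval; that branch is the intended one.
	$user = new WP_User( $user_id );
	if ( $user->has_cap( 'moderate_comments' ) ) {
		return $approved;
	}

	// The bypass described in comment 9: the commenter is the post's author.
	$post_author = (int) get_post_field( 'post_author', $post_id );
	if ( $user_id === $post_author ) {
		return 0; // 0 = unapproved: held in the moderation queue.
	}

	return $approved;
}
```

Drop the file into wp-content/plugins and activate it. Because it hooks the filter rather than editing wp-includes/comment.php, it survives core upgrades; note that it only affects comments that pass through wp_allow_comment (the comment form and XML-RPC), not comments inserted directly with wp_insert_comment.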

comment:16 @ryan 6 years ago

  • Milestone 2.9 deleted
  • Resolution set to wontfix
  • Status changed from new to closed