Opened 4 years ago

Last modified 6 months ago

#12104 new enhancement

edit-comments.php not available to roles with proper capabilities

Reported by: sillybean
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version: 3.0
Component: Comments
Keywords: has-patch needs-testing
Focuses:
Cc:

Description

I tried to create a Comment Moderator role today and realized it wouldn't work. My intention was to create a role for people who can't write or edit posts, but can keep an eye on the comment threads. I created the role like so:

add_role('moderator', 'Moderator', array(
    'read' => 1,
    'moderate_comments' => 1,
));

... then created a new user with that role. When I logged in as my test user, I realized that it was for all intents and purposes a Subscriber. I couldn't see any admin panels but the Dashboard, my profile, and the Tools. I went poking around in edit-comments.php and discovered that it's checking for another capability altogether:

if ( !current_user_can('edit_posts') )
    wp_die(__('Cheatin’ uh?'));

I double-checked wp-admin/includes/menu.php and it agreed that 'edit_posts' was the minimum capability to see this page, so I tried adding 'edit_posts' to my new role, and I still couldn't get there.

Later on in edit-comments.php, when actually trashing a comment, there is a check for 'moderate_comments', but it's a moot point: this screen doesn't even show up in the admin menu, and if you navigate directly to it, you'll get the "You do not have sufficient permissions to access this page" message.

I thought it was entirely possible I'd missed some finer point of creating roles, so I redid it with Justin Tadlock's excellent Members plugin, and that didn't work either.

This behavior might be intentional, but if so, I'm not following the logic. I know roles are due for an overhaul in the next version or two.

Attachments (3)

moderate_comments.diff (1.8 KB) - added by sillybean 4 years ago.
this gets the user to the page, but they still can't actually approve a held comment
12104.patch (527 bytes) - added by linuxologos 2 years ago.
12104.diff (1.5 KB) - added by nacin 2 years ago.


Change History (32)

sillybean 4 years ago

this gets the user to the page, but they still can't actually approve a held comment

comment:1 follow-up: nacin 4 years ago

  • Component changed from General to Comments

Currently, you need to be able to edit the specific post for which you're moderating a comment. Thus, the whole moderation panel is restricted by edit_posts. (You can possibly hack this for edit-comments.php and comment.php using the filter in map_meta_cap.)

This has come up before, both in general (the hijacking of caps), and moderation in particular. In general, there has been an expansion of capabilities already on 3.0. Specifically, this was discussed on #wordpress-dev after the dev chat on January 7. There hasn't been a ticket yet, so I guess this is it.

comment:2 in reply to: ↑ 1 ; follow-up: sillybean 4 years ago

Replying to nacin:

Currently, you need to be able to edit the specific post for which you're moderating a comment.

Well, that explains it. But... why?

comment:3 in reply to: ↑ 2 nacin 4 years ago

Replying to sillybean:

Replying to nacin:

Currently, you need to be able to edit the specific post for which you're moderating a comment.

Well, that explains it. But... why?

Because, when it was coded, that's the route they took. Unbundling that will take a lot of work modifying a lot of checks across numerous files. It is something that has been indicated as desirable, so once a patch is created it'll probably make it into core pretty quickly.

On the other hand, the core upgrader currently requires the upgrade_plugins cap. Changing that to something like upgrade_core is four lines (change the cap, populate it, map it for Multisite is_super_admin, update the db version). It just hasn't been done yet.

It seems the core developers are ready to move forward with an expansion of capabilities. We just need to identify what needs to get changed and change it.

comment:4 follow-up: sillybean 4 years ago

In this particular instance, I think it would make sense to redo the comment moderation capabilities to look more like posts and pages: one for moderating comments on one's own stuff, and one for moderating all comments.

comment:5 sillybean 4 years ago

I'd take another crack at a patch, but map_meta_cap is a bit over my head at the moment.

There are a number of tickets on the larger role/cap issue, like #2531 and #10201.

comment:6 nacin 4 years ago

I'm thinking about improvements to this while being backwards compatible. If we used moderate_comments as the entrance, then further restricted it by a new meta cap, moderate_comment. moderate_comment is more or less a copy of the edit_post meta cap, which means edit_posts, edit_others_posts, etc. They would be based on their counterparts.

For the moderation role, we'd need to figure out a way to flip moderate_comment to on for all. That could easily be done via a filter on map_meta_cap, or perhaps some other wider cap. Point is, the separation is a start and would allow plugins to control this consistently.

I'm probably missing something. Just figured I'd muse and progress the ticket along ever so slightly. On the other hand, if this seems like a good idea to anyone, I can put it on my to-do list.

comment:7 nacin 4 years ago

  • Milestone changed from Unassigned to 3.1

3.1 sounds like a good time for this.

comment:8 pbearne 4 years ago

  • Cc pbearne added

comment:9 in reply to: ↑ 4 shidouhikari 4 years ago

  • Cc shidouhikari added

Replying to sillybean:

In this particular instance, I think it would make sense to redo the comment moderation capabilities to look more like posts and pages: one for moderating comments on one's own stuff, and one for moderating all comments.

Agreed. Requiring capability to edit a post to be able to edit that post's comments means comments are an extension of their post. That's correct for sites that have few comments and ppl who edit posts also edit comments.

But for a site where comments take post's visibility and look more as a forum, having comment moderators who deal with commentators interaction and don't have access to posts is a logical approach.

As a use case, I've seen some "communities" (in Brasil at least) where they aren't organized and skilled enough to build their forum, so they google for their concerning subjects and start commenting on posts of any site they find that had published a post about that subject.

Some small sites' posts get high ranked on Google because the amount of comments and content about that subject, and comments get much bigger than original post, with many comments with more content and relevance than the post, and it really becomes a discussion forum. Some site owners even get scared with it and they also go to a trolling line of debate, and when comments get closed for that post they restart searching for another site where their discussion/trolling is accepted.

If mini-forum sites would be created using this behavior, with posts offering subjects for visitors debate and it gets popular, site's owner would end up wanting to promote commentators to manage comments. But they wouldn't wanna give moderators access to edit the post, because mods could use post's special highlight to add content owner would want to remain democratically in comments.

Subscribed users also could edit their past comments, and a plugin could be made to restrict old comments from being edited.

WordPress should support this comment moderation feature :)

comment:10 scribu 4 years ago

Related: #14520

comment:11 nacin 3 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Triage to Future Release
  • Type changed from defect (bug) to enhancement

With edit_comment, we're closer to doing this. Needs patch. If someone wants to ping me at the start of 3.2 I'll take a look again.

comment:12 azizur 3 years ago

  • Cc azizur added

comment:13 scribu 2 years ago

Marked #19287 as dup.

comment:14 linuxologos 2 years ago

  • Cc linuxologos@… added

linuxologos 2 years ago

comment:15 linuxologos 2 years ago

  • Keywords has-patch needs-testing added; needs-patch removed

12104.patch should allow a user/role with moderate_comments + edit_posts capabilities to access the Comments screen and moderate all comments. I think this is the most minimalistic and backwards compatible approach.

The only discussion this could raise, which I can think of, is whether such a user/role should have his comments checked upon submission or not (see: http://core.trac.wordpress.org/browser/tags/3.3/wp-includes/comment.php#L641).

comment:16 jordash56 2 years ago

I added the patch that linuxologos suggested and it worked great.

My suggestion would be to have multiple roles, something like "Super Moderator -> Can moderate all comments" "Moderator -> Can moderate his own comments" etc.

comment:17 greenshady 2 years ago

I just ran into this issue too for a site I was building. I tried to build a small plugin that disallowed post authors to edit comments and have a single role for comment moderation. I've also gotten several questions about this from users that are using my role management plugin.

I'll be more than happy to help out with this.

comment:18 Mamaduka 2 years ago

  • Cc georgemamadashvili@… added

comment:19 toscho 2 years ago

  • Cc info@… added

nacin 2 years ago

comment:21 nacin 2 years ago

Now that we have the edit_comment meta cap that can be easily tweaked by a plugin to suit one's workflow, the only thing we're really missing here is dual checks for edit-comments.php — allow the page to be accessible with either edit_posts OR manage_comments. 12104.diff is entirely untested. What does everyone think?
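
An added example, not part of the ticket or its attached patches: one way a plugin could adjust the edit_comment meta cap mentioned above so that holders of moderate_comments can act on individual comments without edit rights on the parent post. It covers the per-comment check only, not the edit_posts gate on the edit-comments.php screen; the example_ function names and the published-posts restriction are assumptions.

```php
<?php
// Added example: not WordPress core code and not one of the ticket's patches.
// Function names prefixed example_ are hypothetical.

// Register the reporter's role once, on plugin activation.
register_activation_hook( __FILE__, 'example_add_moderator_role' );
function example_add_moderator_role() {
	add_role( 'moderator', 'Moderator', array(
		'read'              => true,
		'moderate_comments' => true,
	) );
}

add_filter( 'map_meta_cap', 'example_map_edit_comment', 10, 4 );
function example_map_edit_comment( $caps, $cap, $user_id, $args ) {
	// Touch only the per-comment meta cap; every other check keeps core's mapping.
	if ( 'edit_comment' !== $cap || empty( $args[0] ) ) {
		return $caps;
	}

	$comment_id = (int) $args[0];
	$comment    = get_comment( $comment_id );
	if ( ! $comment ) {
		return $caps; // Unknown comment: fall back to core's stricter mapping.
	}

	// Assumption: moderators only act on comments attached to published posts,
	// so drafts and private posts still require edit rights on the post itself.
	if ( 'publish' !== get_post_status( $comment->comment_post_ID ) ) {
		return $caps;
	}

	// moderate_comments is a primitive cap, so this nested check leaves the
	// filter through the early return above and cannot recurse.
	if ( user_can( $user_id, 'moderate_comments' ) ) {
		return array( 'moderate_comments' );
	}

	// Users without moderate_comments (e.g. authors) keep core's mapping,
	// which ties edit_comment to editing the parent post.
	return $caps;
}
```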

comment:22 scribu 2 years ago

edit_posts OR manage_comments seems very reasonable.

comment:23 nprasath002 2 years ago

edit_posts will list all the custom post type comments even if the user has no capabilities.

comment:24 nprasath002 2 years ago

Ideally we should get all the custom post types and check whether the user has the capability with that post type, or we can run a loop for every comment and check edit_comment capability.
I am not sure how to solve this?

comment:25 scribu 2 years ago

But that's no different from what we have now: users with 'edit_posts' cap see all comments, whether they can edit them or not.

With the patch, however, they can at least edit the comments that they're allowed to edit.

comment:26 scribu 2 years ago

What I mean to say is that the current patch is a step in the right direction and should be committed if nothing better comes along.

comment:27 danielbachhuber 18 months ago

  • Cc danielbachhuber added

comment:28 johnbillion 8 months ago

#19286 was marked as a duplicate.

comment:29 johnbillion 6 months ago

#20050 was marked as a duplicate.
