Do not notify the post author about comments if they are no longer a member of the blog

[ryan]

wp_notify_postauthor() should not notify the post author of comments if the author is no longer a member of the blog.

[ryan]

Props nickmomrik

[ryan]

This has been running on wordpress.com for 13 months.

[markjaquith]

I like my patches like I like my drinks: simple, aged, respectable.

[markjaquith]

In 23294:

Do not notify the post author about comments if they are no longer a member of the blog. props nickmomrick. fixes #23136

[nacin]

I don't think this is so clear-cut. This had an existing ticket, #19395.

If they're still a member of the network, why shouldn't they get the email? They're still the author of the post, they just no longer have permissions on the blog. Perhaps the issue here isn't that they're no longer a member of the blog, but that a particular current_user_can() would fail. Specifically, the Trash/Delete and Spam links should confirm that they can still moderate the comment, so current_user_can( 'edit_comment', $comment_id ).

[nacin]

#19395 was marked as a duplicate.

[markjaquith]

Deleting their membership on that site is effectively like deleting them from the site. Why shouldn't it sever ties?

[aaroncampbell]

I have to go with Mark here. If the person is no longer on the site, there's likely a reason. If you want to take away their author capabilities and allow them to still receive notifications, you can just demote them to subscriber right? Seems like a bit of an edge case, but one with an easy solution.

[wonderboymusic]

When someone stops working at my company, they lose access to their blogs - yet, they are still cordial with the staff and sometimes still comment on other posts. Why cut off the notifications? Seems byzantine.

[nacin]

When you remove a user from a site, he remains an author of existing posts. Unless you delete the author entirely, there is no reassignment mechanism. The user still exists on the network and is still a valid user for the blog in terms of post_author and comment user_id. If there was a way to "shut off" a user account across a network (say, closing down a staff account for someone who left staff, but wrote lots of posts), then I could understand a desire to shut off a site.

As it stands, [23294] would break posts by a super admin, which I imagine is not uncommon. While a super admin *should* probably add themselves to individual sites, they might not.

This is for wp_notify_postauthor(), which is only sent on published comments. As long as the author can still read the post — and a cap check exists for that — they should still receive the notification. Why not? They still authored the post, and they can still reply, after all.

The user should only see trash/spam/delete links if they cannot edit_comment, of course. (If demoted to a subscriber, they can still read but won't be able to edit, for example. Not sure whether contributors can touch comments on their own posts.)

If we're going to silence these notifications once the author is removed from the blog, then maybe what we're looking for is a cap check like read or edit_comment?

I'm not saying there should be *no* change here. Clearly, something is needed. [23294] could even stay if that is consensus. But that still does not carve out an exception for super admins, nor does it block moderation links for users who can't moderate said comment.

[SergeyBiryukov]

Replying to nacin:

When you remove a user from a site, he remains an author of existing posts. Unless you delete the author entirely, there is no reassignment mechanism.

Related: #15855

[omarabid]

Replying to nacin:

This is for wp_notify_postauthor(), which is only sent on published comments. As long as the author can still read the post — and a cap check exists for that — they should still receive the notification. Why not? They still authored the post, and they can still reply, after all.

I agree to your reasoning. However, I think it's mandatory that the said user can opt out for email notifications (which is going to be complicated since he's no longer a user)

[markjaquith]

Couldn't they just be dropped to a subscriber, on that site, then?

[nacin]

How about 23136.2.diff​:

• Uses 'read', which is the equivalent of subscriber. If they're a member of the site, they still get an email. No functional change from [23294] except that it works with super admins by using the capabilities API.
• Prevents an author from receiving Trash/Spam links if they can't actually edit the comment.

[markjaquith]

I like that approach.

[aaroncampbell]

I tested a bunch of possible cases on a non-MS site and all worked as expected (notified as editor, author, subscriber; not notified with no role or when deleted). I didn't check the MS super-admin issue.

[aaroncampbell]

Also, as subscriber the notification E-Mail didn't have the Trash and Spam links (again, as expected).

[nacin]

In 24649:

Do not notify the post author about comments if they are no longer a member of the blog.

This updates [23294] to use capability checks to determine if the user can still edit a post, which works for super admins. Additionally, it hides Trash/Spam action links when the user is still a member of the blog but cannot (or can no longer) moderate the comment.

fixes #23136.