Wrong capability check in wp_ajax_replyto_comment

[fgauthier]

The wp_ajax_replyto_comment function in the wp-admin/includes/ajax-actions.php checks the "edit-post" capability instead of the "edit-comment" capability.

Attached a tested patch.

[nacin]

edit_post is proper here. The question is, can they edit the post to which they are posting a comment? Yes, they can. And because of that, they are allowed to reply from the admin. edit_comment would only make sense if we had a comment to check against. Here, we have a post to check against.

[fgauthier]

I may be confused, but wp_ajax_replyto_comment is called from the admin -> comments console when the admin clicks the reply link of a comment, not a post.

This function allows the admin to reply to a comment and potentially approve the comment to which he is replying to. It seems to me that we have a comment to check against, not a post.

Also, approving comments in wp-admin/edit-comments.php requires the "edit_comment" capability, not "edit_post".

[ocean90]

See 23939.patch​, we are checking against a post id, not a comment id.

[fgauthier]

Replaces the "edit_post" capability by the "edit_comment" capability in wp_ajax_replyto_comment

[fgauthier]

I see, thanks for the explanation.

Then I guess my question is, why don't we check the comment ID instead? It would make more sense in IMHO given that this function approves comments.

I updated the patch to check the comment id instead of the post id.

[ocean90]

Because the parent comment will be approved when you reply to it. And you are only allowed to change a status of a comment if you can edit the post to which the comment was posted.

[nacin]

Replying to ocean90:

Because the parent comment will be approved when you reply to it. And you are only allowed to change a status of a comment if you can edit the post to which the comment was posted.

Yeah... So, there should probably be a edit_comment check on the comment to which the user is replying. This maps to the exact same edit_post check, but who knows what a plugin may be doing with it.

[fgauthier]

Replying to nacin:

Replying to ocean90:

Because the parent comment will be approved when you reply to it. And you are only allowed to change a status of a comment if you can edit the post to which the comment was posted.

Yeah... So, there should probably be a edit_comment check on the comment to which the user is replying. This maps to the exact same edit_post check, but who knows what a plugin may be doing with it.

I agree and it would be consistent with wp-admin/edit-comments.php where both the edit_posts AND edit_comment are checked before the approval of a comment.

[SergeyBiryukov]

Has been this way since the feature was introduced in [8720].

[fgauthier]

Replying to SergeyBiryukov:

Has been this way since the feature was introduced in [8720].

Yeah, but in ticket:14520 and [15596], the edit_comment capability was introduced in edit-comment.php to replace edit_post. The wp_ajax_replyto_comment function performs similar operations but is still protected by the edit_post capability.

[rachelbaker]

Only check edit_comment if the comment is being approved with reply

[rachelbaker]

When replying to an unapproved comment in the Dashboard->Comments list-table the parent comment is also automatically approved, this is where the edit_comment check is needed. I left the original edit_post capability check and added the (slightly redundant) edit_comment check only when the comment is being moderated along with the reply.

[wonderboymusic]

In 34074:

AJAX Reply to Comment: check the edit_comment cap when parent comment will be auto-approved.

Props rachelbaker.
Fixes #23939.