Unapproved comments show publicly when using custom page parameter

[smerriman]

The fix for #35175 adds code which does a manual comment query when wp_list_comments is called with args that don't match the main query (eg a page parameter).

However, the fix queries comments with 'status=all'. This means it includes unapproved comments - so any theme which uses a custom page parameter results in all unapproved comments showing up publicly.

This is a major issue.

@boonebgorges

[smerriman]

Perhaps should match the 'default' logic where unapproved comments for the current user are included too? Ie something like (sorry, don't have things set up to add patches easily myself right now):

$comment_args = array(
	'post_id' => get_the_ID(),
	'orderby' => 'comment_date_gmt',
	'order' => 'ASC',
	'status' => 'approve',
);

global $user_ID;
$commenter = wp_get_current_commenter();
$comment_author_email = $commenter['comment_author_email'];
if ( $user_ID ) {
	$comment_args['include_unapproved'] = array( $user_ID );
} elseif ( ! empty( $comment_author_email ) ) {
	$comment_args['include_unapproved'] = array( $comment_author_email );
}

$comments = get_comments($comment_args);

[boonebgorges]

Perhaps should match the 'default' logic where unapproved comments for the current user are included too

Yup, this sounds right. Thanks for the report.

[boonebgorges]

In 37655:

Comments: In wp_list_comments(), queries with custom pagination params should obey default comment_status logic.

When custom pagination parameters are passed to wp_list_comments(), a
secondary query must be performed to fetch the proper comments. See [36157].
This query should show comments of the same comment_status as the default
query initialized in comments_template(): show only comments that are
approved, or those that are unapproved but belong to the current user.

Props smerriman.
Fixes #37048.