Opened 2 months ago
#59440 new defect (bug)
WP_Comments_List_Table bulk actions do not account for user permissions.
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 6.3.1 |
Component: | Comments | Keywords: | |
Focuses: | ui, administration | Cc: | |
Description
Unlike other list tables, the comment list table's get_bulk_actions() does not check the current user's permissions, which leads to a confusing UX if a user can, for example, edit comments but not delete them (due to custom permissions).
```php
<?php
protected function get_bulk_actions() {
	global $comment_status;

	$actions = array();

	if ( in_array( $comment_status, array( 'all', 'approved' ), true ) ) {
		$actions['unapprove'] = __( 'Unapprove' );
	}

	if ( in_array( $comment_status, array( 'all', 'moderated' ), true ) ) {
		$actions['approve'] = __( 'Approve' );
	}

	if ( in_array( $comment_status, array( 'all', 'moderated', 'approved', 'trash' ), true ) ) {
		$actions['spam'] = _x( 'Mark as spam', 'comment' );
	}

	if ( 'trash' === $comment_status ) {
		$actions['untrash'] = __( 'Restore' );
	} elseif ( 'spam' === $comment_status ) {
		$actions['unspam'] = _x( 'Not spam', 'comment' );
	}

	if ( in_array( $comment_status, array( 'trash', 'spam' ), true ) || ! EMPTY_TRASH_DAYS ) {
		$actions['delete'] = __( 'Delete permanently' );
	} else {
		$actions['trash'] = __( 'Move to Trash' );
	}

	return $actions;
}
```
The correct capability to check for here would be "edit_comment" and return an empty array on permissions mismatch.
There does not seem to be granularity in map_meta_cap for comments - only edit_comment for all actions (I think).
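An added example, not WordPress core code and not a patch from this ticket: one way a site with custom permissions could trim the comment bulk-action menu through the `bulk_actions-edit-comments` filter. The capability name `delete_comments` and the function names are hypothetical; the action keys are the ones set in the method quoted above.

```php
<?php
/**
 * Added example (not core code): hide destructive comment bulk actions
 * from users who lack the capability the site requires for them.
 *
 * Assumption: 'delete_comments' is a hypothetical custom capability that
 * the site's role configuration grants separately. Core does not define it.
 */

/**
 * Map bulk-action keys (as set in get_bulk_actions()) to the capability
 * required to see them. Actions not listed here are left untouched.
 */
function example_comment_bulk_action_caps() {
	return array(
		'trash'  => 'delete_comments', // hypothetical custom capability
		'delete' => 'delete_comments', // hypothetical custom capability
	);
}

/**
 * Remove bulk actions the current user is not allowed to perform.
 *
 * @param array $actions Action key => label, as built by get_bulk_actions().
 * @return array Filtered actions; may be empty.
 */
function example_filter_comment_bulk_actions( $actions ) {
	foreach ( example_comment_bulk_action_caps() as $action => $cap ) {
		if ( isset( $actions[ $action ] ) && ! current_user_can( $cap ) ) {
			unset( $actions[ $action ] );
		}
	}

	return $actions;
}

// 'edit-comments' is the screen ID of the Comments admin page.
add_filter( 'bulk_actions-edit-comments', 'example_filter_comment_bulk_actions' );
```

This only changes which entries the dropdown offers; the decision on a submitted bulk request stays with the capability check in the code that handles it.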
Attachments (2)
Change History (2)
Here is a screenshot with the user having full permissions. You can see that each comment has individual actions to delete, edit, etc.