Make WordPress Core

Opened 8 months ago

#59440 new defect (bug)

WP_Comments_List_Table bulk actions do not account for user permissions.

Reported by: snicco
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 6.3.1
Component: Comments
Keywords:
Focuses: ui, administration
Cc:

Description

Unlike other list tables, the comment list table's get_bulk_actions()
does not check the current user's permissions, which leads to a confusing UX if a user can, for example, edit comments but not delete them (due to custom permissions).

<?php
protected function get_bulk_actions() {
    global $comment_status;

    $actions = array();

    if ( in_array( $comment_status, array( 'all', 'approved' ), true ) ) {
        $actions['unapprove'] = __( 'Unapprove' );
    }

    if ( in_array( $comment_status, array( 'all', 'moderated' ), true ) ) {
        $actions['approve'] = __( 'Approve' );
    }

    if ( in_array( $comment_status, array( 'all', 'moderated', 'approved', 'trash' ), true ) ) {
        $actions['spam'] = _x( 'Mark as spam', 'comment' );
    }

    if ( 'trash' === $comment_status ) {
        $actions['untrash'] = __( 'Restore' );
    } elseif ( 'spam' === $comment_status ) {
        $actions['unspam'] = _x( 'Not spam', 'comment' );
    }

    if ( in_array( $comment_status, array( 'trash', 'spam' ), true ) || ! EMPTY_TRASH_DAYS ) {
        $actions['delete'] = __( 'Delete permanently' );
    } else {
        $actions['trash'] = __( 'Move to Trash' );
    }

    return $actions;
}

The correct capability to check for here would be "edit_comment", returning an empty array on a permissions mismatch.

There does not seem to be granularity in map_meta_cap for comments - only edit_comment for all actions (I think).
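The setup the ticket describes can be modelled in a small mu-plugin. The following is an added example, not WordPress core code and not the reporter's: it assumes a site that gates comment editing with a custom primitive capability (assumed name: manage_site_comments), maps the edit_comment meta capability onto it, and then uses that same primitive to decide whether the bulk-action dropdown is shown, so the dropdown and the per-row links stop disagreeing.

```php
<?php
/**
 * Plugin Name: Comment bulk actions aligned with custom comment permissions
 *
 * Added example (mu-plugin), not WordPress core code. The capability name
 * manage_site_comments is an assumption for this illustration.
 */

// Custom permission layer. The map_meta_cap filter runs for every
// current_user_can( 'edit_comment', $comment_id ) check; appending a cap only
// tightens the result, because the user must satisfy every cap returned.
add_filter( 'map_meta_cap', function ( array $caps, $cap, $user_id, array $args ): array {
    if ( 'edit_comment' !== $cap ) {
        return $caps;
    }
    // Core's own mapping (edit_post on the parent post) is kept as-is.
    $caps[] = 'manage_site_comments';
    return $caps;
}, 10, 4 );

// UI layer. WP_List_Table::bulk_actions() applies "bulk_actions-{screen_id}"
// to the result of get_bulk_actions(); the screen id of edit-comments.php is
// 'edit-comments'. edit_comment cannot be checked here because it is a meta
// capability that needs a concrete comment id, so the primitive that gates
// it is checked instead. This is a UX fix only: edit-comments.php still
// checks edit_comment against each comment id server-side before acting.
add_filter( 'bulk_actions-edit-comments', function ( array $actions ): array {
    if ( ! current_user_can( 'manage_site_comments' ) ) {
        return array(); // Same outcome as the row actions: nothing offered.
    }
    return $actions;
} );

// Grant the primitive to the roles that should edit comments. Role
// capabilities are persisted, so the has_cap() guard avoids rewriting them
// on every request.
add_action( 'init', function (): void {
    foreach ( array( 'administrator', 'editor' ) as $role_name ) {
        $role = get_role( $role_name );
        if ( $role && ! $role->has_cap( 'manage_site_comments' ) ) {
            $role->add_cap( 'manage_site_comments' );
        }
    }
} );
```

With the filter in place, a user whose role lacks manage_site_comments sees neither row actions nor the bulk dropdown, which is the consistent UI the ticket asks for; users who keep the capability see both as before.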

Attachments (2)

full-permissions.png (49.8 KB) - added by snicco 8 months ago.
Here is a screenshot with the user having full permissions. You can see that each comment has individual actions to delete, edit, etc.
Screenshot from 2023-09-25 12-04-49.png (45.6 KB) - added by snicco 8 months ago.
Here is a screenshot with the user having the "edit_comment" permission removed. All individual row-level actions are removed, but bulk actions are still shown in the UI.
