WP_Comments_List_Table bulk actions do not account for user permissions.

[snicco]

Unlike other list tables, the comment list table's get_bulk_actions()
does not check the current user's permissions which leads to a confusing UX if a user can for example, edit comments, but not delete them (due to custom permissions).

<?php
        protected function get_bulk_actions() {
                global $comment_status;

                $actions = array();

                if ( in_array( $comment_status, array( 'all', 'approved' ), true ) ) {
                        $actions['unapprove'] = __( 'Unapprove' );
                }

                if ( in_array( $comment_status, array( 'all', 'moderated' ), true ) ) {
                        $actions['approve'] = __( 'Approve' );
                }

                if ( in_array( $comment_status, array( 'all', 'moderated', 'approved', 'trash' ), true ) ) {
                        $actions['spam'] = _x( 'Mark as spam', 'comment' );
                }

                if ( 'trash' === $comment_status ) {
                        $actions['untrash'] = __( 'Restore' );
                } elseif ( 'spam' === $comment_status ) {
                        $actions['unspam'] = _x( 'Not spam', 'comment' );
                }

                if ( in_array( $comment_status, array( 'trash', 'spam' ), true ) || ! EMPTY_TRASH_DAYS ) {
                        $actions['delete'] = __( 'Delete permanently' );
                } else {
                        $actions['trash'] = __( 'Move to Trash' );
                }

                return $actions;
        }

The correct capability to check for here would be "edit_comment" and return an empty array on permissions mismatch.

There does not seem to be granularity in map_meta_cap for comments - only edit_comment for all actions (I think).

[snicco]

Here is a screenshot with the user having full permissions. You can see that each comment has individial actions to delete, edit, etc.

[snicco]

Here is a screenshot with the user having the "edit_comment" permission removed. All individual row level actions are removed, but bulk actions are still shown in the UI

[iflairwebtechnologies]

We have hide bulk action dropdown base on user capability

[shanemuir]

Hey @iflairwebtechnologies

Happy to test this patch if you submit PR :)

UPDATE: just spotted your slack message, looks like you are awaiting a review on your patch.

[shanemuir]

Reproduction Report

Description

This report validates whether the issue can be reproduced.

Environment

• WordPress: 6.8-alpha-59274-src
• PHP: 8.3.15
• Server: Apache/2.4.62 (Unix) OpenSSL/3.4.0 PHP/8.3.15
• Database: mysqli (Server: 8.0.39 / Client: mysqlnd 8.3.15)
• Browser: Chrome 132.0.0.0
• OS: macOS
• Theme: Twenty Twenty-Five 1.0
• MU Plugins: None activated
• Plugins:
  • Test Reports 1.2.0

Actual Results

1. ✅ Error condition occurs (reproduced).

Additional Notes

Comments bulk actions remain regardless of the current users permissions.

Testing roles:
Administrator
Contributor

https://core.trac.wordpress.org/ticket/59440

[shanemuir]

Test Report

Description

This report validates whether the indicated patch works as expected.

Patch tested: ​https://patch-diff.githubusercontent.com/raw/WordPress/wordpress-develop/pull/8154.diff

Environment

• WordPress: 6.8-alpha-59274-src
• PHP: 8.3.15
• Server: Apache/2.4.62 (Unix) OpenSSL/3.4.0 PHP/8.3.15
• Database: mysqli (Server: 8.0.39 / Client: mysqlnd 8.3.15)
• Browser: Chrome 132.0.0.0
• OS: macOS
• Theme: Twenty Twenty-Five 1.0
• MU Plugins: None activated
• Plugins:
  • Test Reports 1.2.0

Actual Results

1. ✅ Issue resolved with patch.

Additional Notes

Tested with and without patch as administrator and contributor

Supplemental Artifacts

Added screenshots as attachments.

[shanemuir]

Without patch

[shanemuir]

With patch applied.

Core ticket:https://core.trac.wordpress.org/ticket/59440

Added detailed PHPUnit tests to show bulk action drop-down menu for comments table list based on user capability.

Trac ticket:

@jigneshnakrani088 Please fix the PHPCS issues and feedbacks.

[audrasjb]

Self assigning to see if we can commit this in 6.8 cycle.

…s/wordpress-develop/pull/8264)

Trac ticket: https://core.trac.wordpress.org/ticket/59440

Address the feedback and issues from ​https://github.com/WordPress/wordpress-develop/pull/8264.

This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See ​GitHub Pull Requests for Code Review in the Core Handbook for more details.

There were still some WPCS issues. I added a commit to fix them.

## Before patch
Logged in as a contributor.

## After patch
Logged in as a contributor.

[audrasjb]

In 59877:

Comments: Remove bulk action dropdown depending on user caps.

This changeset adds a conditional to show the comments bulk actions dropdown only when the current user has moderate_comments capability.

Props snicco, iflairwebtechnologies, shanemuir, audrasjb.
Fixes #59440.