Notes are accessible to any authenticated user with `edit_posts` capability using query args

[desrosj]

When a site has notes, they are only supposed to be visible to users that are allowed to edit the post the note was left on.

However, I discovered that all notes on a given site can be viewed by any authenticated user with the edit_posts capability (Contributor and higher by default) by adding comment_type=note as a query parameter to the wp-admin/edit-comments.php page.

The user is only able to perform actions on notes left on a post they created, but all notes are visible.

Fix an issue where notes can appear on the Comments page if the comment_type=note query parameter is passed to the page.

Even though notes are stored in the comments table, they are distinct and have somewhat different in behavior that makes them i'll suited to displaying on the Comments page. For example, comments are approved, notes are resolved. Comments can be trashed and later restored, noted can only be 'deleted' (although technically they still go in the trash).

We did explore displaying notes on the Comments page anod other surfaces outside the editor such as the Post list pages in ​https://github.com/WordPress/gutenberg/pull/71743 without arriving at a satisfactory solution.

Trac ticket: Core-64198

[adamsilverstein]

Thanks for the bug report @desrosj - I posted a PR that fixed the issue in my local: ​https://github.com/WordPress/wordpress-develop/pull/10462

The only other thing to call out is that the page will show just the normal "All" view. In my opinion that is fine, but wanted to make note of it.

Yeah, there was some heavy conversation a couple weeks ago about more clearly separating out Notes (then Block Comments) from "regular" Comments but it was decided to not make changes there and to come back to that in 7.0. Sorry I don't have a great reference link for that conversation, but its likely in a GitHub issue/PR or two.

[soyebsalar01]

Roles other than admin who is not the author of the post can see the comments

Below is the results of testing:-

1)Logged in as Admin
​https://www.awesomescreenshot.com/image/57267861?key=b82d0e0870991f558b0c169d117c271b

2)Logged in as Other Role
​https://www.awesomescreenshot.com/image/57267876?key=f3f2b1486bafc9f466d4a2fc8ea81a98

Conclusion : Bug still persisting

@desrosj - I accepted your suggestion and added a test in ​https://github.com/WordPress/wordpress-develop/pull/10462/commits/631bd560759a0120c1987aea479229a8cfa60063. I verified the test fails before the PR change.

[adamsilverstein]

@soyebsalar01 thanks for testing, have you tested the ​PR? This should fix the issue.

You can ​Test this pull request with WordPress Playground.

[adamsilverstein]

In 61183:

Comments: ensure notes never show on the comments page.

Fix an issue where adding comment_type=note as a query parameter to the wp-admin/edit-comments.php page would unexpectedly cause notes to show. Notes are different from comments - prevent them from showing on the comment list table.

Props adamsilverstein, desros, soyebsalar01j.
Fixes #64198.

[desrosj]

Moving tickets related to the new Notes feature into the new Notes sub-component under Comments.