Make WordPress Core

Opened 8 years ago

Closed 7 years ago

Last modified 4 years ago

#6907 closed defect (bug) (wontfix)

A bug in /wp-admin/menu.php

Reported by: CrazySerb
Owned by:
Milestone:
Priority: high
Severity: normal
Version: 2.5.1
Component: General
Keywords: menu.php has-patch dev-feedback
Focuses:
Cc:


There's an obvious (at least to me) bug in the menu.php file on line 26, and it should read:

$menu[20] = array( sprintf( __('Comments %s'), "<span id='awaiting-mod' class='count-$awaiting_mod'><span class='comment-count'>$awaiting_mod</span></span>" ), 'moderate_comments', 'edit-comments.php');

(I just replaced the 'edit_posts' with 'moderate_comments' and it's working the way it should now, as in, those users who do not have moderate_comments role assigned to them cannot see the Comments link in the navigation menu)

Attachments (1)

patch.diff (948 bytes) - added by MattyRob 7 years ago.


Change History (12)

#1 @DD32
7 years ago

  • Milestone set to 2.6

#2 @MattyRob
7 years ago

  • Keywords has-patch added

Attaching a patch file for this bug so it's easier to commit


#3 @MattyRob
7 years ago

  • Milestone changed from 2.9 to 2.6.1

I think we should fix this asap. There is a more appropriate capability defined so let's use it. With a patch attached there is no need to delay committing it after a quick test to make sure I haven't broken anything with the patch!

#4 @ryan
7 years ago

moderate_comments is rarely and inconsistently used. edit-comments.php/comment.php do not use it when checking to see if the comment can be moderated. They use edit_post. About the only place that uses moderate_comments is admin-ajax.php. Further, is deleting a comment considered moderation? Currently it is not considered moderation and is not protected by a moderate_comments check. edit-comments.php must still be available in the menu for the comment to be deleted, however. The whole thing needs to be cleaned up before messing with menu.php. We may need to create a new set of meta caps: edit_comment, delete_comment, and moderate_comment.

#5 @mattyrob
7 years ago

  • Milestone changed from 2.6.1 to 2.7


I take all your points there. Let's bump this back to a later version but not forget about it.

The functions, actions, filters and capabilities throughout the code really do need to be consistent, well used and well documented.

#6 @ryan
7 years ago

  • Milestone changed from 2.7 to 2.8

#7 follow-up: @chelmer
7 years ago

The changes don't have to be too far-reaching. I had to make the modifications in our install so that 'moderate_comments' was used accurately in regard to comment moderation.

The code currently ties comment moderation to 'edit_posts' (editors) or 'edit_post' (with post ID passed for authors) capabilities rather than 'moderate_comments'.

Where 'edit_posts' (plural) is used in current_user_can() conditional statements, and comment moderation is in view, then 'moderate_comments' can safely replace it (this is only in /admin/menu.php). Where 'edit_post' (singular) is in the conditional statement, 'moderate_comments' must be added to the statements ( <code>if ( current_user_can('edit_post', $comment->comment_post_ID) )</code> to <code>if ( current_user_can('edit_post', $comment->comment_post_ID) || current_user_can('moderate_comments') )</code> ).

Changes were required in 16 places in 6 core files.

#8 in reply to: ↑ 7 @chelmer
7 years ago

Replying to chelmer:
That is, from

if ( current_user_can('edit_post', $comment->comment_post_ID) )

to

if ( current_user_can('edit_post', $comment->comment_post_ID) || current_user_can('moderate_comments') )

or from

if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )

to

if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) && !current_user_can( 'moderate_comments') )
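
Added example, not part of the ticket and not WordPress code: a standalone model of the menu check and the per-comment check discussed above, comparing the current checks with the proposed ones. The role table, the "moderator" role, sim_user_can() and the simplified edit_post rule are assumptions made for illustration.

```php
<?php
// Constructed model of the checks discussed in this ticket. It does not call
// WordPress; the role names and capability sets below are assumptions.
$roles = [
    'author'    => ['edit_posts'],
    'editor'    => ['edit_posts', 'edit_others_posts', 'moderate_comments'],
    'moderator' => ['moderate_comments'], // hypothetical custom role
];

// Stand-in for current_user_can(). Primitive caps come from the role table.
// Simplified rule for the 'edit_post' meta cap: edit_others_posts, or
// edit_posts on a post the user wrote.
function sim_user_can(array $user, string $cap, ?array $post = null): bool {
    global $roles;
    $caps = $roles[$user['role']];
    if ($cap === 'edit_post') {
        $own = $post !== null && $post['author'] === $user['id'];
        return in_array('edit_others_posts', $caps, true)
            || ($own && in_array('edit_posts', $caps, true));
    }
    return in_array($cap, $caps, true);
}

// Menu entry: rendered only when the user holds $menu_cap.
function menu_shows_comments(array $user, string $menu_cap): bool {
    return sim_user_can($user, $menu_cap);
}

// Per-comment check: the existing form (edit_post only) or the form from
// comment #8 (edit_post || moderate_comments).
function handler_allows(array $user, array $post, bool $with_moderate): bool {
    return sim_user_can($user, 'edit_post', $post)
        || ($with_moderate && sim_user_can($user, 'moderate_comments'));
}

$post  = ['id' => 10, 'author' => 1]; // constructed sample post
$users = [
    ['id' => 1, 'role' => 'author'],
    ['id' => 2, 'role' => 'editor'],
    ['id' => 3, 'role' => 'moderator'],
];
$fmt = "%-10s %-10s %-10s %-13s %-13s\n";
printf($fmt, 'role', 'menu:old', 'menu:new', 'handler:old', 'handler:new');
foreach ($users as $u) {
    printf($fmt, $u['role'],
        var_export(menu_shows_comments($u, 'edit_posts'), true),
        var_export(menu_shows_comments($u, 'moderate_comments'), true),
        var_export(handler_allows($u, $post, false), true),
        var_export(handler_allows($u, $post, true), true));
}
```

In this model, changing only the menu capability hides the link from the author while the per-comment check still passes on their own post, and it shows the link to the hypothetical moderator, whom the unchanged per-comment check rejects. The menu entry controls visibility only; the handler check is what enforces access.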

#9 @ShaneF
7 years ago

  • Keywords dev-feedback added
  • Milestone changed from 2.8 to 2.9

-1 on this idea.

As specified by the http://codex.wordpress.org/Roles_and_Capabilities, "edit_posts" allows the people who have the ability to post on the site to approve their comments for their topic.

#10 @Denis-de-Bernardy
7 years ago

  • Milestone 2.9 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Suggesting wontfix too. We'll see if an angry mob shows up after closing.

#11 @clicknathan
4 years ago

Angry mobs abound.

In WP-Admin Settings > Discussion, there's an option which reads "An administrator must always approve the comment" - however, the term administrator is deceiving there, as currently the author of the post, even if they're only a contributor, can approve the comment.

This deviates from what Contributors are in general, which are users who otherwise can't add content to a site without the approval of Editors / Admins, but in the case of comments, they can not only add content, but edit other people's content.

Plenty of people in the forums looking to have this sorted out:



