#6907 closed defect (bug) (wontfix)
A bug in /wp-admin/menu.php
Reported by: | CrazySerb | Owned by: | |
---|---|---|---|
Milestone: | Priority: | high | |
Severity: | normal | Version: | 2.5.1 |
Component: | General | Keywords: | menu.php has-patch dev-feedback |
Focuses: | Cc: |
Description
There's an obvious (at least to me) bug in the menu.php file on line 26, and it should read:
$menu[20] = array( sprintf( __('Comments %s'), "<span id='awaiting-mod' class='count-$awaiting_mod'><span class='comment-count'>$awaiting_mod</span></span>" ), 'moderate_comments', 'edit-comments.php');
(I just replaced the 'edit_posts' with 'moderate_comments' and it's working the way it should now, as in, those users who do not have moderate_comments role assigned to them cannot see the Comments link in the navigation menu)
Attachments (1)
Change History (12)
#3
@
16 years ago
- Milestone changed from 2.9 to 2.6.1
I think we should fix this asap. There is a more appropriate capability defined so let's use it. With a patch attached there is no reason to delay committing it after a quick test to make sure I haven't broken anything with the patch!
#4
@
16 years ago
moderate_comments is rarely and inconsistently used. edit-comments.php/comment.php do not use it when checking to see if the comment can be moderated. They use edit_post. About the only place that uses moderate_comments is admin-ajax.php. Further, is deleting a comment considered moderation? Currently it is not considered moderation and is not protected by a moderate_comments check. edit-comments.php must still be available in the menu for the comment to be deleted, however. The whole thing needs to be cleaned up before messing with menu.php. We may need to create a new set of meta caps: edit_comment, delete_comment, and moderate_comment.
#5
@
16 years ago
- Milestone changed from 2.6.1 to 2.7
@Ryan,
I take all your points there. Let's bump this back to a later version but not forget about it.
The functions, actions, filters and capabilities throughout the code really do need to be consistent, well used and well documented.
#7
follow-up:
↓ 8
@
16 years ago
The changes don't have to be too far-reaching. I had to make the modifications in our install so that 'moderate_comments' was used accurately in regard to comment moderation.
The code currently ties comment moderation to 'edit_posts' (editors) or 'edit_post' (with post ID passed for authors) capabilities rather than 'moderate_comments'.
Changes were required in 16 places in 6 core files.
#8
in reply to:
↑ 7
@
16 years ago
Replying to chelmer:
That is, from
if ( current_user_can('edit_post', $comment->comment_post_ID) )
to
if ( current_user_can('edit_post', $comment->comment_post_ID) || current_user_can('moderate_comments') )
or from
if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
to
if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) && !current_user_can( 'moderate_comments') )
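The inconsistency discussed in comments 4 to 8 (comment actions gated by `edit_post`/`edit_posts` in some places and `moderate_comments` in others) can be inventoried mechanically before any change is made. The following is an added example, not part of the ticket or of WordPress: a small Python audit that flags each comment-related capability gate in PHP source. The "line mentions `$comment`" heuristic, the verdict names and the sample input are assumptions constructed for illustration.

```python
import re

# Capability named in a current_user_can() call.
CAP_CALL = re.compile(r"current_user_can\(\s*['\"](\w+)['\"]")
# Capability slot of a $menu entry that points at edit-comments.php.
MENU_CAP = re.compile(r"['\"](\w+)['\"]\s*,\s*['\"]edit-comments\.php['\"]")
POST_CAPS = {"edit_post", "edit_posts"}

def caps_on_line(line):
    """Return the capabilities gating a comment action on this line (may be empty)."""
    caps = set(MENU_CAP.findall(line))
    if "$comment" in line:  # heuristic (assumption): the check refers to a comment object
        caps |= set(CAP_CALL.findall(line))
    return caps

def audit(files):
    """files: {name: PHP source}. Return [(name, lineno, verdict)] per comment gate."""
    findings = []
    for name, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            caps = caps_on_line(line)
            if not caps:
                continue
            if "moderate_comments" in caps:
                verdict = "moderate_comments"   # gate honours the dedicated capability
            elif caps & POST_CAPS:
                verdict = "post-cap-only"       # gate relies on post editing rights alone
            else:
                verdict = "other"
            findings.append((name, lineno, verdict))
    return findings

# Constructed sample input, modelled on the lines quoted in this ticket.
SAMPLE = {
    "menu.php": "$menu[20] = array( __('Comments'), 'edit_posts', 'edit-comments.php');\n",
    "comment.php": (
        "if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )\n"
        "    wp_die('denied');\n"
        "if ( current_user_can('edit_post', $comment->comment_post_ID)"
        " || current_user_can('moderate_comments') )\n"
    ),
}

if __name__ == "__main__":
    for name, lineno, verdict in audit(SAMPLE):
        print(f"{name}:{lineno}: {verdict}")
```

Every `post-cap-only` finding is a place where the menu entry and the page-level check would have to be changed together for the two to stay consistent.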
#9
@
16 years ago
- Keywords dev-feedback added
- Milestone changed from 2.8 to 2.9
-1 on this idea.
As specified by the http://codex.wordpress.org/Roles_and_Capabilities, "edit_posts" allows the people who have the ability to post on the site to approve their comments for their topic.
#10
@
16 years ago
- Milestone 2.9 deleted
- Resolution set to wontfix
- Status changed from new to closed
Suggesting wontfix too. We'll see if an angry mob shows up after closing.
#11
@
13 years ago
Angry mobs abound.
In WP-Admin Settings > Discussion, there's an option which reads "An administrator must always approve the comment" - however, the term administrator is deceiving there, as currently the author of the post, even if they're only a contributor, can approve the comment.
This deviates from what Contributors are in general, which are users who otherwise can't add content to a site without the approval of Editors / Admins, but in the case of comments, they can not only add content, but edit other people's content.
Plenty of people in the forums looking to have this sorted out:
http://wordpress.org/support/topic/how-to-prevent-accessibility-to-emails-038-ips-in-wp#post-650132
http://wordpress.org/support/topic/remove-comments-view-from-dashboard-1?replies=12
Attaching a patch file for this bug so it's easier to commit