Comments: Make admin comment dimming comment-type aware (Trac #35214, Stage 3) #57

Open
adamsilverstein wants to merge 2 commits into feature/comment-type-moderation-rest from feature/comment-type-moderation-admin

@adamsilverstein

Owner

Summary

Continues Stage 3 of capability enforcement (follow-up to PR #56) with the admin call-site family.

wp_ajax_dim_comment() (approve/unapprove from the comments list table) gated on:

```php
if ( ! current_user_can( 'edit_comment', $comment->comment_ID ) && ! current_user_can( 'moderate_comments' ) ) {
    wp_die( -1 );
}
```

The moderate_comments fallback is the global primitive, so a moderator of a custom comment type could not dim comments of that type.

What changed

Route the fallback through the per-comment moderate_comment meta cap (added in #55):

```php
if ( ! current_user_can( 'edit_comment', $comment->comment_ID ) && ! current_user_can( 'moderate_comment', $comment->comment_ID ) ) {
```

For the default capability model moderate_comment resolves to moderate_comments, so built-in types are unchanged. A type with its own capability_type is gated by its own moderation primitive.

Why this is the last per-comment admin gate

After auditing the admin + XML-RPC surface, this is the only remaining per-comment moderation gate using the bare global primitive:

  • wp-admin/comment.php, edit-comments.php, and the other AJAX comment handlers already gate on edit_comment, which #55 made type-aware.
  • The list table's moderate_comments checks (get_bulk_actions(), the Empty Spam/Trash button) and XML-RPC wp.getComments (status filter) are collection-level, not a specific comment, so moderate_comment doesn't apply - they correctly stay global.

So with this PR, every per-comment moderation gate in core (REST in #56, admin AJAX here) now flows through the type-aware map_meta_cap() foundation.

Testing

Extends the existing wpAjaxDimComment.php Ajax tests: a review-type moderator (moderate_reviews) can dim a review comment; a global moderate_comments moderator without the type's caps is denied (-1). The existing administrator and subscriber tests still pass, confirming the default model is unchanged.

Full --group ajax --group comment --group capabilities passes (806 tests). PHPCS + PHPStan clean.

Stacking

Based on feature/comment-type-moderation-rest (#56). Retarget to trunk as the stack lands behind #12311.

See #35214.

`wp_ajax_dim_comment()` fell back to the global `moderate_comments`
primitive when a user could not `edit_comment` the target comment, so a
moderator of a custom comment type could not approve or unapprove comments
of that type from the admin list table.

Route the fallback through the per-comment `moderate_comment` meta
capability. For comment types using the default capability model this
resolves to `moderate_comments` (behavior unchanged); a type with its own
capabilities is gated by its own moderation primitive.

This is the last per-comment moderation gate in the admin AJAX path. The
remaining `moderate_comments` checks in the list table (bulk action
availability, the Empty Spam/Trash button) and in XML-RPC `wp.getComments`
are collection-level, not per-comment, and intentionally stay global.

See #35214.

Drive `wp_ajax_dim_comment()` through the Ajax test harness: a moderator of
an independent `review` type can dim its comments, while a global
`moderate_comments` moderator without the type's capabilities is denied. The
existing administrator and subscriber tests continue to pass, confirming the
default model is unchanged.

See #35214.
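
A simplified model of the fallback branch this PR changes, added here as an illustration; it is not code from the PR or from WordPress. The type-to-primitive table, the function names and the sample users are assumptions, and every sample user is assumed to have already failed the `edit_comment` check.

```php
<?php
// Simplified model, not WordPress code. Assumption: each comment type maps to
// one moderation primitive; types with no entry use the default capability model.
const TYPE_MODERATION_PRIMITIVE = array(
    'review' => 'moderate_reviews', // a type with its own capability_type
);

// Model of how the per-comment `moderate_comment` meta cap resolves to a primitive.
function resolve_moderate_comment( string $comment_type ): string {
    return TYPE_MODERATION_PRIMITIVE[ $comment_type ] ?? 'moderate_comments';
}

// Fallback before the change: always the global primitive, whatever the type.
function fallback_before( array $user_caps, string $comment_type ): bool {
    return in_array( 'moderate_comments', $user_caps, true );
}

// Fallback after the change: the primitive the comment's own type resolves to.
function fallback_after( array $user_caps, string $comment_type ): bool {
    return in_array( resolve_moderate_comment( $comment_type ), $user_caps, true );
}

// Constructed users (hypothetical capability sets).
$users = array(
    'review moderator' => array( 'moderate_reviews' ),
    'global moderator' => array( 'moderate_comments' ),
    'subscriber'       => array(),
);

// Print the allow/deny matrix for a built-in type and for the custom type.
foreach ( array( 'comment', 'review' ) as $type ) {
    foreach ( $users as $label => $caps ) {
        printf(
            "%-8s %-17s before=%-5s after=%s\n",
            $type,
            $label,
            fallback_before( $caps, $type ) ? 'allow' : 'deny',
            fallback_after( $caps, $type ) ? 'allow' : 'deny'
        );
    }
}
```

In this model the rows for the built-in `comment` type are identical before and after, while for `review` the decision flips for both moderators: the type's own moderator becomes allowed and the global moderator becomes denied.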
@coderabbitai

coderabbitai Bot commented Jun 25, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

