[wp-trac] [WordPress Trac] #59440: WP_Comments_List_Table bulk actions do not account for user permissions.

WordPress Trac noreply at wordpress.org
Mon Sep 25 10:01:22 UTC 2023


#59440: WP_Comments_List_Table bulk actions do not account for user permissions.
--------------------------------+-----------------------------
 Reporter:  snicco              |      Owner:  (none)
     Type:  defect (bug)        |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  Comments            |    Version:  6.3.1
 Severity:  normal              |   Keywords:
  Focuses:  ui, administration  |
--------------------------------+-----------------------------
 Unlike other list tables, the comment list table's get_bulk_actions()
 does not check the current user's permissions, which leads to a confusing
 UX if a user can, for example, edit comments but not delete them (due to
 custom permissions).

 {{{#!php
 <?php
 protected function get_bulk_actions() {
         global $comment_status;

         $actions = array();

         if ( in_array( $comment_status, array( 'all', 'approved' ), true ) ) {
                 $actions['unapprove'] = __( 'Unapprove' );
         }

         if ( in_array( $comment_status, array( 'all', 'moderated' ), true ) ) {
                 $actions['approve'] = __( 'Approve' );
         }

         if ( in_array( $comment_status, array( 'all', 'moderated', 'approved', 'trash' ), true ) ) {
                 $actions['spam'] = _x( 'Mark as spam', 'comment' );
         }

         if ( 'trash' === $comment_status ) {
                 $actions['untrash'] = __( 'Restore' );
         } elseif ( 'spam' === $comment_status ) {
                 $actions['unspam'] = _x( 'Not spam', 'comment' );
         }

         if ( in_array( $comment_status, array( 'trash', 'spam' ), true ) || ! EMPTY_TRASH_DAYS ) {
                 $actions['delete'] = __( 'Delete permanently' );
         } else {
                 $actions['trash'] = __( 'Move to Trash' );
         }

         return $actions;
 }
 }}}

 The correct capability to check for here would be "edit_comment",
 returning an empty array on a permissions mismatch.

 There does not seem to be granularity in map_meta_cap for comments - only
 edit_comment for all actions (I think).

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/59440>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
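Added example (not part of the ticket and not WordPress core code): a plugin-side mitigation that hides comment bulk actions the current user cannot perform, using the core `bulk_actions-{$screen_id}` filter for the `edit-comments` screen. Because `edit_comment` is a meta capability that map_meta_cap() resolves per comment ID, the example assumes the primitive capability `moderate_comments` as the gate for every action, and it denies unknown action slugs by default; both choices are this example's assumptions, not something the ticket specifies.

```php
<?php
/**
 * Example plugin code (not WordPress core): strip comment bulk actions the
 * current user is not allowed to run, so the list table matches the user's
 * effective permissions.
 *
 * Assumption: 'moderate_comments' is used as the primitive capability for all
 * actions, since 'edit_comment' must be resolved against a specific comment ID.
 */

/**
 * Returns the capability assumed to gate each known bulk action slug.
 * Slugs match those produced by WP_Comments_List_Table::get_bulk_actions().
 */
function example_comment_bulk_action_caps() {
	return array(
		'approve'   => 'moderate_comments',
		'unapprove' => 'moderate_comments',
		'spam'      => 'moderate_comments',
		'unspam'    => 'moderate_comments',
		'trash'     => 'moderate_comments',
		'untrash'   => 'moderate_comments',
		'delete'    => 'moderate_comments',
	);
}

/**
 * Filter callback for 'bulk_actions-edit-comments'. Any slug without a known
 * capability mapping is gated by the default capability (deny-by-default
 * rather than silently exposing an action added by another plugin).
 *
 * @param array $actions Bulk action slug => label, as built by the list table.
 * @return array The actions the current user is allowed to see.
 */
function example_filter_comment_bulk_actions( array $actions ) {
	$caps        = example_comment_bulk_action_caps();
	$default_cap = 'moderate_comments'; // Assumed fallback for unknown slugs.

	foreach ( array_keys( $actions ) as $slug ) {
		$cap = isset( $caps[ $slug ] ) ? $caps[ $slug ] : $default_cap;
		if ( ! current_user_can( $cap ) ) {
			unset( $actions[ $slug ] );
		}
	}

	return $actions;
}
add_filter( 'bulk_actions-edit-comments', 'example_filter_comment_bulk_actions' );
```

This only changes what the UI offers, which is the UX problem the ticket describes; the per-comment capability checks that the bulk handler itself performs are unaffected and remain the actual enforcement point.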

