Limit comments moderation
Because of WordPress developers selected ‘edit_posts’ as the critical capability to decide has user permission for comments moderation or not. If you open
/wp-admin/edit-comments.php, where comment moderation user interface lives, you will see:
11 12 | if ( !current_user_can('edit_posts') ) wp_die(__('Cheatin’ uh?')); |
Also, at line 43 we see:
43 44 | if ( !current_user_can( 'edit_comment', $comment_id ) ) continue; |
There is no such capability as ‘edit_comment’ in WordPress standard capabilities list. After little source code investigation I discovered that ‘edit_comment’ virtual capability is mapped to the real one ‘edit_posts’ at the wp-admin/includes/capabilities.php - map_meta_cap() funtion, look to lines 954-959:
954 955 956 957 958 959 | case 'edit_comment': $comment = get_comment( $args[0] ); $post = get_post( $comment->comment_post_ID ); $post_type_object = get_post_type_object( $post->post_type ); $caps = map_meta_cap( $post_type_object->cap->edit_post, $user_id, $post->ID ); |
Thus, WordPress main rool for comments moderation is “if you can edit this post, you can edit, approve, unapprove, trash, that is moderate its comments.
What to do if you wish to go another way in this field? If you wish to permit comments moderation to user with ‘moderate_comments’ capability only? It’s not so easy.
We have a quick decision – just edit line 11 at ‘edit-comments.php’ and change ‘edit_posts’ to ‘moderate_comments’. But this is not good decision as this change will be lost after every WordPress update and should be restored manually in that case.
Can we achieve this using standard way for WordPress functionality modification – its hooks (filters and actions)? Let’s try. Imagine this picture, authors and editors go to the edit-comments.php page, but don’t see any links to use as comments moderation commands:
Limit edit-comments.php
Insert this code to your active theme
functions.php file:
function block_bulk_comments_actions($actions) { unset($actions['unapprove']); unset($actions['approve']); unset($actions['spam']); unset($actions['trash']); return $actions; } function block_comment_row_actions($actions) { unset($actions['approve']); unset($actions['unapprove']); unset($actions['quickedit']); unset($actions['edit']); unset($actions['spam']); unset($actions['trash']); return $actions; } if (!current_user_can('moderate_comments')) { add_filter('bulk_actions-edit-comments', 'block_bulk_comments_actions'); add_filter('comment_row_actions', 'block_comment_row_actions'); } |
and you will get the picture above for your edit-comments.php page.
Is our task resolved? No, we are only at the half of our way. We just hidden user interface elements for comments moderation. Those commands are still available to user if he/she is smart enough to type them directly in the browser address bar, e.g. http://yourblog.com/wp-admin/edit-comments.php?c=33&action=approvecomment&_wpnonce=...
I didn’t find legal way to block these commands without editing core WordPress files. These commands are executed in edit-comments.php before any WordPress hook is used. I tried to use ‘parse_query’ filter, but without success, it is not called for edit-comments.php that way it works for posts edit.php. If you know/find/discover way to block comment moderation commands, please share your knowledge with us. Thanks in advance.
Tags: capability, WordPress
